Phishing – What is it and could it impact you?

Important information for any person that may run a business and deal with vendors or cliental via the internet in any capacity. As the world of technology continues to seemingly advance, so too do the ‘opportunists’ set in, criminals who look to advance their skills and take advantage of a society using the online world to communicate and operate their businesses.

Most people when hearing about the online world and the benefits of digital communication and online business transactions would believe that the online world would be making their lives easier and run more efficiently. The convenience of being able to quickly send an email to your business employees, clients or suppliers with instructions, orders or simply completing online payments saves time and, could have the potential to reduce daily operation costs.

But when beginning to run a business at what point are you informed about the modern-day criminal that can attack you and or break in without even breaking the security code at your premises? That as far as you are concerned everything from the outside looks and seems normal but on the inside they have been able to infiltrate. Being able gain access to all your businesses monetary earning simply through emails?

Have you been informed of a simple do and don’t list to ensure that your business is not leaving its doors wide open to international criminals that do not have to leave their own lounge chair to access you?

To paint the picture of what here is being discussed and the international impact of this criminal activity. Over a 12-month period world-wide there were 6.2 billion attempted attacks to businesses and organisation online. One of these avenues of criminal behaviour is called Phishing. Phishing attacks were responsible for as much as 73% of malware being delivered to organisations world-wide in only a 12month period.

To understand further this form of crime – Phishing is when a website, online service, phone call or even text message poses as a company or brand you recognise. In more recent years it has also developed to encompass masking as employees or even managers of the same business or organisation that you run or work for. The idea of phishing is as simple as it sounds throw out bait into the ocean of the world-wide-web and see who or what takes a bite. It is specifically designed to convince you to hand over valuable personal details, money or even download something that will infiltrate and infect your computer. The criminals phish for their potential victims by sending emails, social media messages, text messages or even phone calls with an urgent message of action in the hope of persuading someone to act immediately.

As a progression from your standard phishing attempt, criminals have also extended their focus to Business Email Compromising schemes also known as BEC. These are a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.

Business Email Compromise schemes usually begin from criminals phishing the executive or director of an organisation to gain access to their inbox or contact list. Once the criminal has taken access then one of the following five actions tend to take place:

• CEO fraud – In this form or attack the criminal has successfully hacked CEO’s email address. The criminal will then send email instructions to employees within accounts or the financial department instructing the transfer of funds or the immediate payment of a bill, all legitimised by the CEO or director. There will often be a note within the email that will emphasises the need for immediate or emergency action.

• Bogus invoice scam – Within this form of criminal activity the criminal will infiltrate the executive or directors email accounts, look at any bills that are needing to be paid soon and then contact the finance department instructing them to change the bank details of the upcoming bill as they have changed banks or accounts. This then means once the bill is paid it is paid into the criminals bank account without anyone knowing or thinking otherwise.

• Account Compromise – Similar to the above versions. An email account of an employee within the organisation is hacked and then used to make requests for invoice payments to the criminal accounts. The emails are sent to multiple vendors that are in the businesses contact list.

• Attorney Impersonation – Within this stage the criminal contacts either the employees and or the director of the company and identifies themselves as lawyers or a representative of law firms, claiming to be handling confidential and time-sensitive matters. This contact, typically made via phone or e-mail, done to pressure the contact to act quickly or secretly in handling the transfer of funds.

• Data Theft – This involves the email of role-specific employees in the company being accesses or hacked into and then infiltrated to be used to send requests – not for fund transfers but for personally-identifiable information of other employees and executives.

There are several other routes the modern-day criminal can take, but the above mentioned alone have seen an increase in Business Email Compromising Schemes or 2370% in the last two years. According to the FBI, BEC schemes have caused at least $3.1 billion in total losses to approximately 22,000 enterprises around the world over in the past two years.

To provide an example of what is here being described:

Example 1:

Sam is the corporate controller of ABC, Inc., an online furniture retailer. As part of his job, Sam approves wire transfers to ABC’s suppliers, many of them Chinese companies. One day, Sam receives an email from ABC’s CEO. The email says that ABC just completed negotiations to buy one of its Chinese suppliers. The email tells Sam to await instructions from ABC’s accounting firm and to speak to no one else about the sale. According to the email, SEC regulations require the details of the sale to remain confidential at this point. A few hours later, Sam receives an email from ABC’s accounting firm, which instructs him to wire $500,000 to a Chinese bank immediately. Sam approves the wire transfer.

Later, Sam discovers that both emails were fraudulent, that there was no sale and that he wired $500,000 of ABC’s money directly to fraudsters. ABC was the victim of a business email compromise (BEC) scam (also known as CEO fraud).

http://www.acfe.com/fraud-examiner.aspx?id=4294994000

Example 2:

The local council of the Australian city of Brisbane was targeted by scammers through fake invoices over the past month. According to reports, the scammers phoned and emailed the council posing as one of its suppliers, and were able to steal A$450,000.

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/brisbane-council-loses-450k-aud-to-bec-scam

So remember – phishing online is a real occurrence and every organisation needs to be aware of 4 very simple possible ‘break in’s’ to your online business operation.

1. Criminals have the potential to pose as a boss of a company instructing staff to make online transfers into the criminals account.

2. Criminals may impersonate the IT department of a bank saying they want to make a test transfer – Key reminder: It may not be a test.

3. Criminals can claim to be a supplier and ask for outstanding invoices to be paid into a new bank account

4. Employees click on links within phishing emails containing malware (virus software) which authorises many small payments to the criminals account.

So what can you do to step up the security of your business:

• Carefully examine all emails. Do not just assume that the address is legitimate because it is in the address bar. Be wary of irregular emails that are sent by Directors or Staff. These can be used to trick employees to act with panic or urgency. If unsure call the person directly. Never assume. Review emails that request transfer of funds to determine if they are legitimate.

• Educate and train all staff within your business. While employees are a company’s biggest asset. Commit to training everyone according to the company’s best practices and reminding them that adhering to company policies is one thing, but developing good security habits is another.

• Verify any changes in vendor payment location by using other people within your organisation or by calling the vendor directly and asking for a letter by post to confirm such change. From here you can then use a secondary sign-off.

• Stay updated on your customers’ including their details, and reasons behind payments.

If you suspect that you have been targeted by a BEC email, report the incident immediately to the police.

References:

https://www.nttcomsecurity.com/us/uploads/documentdatabase/US_NTT_Security_GTIR_2017_Key_Findings_Focus_UEA_v1.pdf

https://threatpost.com/business-email-compromise-losses-up-2370-percent-since-2015/125469/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/brisbane-council-loses-450k-aud-to-bec-scam

Related Tags: Cyber Abuse, Online Phishing, What is Phishing