The following is part of Align’s National Cyber Security Awareness Month (NCSAM) Article Series and focuses on how to identify and avoid phishing scams. If you missed last Thursday’s article, read “Why Should Registered Investment Advisors Buy Cyber Coverage?” here.
Phishing is a popular scam tactic that attempts to fool its victims into giving out personally identifiable or company information. Many phishing attacks are driven by monetary gain, but in other cases they simply aim to wreak havoc on a specific company or even an entire country.
Phishing attacks often take the form of fraudulent emails, some of which contain malware or ransomware that propagates when a user opens or clicks on the email contents. Phishing often relies on the use of social engineering techniques.
Social engineering is a psychological tool that takes advantage of patterns of human behavior. One such pattern is that people are inclined to open email without thinking, especially when they are motivated by curiosity, fear, urgency or opportunity. Perhaps an email contains an urgent or intriguing subject line, or carries a document attachment that appears to be work related. Below we will explore some of the most common phishing email attacks seen in 2017.
Business Email Compromise (BEC)
One type of email phishing attack is known as the Business Email Compromise. Business Email Compromise, or BEC, attacks take a few different forms.
- The first is CEO fraud, in which a CEO’s email address has been successfully spoofed. Spoofing may mean that the attacker has created an email address that appears to belong to the CEO, or that the attacker has compromised the CEO’s inbox and is able to send emails from the legitimate address.
- Using the spoofed email address, the attacker will request an urgent wire transfer from another, likely less senior, employee.
- A less senior employee may be susceptible to this social engineering tactic, which emphasizes the urgency and seniority of the request. In addition to the theft, the attacker may also decide to inject malware into the company to gain further infrastructure access and cause more damage.
- The second form of BEC attack is the bogus invoice scam, in which the attacker again spoofs the executive’s email account or gains access to their mailbox. The attacker locates a bill that is due soon in the executive’s inbox, then contacts the accounting department to change the payment destination to an account that the attacker owns.
- Attorney impersonation is another common form of BEC attack. If an attacker is able to successfully impersonate a company’s law firm, they may request funds to settle a legal dispute or pay an overdue bill. The FBI has reported that BEC scams have cost businesses $3.1 billion. These attacks have increased by 1,300% since January 2015.
Ransomware is often delivered to phishing victims via fake email invoices. Attackers may schedule the phishing invoices to be sent specifically during work hours, both to make the emails appear legitimate and to catch victims when they are somewhat distracted, which is another social engineering tactic.
Once the victim opens the email, they will see it contains an attached zip file, presumably containing the invoice, that, once clicked on, executes the attacker’s ransomware. Ransomware targets and encrypts specific file extensions on a system, which in many cases renders the machine utterly useless.
The files remain encrypted until the ransom is paid to the attacker. Unfortunately, the victim often pays the ransom and the files are still not decrypted. Millions of users have been subject to this type of attack and have paid millions of dollars in ransoms. Ransomware is very effective and lucrative for attackers, and the number of victims will only continue to rise.
The Google Docs phishing scam has affected over three million people worldwide. While this scam has been in existence since 2014, the latest attack is particularly effective, in part because it looks very authentic. The attacker sends a fraudulent invitation to edit a Google document to the victim. After clicking the document link, the victim is led to a genuine account screen, which shows all of the Google accounts that they are presently logged into.
The authentic screen only entices the victim to move further into this scam. After choosing the account to log in with, a malicious third-party app, masquerading as Google Docs, asks to be granted privileges to access account information. Granting this permission provides all of the victim’s account information to the attacker.
This scam is particularly effective, not only because it mimics Google so successfully, but because the attacker can continue stealing information for as long as the victim is unaware that their account has been compromised.
How to Avoid Being Phished
Because phishing email tactics have become increasingly sophisticated and convincing, the following may help you to avoid becoming a victim:
- Scrutinize the domain names of senders. At first glance @gmail.com may look similar to @gmail1.com. Attackers often take advantage of similar looking characters in order to spoof email addresses.
- Rather than clicking on embedded links in an email, hover over them. If the link address looks unusual, it is best not to click on it.
- Look for spelling mistakes. Authentic emails from well-known brands typically do not contain spelling or grammatical errors.
- Companies with which you have an account typically use your name. They will generally not address you as a generic “Valued Customer”.
- Banks and other companies never ask for personal information. Do not ever give out personal information or user credentials.
- Don’t be fooled by urgent language in the subject line. Remember that attackers are hoping to instill panic in victims when they read “Unauthorized login attempt”.
- Check email signatures. Legitimate senders almost always provide contact details.
- Do not open attachments from unfamiliar senders.
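Two of the checks above, scrutinizing a sender’s domain for look-alike characters and comparing a link’s visible text with where it actually points, can be automated for mail triage. The following is an added example written for this article, not code from Align or from any mail product; the trusted-domain list, the character swaps and the sample HTML are constructed assumptions.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the organisation treats as trusted (an assumption).
TRUSTED_DOMAINS = {"gmail.com", "example-bank.com"}
# Substitutions attackers use to build look-alike domains (illustrative, not exhaustive).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))

def normalize(domain):
    """Lower-case a domain and undo common look-alike character substitutions."""
    d = domain.lower().strip()
    for bad, good in SWAPS:
        d = d.replace(bad, good)
    return d

def sender_risk(address):
    """Classify a From: address as 'ok', 'lookalike' or 'unknown' by its domain part."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "ok"
    for trusted in TRUSTED_DOMAINS:
        # High similarity after normalization catches gmail1.com, rn-for-m swaps, etc.
        if difflib.SequenceMatcher(None, normalize(domain), trusted).ratio() >= 0.85:
            return "lookalike"
    return "unknown"

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__(); self.links = []; self._href = None; self._text = ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip())); self._href = None

def host(s):
    """Hostname of a URL or bare domain, with any leading 'www.' dropped."""
    h = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def mismatched_links(html):
    """Links whose visible text names one host but whose href points somewhere else."""
    p = _Links(); p.feed(html)
    return [(t, h) for h, t in p.links
            if " " not in t and "." in t.strip(".") and host(t) and host(t) != host(h)]
```

`mismatched_links` only judges link text that itself looks like a domain or URL; plain wording such as “contact us” is left for the human to hover over.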
As demonstrated by some of the most widespread and devastating phishing attacks, no one is immune to falling for a phishing scam. Educate your firm with employee security awareness training.
Phishing training modules will allow your employees to become experts at identifying phishing emails before they fall victim to phishing attacks in the wild. Come back this Thursday for our next article in our National Cyber Security Awareness Month (NCSAM) Series!