Article

Five phishing scams your business needs to know about

Verizon’s 2019 Data Breach Investigations Report found C-level executives are 12 times more likely to be targeted by phishing scams than in previous years, with phishing involved in 33 per cent of data breaches last year. Here are five common phishing scams to guard against

1. HR or finance department salary switcheroo fraud

This is one of those phishing scams that you might think would never work, yet the evidence suggests it does. Call it “customer-​authorised fraud” or simply “impersonation”, but getting a salary diverted into a fraudulent account is easier than it sounds.

“Generally they will make out that something has changed, trying to trigger a click and submission of bank details into a phishing version of a real payroll site that the hacker believes the company is using,” says Matt Aldridge, senior solutions architect at Webroot.

With good intelligence about the payroll system in use, the social engineer, or crook, can craft a believable email and clone a site with legitimate logos and a closely matching url.

“In this way they can capture the real login details and divert the funds at a time of their choosing,” Mr Aldridge warns. “These types of attacks can be very lucrative if well executed against a poorly trained and poorly protected human resources team.”

This is because fraudsters “recognise the value of attacking using multiple weakness points”, according to Omri Kletter, head of fraud, Europe, Middle East and Africa, at NICE Actimize.

The challenge of detecting such attacks can be more difficult than in a retail environment, say, because the normal behaviour of a business is “often unpredictable and complex, and the beneficiaries multiple and international”, Mr Kletter points out.

Make sure the HR department know the fraud exists and “put in place a process which carries out a check through an independent route to the individual concerned”, says Dr Guy Bunker, chief technology officer of Clearswift.

2. Supply chain trust ‘ladder-​climbing’ fraud

How well do you know your suppliers? You probably don’t know their processes as well as the level of trust you invest in your dealings with them would suggest.

“Supply chain trust works both ways,” says Jake Moore, cybersecurity specialist at ESET. “You are as strong as your weakest link, but when this link is offsite and embedded in another company, you won’t know a vulnerability exists in the first place.” It is this that cybercriminals exploit in the supply chain trust ladder-​climbing fraud exploit.

“They work their way up the supply chain to bigger, better targets, using compromised email accounts of suppliers to exploit existing relationships,” explains Cath Goulding, Nominet’s chief information security officer.

The clever part of these phishing attacks is they are really hard to spot as they originate from an already trusted source. “This can trick finance teams into paying false invoices or sharing shipping information with the wrong parties, which in the current General Data Protection Regulation world could lead to large fines for the business,” Ms Goulding warns.

Think you’d never fall for a phishing scam that spoofs invoices from third parties with whom established relationships and payment history already exist? Think again. “Both Facebook and Google were duped in this way between 2013 and 2015, ultimately to tune of $100 million,” says David Mount, European director at Cofense.

However, tightening up financial controls makes it much harder for attacks against employees to succeed.

3. Phishing scams that bypass two-​factor authentication

Two-​factor authentication (2FA) is kryptonite to cybercriminals, preventing many an otherwise dead-​cert data breach by adding an additional layer of security into the user-​credentials mix.

“As 2FA is becoming more prevalent in enterprises, simple brute-​forcing, or sniffing, of passwords is not enough,” says Javvad Malik, security awareness advocate at KnowBe4.

Phishing scams, often looking to steal sensitive data and penetrate networks for the long term, are sophisticated and involve “multiple stages to take users to loading pages, which bypass any webpage filtering, and from there to the desired malicious page”, says Mr Malik.

The bad news is that it is becoming easier and easier for the cybercriminals to do this. “Recently on the dark market, we have seen new phishing kits that allow for the intercepting or mirroring of 2FA requests,” says James Houghton, chief executive at PhishingTackle. “The visitor to the website assumes this is safe when, in fact, there is a ‘man in the middle’ exploiting that layer of security.”

Think of these as the equivalent of a cashpoint-​card skimming façade being attached to the front of a legitimate machine to capture your PIN.

The fact that 2FA is increasingly understood to be “more secure” than a password alone, ironically makes this phishing scam easier to pull off as users are lulled into a false sense of security.

“User awareness is one of the only defences against this,” Mr Malik advises, “and so they should be on the lookout for text messages or emails claiming to be from a service provider with a link to enter 2FA credentials.”

4. Deepfake audio-​phishing

If you thought deepfakes were just fake news videos designed to spread misinformation at election time, you would be wrong. Deepfake audio, the computer-​generated synthesis of a real voice that can be manipulated to say anything, has arrived on the phishing scams radar.

According to Dr Matthew Aylett, chief scientific officer at CereProc, this weaponisation of deepfake audio “has already cost businesses millions through sinister new telephone fraud and scams”.

Oh yes, remember that not all phishing is carried out by email; telephone phishing is a very real threat.

“By using deepfake audio to replicate a boss, manager or colleague’s voice,” says Dr Aylett, ”HR teams could be duped into sharing confidential personal information and finance teams into handing over bank account details or transferring money to a third party.”

His concerns follow a Symantec warning that three chief executives were tricked by deepfake audio into transferring millions of dollars. “Hackers replicate the voices of business pros in a position of power using AI-​enabled speech synthesis technology and at present there is no defence against telephone-​phishing scams such as these,” Dr Aylett warns.

“Employees must understand the red flags that might reveal they’re being targeted by deepfake audio,” he advises. “They should ask themselves, ‘Does this person’s voice sound completely natural?’ If in doubt, hang up.”

5. Phishing attacks in the cloud

Brand impersonation spear-​phishing attacks featuring cloud providers such as AWS and Microsoft Azure are becoming increasingly common.

Steven Peake, pre-​sales engineer at Barracuda Networks, says recent research by the company found 83 per cent of spear-​phishing attacks involved brand impersonation and 40 per cent impersonated cloud providers. Analysis from FireEye also revealed attackers are getting ahead by using the cloud in phishing scams.

“Our most recent analysis showed how attackers are adapting their tactics, techniques and targets to changes in security defences,” Jens Monrad, head of intelligence, Europe, Middle East and Africa, at FireEye, explains.

The research also found those most at risk were Microsoft users. “Sixty-​eight per cent of phishing attacks use Microsoft branding and are also using cloud services more frequently to target businesses,” says Mr Monrad. Microsoft and Office 365 phishing attacks increased by 12 per cent quarter over quarter.

The most common cloud-​phishing scam techniques included spoofed emails, evasions based on captcha (completely automated public Turing test to tell computers and humans apart), multiple urls to mask a malicious link and nested-​phishing techniques, which use message attachments containing phishing urls.

“Knowing and learning from past incidents, as well as having insights into the ever-​changing cyberthreat landscape, can help organisations better prepare, prioritise and remediate the threat,” Mr Monrad concludes.