Phishing is a form of fraud. The criminals’ aim is either to trick you into revealing the credentials for your bank account or another online service (phishing) or to trick you into sending money to an account that appears genuine but is under their control (spear phishing, a targeted form of the same attack).
This post continues our journey covering the everyday threats we face from cyber criminals. Please follow links at the base of this post to read associated posts.
These emails look like they come from a trusted source, such as a bank or other online service. They ask you to log in to your online account and provide a justification along the lines of a security check, a need to verify your credentials, to re-activate your account, or some other ‘vaguely official’ sounding reason. There will be a link in the email that you are encouraged to click.
Clicking that link presents you with the familiar login page of that service. In fact, it is a copy-cat page hosted by the criminals. If you enter your credentials to log in, they keep a copy of your ID and password for their future use. One quick check is the address bar: the copy is not hosted on the genuine service’s domain, although criminals often register a look-alike name to disguise that.
Unfortunately, anyone can do this. You don’t need the highly developed IT skills that the BA attackers had, just their criminal intent. Utilities and toolkits for performing phishing attacks are freely available on the internet. If you can follow simple instructions you can do this for yourself, with very basic IT skills.
The main line of defence here is your staff’s awareness of the threat and a healthy caution; you need to foster a culture of ‘think before you click’. Staff should also follow basic good practice such as not re-using passwords across different systems, so that one stolen password does not open every account, and where a service offers two-factor authentication, switching it on limits what a criminal can do with a password they have captured.
In these attacks, a fraudulent email appears to come from a senior figure in your organisation, such as the Managing Director (MD). It is usually sent to someone in finance or accounts and addresses them by name. It discusses one of your customers and explains that a payment must be made to them today: it is both important and urgent. The sum to be paid and the bank details are provided. Of course, the bank details are not those of your customer; they belong to an account under the criminals’ control.
In terms of defence, you’re depending on your staff to be alert and attentive. These emails are worded very carefully. It is easy for the recipient to get swept along in fulfilling this urgent requirement for the MD, rather than stopping and thinking about the validity of it.
A spear phishing email sounds rather complicated to set up. Where are they going to get that insider information? You may be surprised at how simple it is. Most businesses have a website, and many websites have a Meet the Team page. That gives you all the information on personnel you need. If there are customer testimonials on the website, bingo, you’ve got a customer name.
You could almost certainly get that level of information from a combination of Google, looking on the Companies House website and using any of the company credit check websites.
Then send the company an email about any topic you like. Request a pricelist, ask about a product, ask if they provide a certain service. It really doesn’t matter, just as long as you get a reply. That reply will show you the format of the footer and the livery of their emails. That’s all you need to put together a convincing email.
To make it look like it came from the MD’s email address, you can download any one of a number of freely available utilities to spoof the sender address. Whether such a spoof reaches the inbox depends on whether your domain publishes SPF, DKIM and DMARC records and whether the recipient’s mail filter enforces them; where it does, criminals simply register a look-alike domain (one character different from yours) and put the MD’s name in the display name, which needs no spoofing at all.
So, this attack requires some deviousness but no real IT skills.
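As an added example (not code from the original post), the following Python script shows the checks a mail administrator or a wary recipient can apply to a message like those described above: whether the sender address was spoofed (the From domain disagrees with the envelope sender and with the receiving server’s recorded SPF/DKIM results, or a senior person’s name appears on a domain other than the business’s own) and whether a link’s visible text names one site while its target is another, as in the copy-cat login page. The sample message, the domains example.com and example-payments.net, and the KNOWN_SENDERS directory are constructed for illustration and are not from the original post.

```python
# Added example (not code from the original post): triage a suspicious email
# for sender spoofing and deceptive links. All domains and messages are constructed.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory of senior staff and the domain their genuine mail uses
# (assumption: the business's own domain is example.com).
KNOWN_SENDERS = {"jane doe": "example.com"}

# Constructed sample: From claims to be the MD, but the envelope sender and the
# receiving server's SPF/DKIM results disagree, and the link text hides its target.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example-payments.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example-payments.net; dkim=none
From: "Jane Doe (MD)" <jane.doe@example.com>
To: accounts@example.com
Subject: Urgent payment today
Content-Type: text/html; charset="utf-8"

<p>Please settle the invoice today via
<a href="http://login.example-payments.net/secure">https://banking.example.com</a>.</p>
"""

# Visible link text that reads like a URL or host name, e.g. "https://bank.example.com/x".
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def domain_of(address):
    """Lower-cased domain part of an address header value."""
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def header_checks(msg):
    """Flag signs that the From header does not reflect who really sent the mail."""
    findings = []
    name, _ = parseaddr(str(msg["From"]))
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg.get("Return-Path", ""))
    # Envelope sender (where bounces go) on a domain unrelated to the From header.
    if return_domain and not (return_domain == from_domain or return_domain.endswith("." + from_domain)):
        findings.append(f"envelope sender domain {return_domain} differs from From domain {from_domain}")
    # Verdicts the receiving mail server recorded when it checked the sender.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail|none)\b", auth):
        findings.append("SPF did not pass for the envelope sender")
    if re.search(r"\bdkim=(fail|none)\b", auth):
        findings.append("no valid DKIM signature")
    # A known executive's name on a domain other than the genuine one: the
    # look-alike-domain variant, which needs no spoofing at all.
    key = re.sub(r"\s*\(.*?\)", "", name).strip().lower()
    if key in KNOWN_SENDERS and from_domain != KNOWN_SENDERS[key]:
        findings.append(f"display name '{name}' used with unexpected domain {from_domain}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_checks(html):
    """Flag links whose visible text names one site but whose href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown != target:
                findings.append(f"link text shows {shown} but points at {target}")
    return findings


def triage(raw_message):
    """Run both sets of checks on a raw message and return the list of findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = header_checks(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        findings += link_checks(body.get_content())
    return findings
```

Calling `triage(SAMPLE_EMAIL)` returns four findings: the envelope sender on an unrelated domain, the SPF failure, the missing DKIM signature, and the link whose text reads banking.example.com but points at login.example-payments.net. None of these checks replaces the phone call to the MD described later in the post; they are the evidence a mail filter or a helpdesk can use to decide which messages deserve that call.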
Once more, you are dependent on your staff being wary and alert. You must encourage staff to raise questions if they have the slightest doubt about the veracity of a request, and to confirm any urgent payment or change of bank details by phoning the person who supposedly sent it, on a number you already hold rather than one given in the email. Senior members of the business must take being questioned as reassurance that the staff are being diligent, not as an annoyance.