Special Report: The Anatomy of a Phishing Scam

Updated 12/15/2021

Cybersecurity

What would you do if you knew that every 11 seconds someone was trying to break into the homes in your neighborhood? You’d likely be on high alert, buy the best locks and alarms you could afford, and do anything and everything you could to ensure the safety of your family and property.

Well, there’s a startling prediction by Cybersecurity Ventures that says this is happening now, but to our businesses; specifically, that there’s a ransomware attack on a business every 11 seconds.  

Because these robberies happen in the virtual world, they seem less threatening than, say, an attacker at your back door. Yet when a cyber-attack does happen, the feelings of shame, anger, and loss of control are much the same.

In this article, we are going to help you and your employees recognize and avoid falling for a phishing attack, business email compromise, or paying a fraudulent invoice.  

There are 3 important things you should know about phishing scams:

  1. Phishing emails and social engineering are just one of the ways attackers fool your employees into downloading malicious software such as ransomware.
  2. People are easier to hack than computers.
  3. 85% of breaches involved a human element (Verizon 2021 Data Breach Investigations Report).

What are Phishing Emails and Why are They So Effective?

Phishing emails are fraudulent emails that use social engineering (psychological and emotional manipulation) to trick the recipient into:

  1. Giving up sensitive financial information. 
  2. Giving up their credentials (passwords and usernames). 
  3. Transferring large sums of money to criminals or paying fraudulent bills. 
  4. Installing malware, such as ransomware, on your company’s network.

The emotional manipulation ranges from inducing fear and panic (an account is about to be closed) to exploiting the desire to please upper management (the manager or CEO urgently needs the employee to buy gift cards for a client).

See example below:


Anyone Can Be Fooled: Business Email Compromise

Imagine that your employee receives an email from a trusted vendor requesting payment to a new bank account. The email looks exactly like the invoices he’s received in the past and contains enough information about your company’s relationship with the vendor to appear credible.

However, unbeknownst to your employee, your company has been under cyber-surveillance. Through the company’s internet presence, the hackers have been able to determine the identity of some of your clients and vendors.

As a result, they’ve crafted a clever email using a spoofed (fake) address that looks similar to the ones your employee has received from the vendor in the past.

See this sample from our trusted partner at AppRiver:

Many times, attackers will attach a .pdf file containing instructions on modifying wire transfer or ACH payment information. This is to add a sense of legitimacy and attempt to evade some email filters which have trouble extracting information within a PDF… This attachment is an attempt to deceive the recipient to update their ACH payment information for future invoices. This way future payments for invoices route to the attacker instead of the legitimate bank account.


What should your employee do if they’ve received an email like the ones above?

1. DO NOT: Respond directly to an email that is asking for an unscheduled payment, a change in payment method, or payment to a new bank.

2. DO NOT: Click on any links or call the phone number included in the email.

3. DO NOT: Download any attachments.

4. DO: Forward the email as an attachment to your IT team for verification.

5. DO: Call the vendor directly to verify the request. Use the phone number in your files, NOT the one included in the email.

How to recognize a phishing email

As stated previously, it’s easier to hack people than it is to hack a network. For that reason, phishing emails are designed to bypass your company’s antivirus, anti-malware, and firewall and to play on your employee’s fears (or aspirations, as in the examples above).

In the example below, there is a threat that your account will be suspended. This email is looking to capture your employee’s credentials:


However, there are tell-tale signs that this is a phishing email. See the example below:
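Separately from the screenshot examples this report refers to, here is an added Python illustration (not part of the original report and not AppRiver's material) that applies several of the tell-tale signs discussed above to a raw email: a sender domain that imitates a known vendor domain by a character or two or by look-alike digits (1 for l, 0 for o), a Reply-To that differs from the From address, language about changing ACH, wire or bank details, and a PDF attachment. The vendor domain, addresses, names and message text are constructed for the example; in practice the known-vendor list would come from your own accounts-payable records.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a BEC-style message imitating a known vendor.
# Every domain, name and filename here is made up for this example.
SAMPLE_EMAIL = """\
From: "Acme Supplies Billing" <billing@acme-supp1ies.example>
Reply-To: accounts@acme-supp1ies-mail.example
To: ap@victim.example
Subject: URGENT: Updated ACH remittance details for invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please update our bank account on file before paying the attached invoice.
Wire transfer details have changed; see the attached PDF for the new routing number.

--b1
Content-Type: application/pdf; name="Updated_ACH_Instructions.pdf"
Content-Disposition: attachment; filename="Updated_ACH_Instructions.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message from the genuine vendor domain, for contrast.
BENIGN_EMAIL = """\
From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: ap@victim.example
Subject: Invoice 4470
Content-Type: text/plain

Please find invoice 4470 in the portal. Terms unchanged.
"""

# Hypothetical allowlist; a real one comes from your vendor master records.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

# Digits that are commonly swapped for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

PAYMENT_CHANGE_TERMS = re.compile(
    r"\b(ach|wire transfer|routing number|bank account|remittance)\b", re.I
)


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known):
    """Return the known vendor domain this domain imitates, or None.

    An exact match is the genuine vendor and returns None. Otherwise the first
    label is compared after undoing digit-for-letter substitutions, and a
    label that equals, contains, or sits within two edits of a known label
    is treated as an imitation (short labels may over-match; tune to taste).
    """
    d = domain.lower()
    if d in known:
        return None
    norm_label = d.translate(HOMOGLYPHS).split(".")[0]
    for k in known:
        k_label = k.split(".")[0]
        if norm_label == k_label or k_label in norm_label or levenshtein(norm_label, k_label) <= 2:
            return k
    return None


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    target = lookalike_of(from_dom, KNOWN_VENDOR_DOMAINS)
    if target:
        findings.append(f"sender domain {from_dom} imitates known vendor domain {target}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE_TERMS.search(text) or PAYMENT_CHANGE_TERMS.search(msg.get("Subject", "")):
        findings.append("message asks to change or confirm bank/ACH/wire payment details")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            findings.append(f"PDF attachment present: {part.get_filename()}")
    return findings


def needs_verification(raw):
    """Two or more findings means: hold the request and verify out of band."""
    return len(triage(raw)) >= 2


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw), "-> verify by phone" if needs_verification(raw) else "-> no flags")
```

The output is a list of findings rather than a verdict. A message that trips two or more of them should be held and verified by calling the vendor on the number already on file, then forwarded as an attachment to IT, exactly as the steps above describe. None of these checks replaces Multi-Factor Authentication or awareness training; they simply make the signs discussed in this report visible to a mail gateway or a ticketing script.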


The best defense is to take a proactive, risk-based approach to your data and network security.

8 ways to protect your profits, reputation, employees, and vendors:

1. Share the information in this report with your employees today. It’s important to start a conversation with them about phishing email scams, engage in regular training sessions to help them spot a phishing email, and put a reporting mechanism in place so your IT department is made aware of the issue.

2. Invest in an ongoing security awareness training program. Cybercrime is not going away; in fact, it’s only getting worse. Teach your employees how to defend themselves and the company against cybercrime.

3. Invest in Multi-Factor Authentication for your VPN.

4. Protect your email accounts with Multi-Factor Authentication.

5. Don’t allow your employees to shop, visit social media sites, or check their personal email from any devices that are on your network. This includes laptops, mobile phones, and tablets.

6. If you get a request for payment from a vendor to a new bank, call the vendor to confirm (but don’t use the phone number given in the email or respond directly to the email).

7. If the CEO of your company sends you a request to pay a consultant that you’ve never met, then call the CEO to confirm.

8. Have a data and network security assessment completed. You may have potential security risks that you’re not aware of.

If you have questions or would like to schedule a security assessment, please contact us at 866-680-3388 or email sales.dept@consilien.com. We’re here to help.

Sources:

https://cybersecurityventures.com/annual-cybercrime-report-2019-to-2020/

https://www.ibm.com/security/data-breach “Verizon 2021 Data Breach Investigations Report”

https://appriver.com/blog/201409malware-claiming-to-be-from-bill-com

https://appriver.com/resources/blog/september-2019/examining-office-365-phishing-email

https://appriver.com/blog/business-email-compromise-attacks-via-name-impersonation