Phishing for Gold
With the rise in “Phishing” emails affecting hundreds of businesses a day in the UK, Texaport is working with our clients to implement industry-leading Mail Filtering solutions. These solutions help to identify, isolate and quarantine suspicious emails which could harm individuals and businesses either directly through an infectious attachment or indirectly through gathering security credentials, particularly passwords.
In an attempt to raise awareness among individuals and businesses of the nature, implications, and methodology of some of the most common attacks through email channels, please find a breakdown of the most common attacks below.
One of the most famous phishing scams of all time is the impersonation of an unknown “official” in a country or organisation who can’t be verified.
-The “official” requests bank details so that money can be transferred into the recipient’s account; these are the same details that allow money to be transferred out of the recipient’s account.
•To avoid falling victim to this, users should always verify the email address of the sender and compare the content to what they should expect to receive. If the offer seems “too good to be true”, it usually is.
Similar scams include the “Airport Lost and Found” email and the “Charity donation” scam. Both are designed to provide the recipient with a huge boon for very little/no work and will end up emptying their bank account(s) or siphoning their data.
Another common type is the prolific spam email claiming to offer “gift cards” or “rewards” to the recipient from common services with which the recipient is likely to have an account.
-The danger here is similar to that of the “prince” scam where the recipient willingly discloses their financial details in the hope of being remunerated.
•Avoiding catastrophe with these emails relies on the same two things: vigilance and understanding. If there is a link in the email, hover over it to verify the address it will actually send you to, as the visible link text can be masked very easily.
A more sophisticated and less obvious approach is for the sender to appear to be a service provider, e.g. Microsoft. Historically these types of attack were perpetrated over the phone, with “Microsoft” claiming to be able to clear a virus from an infected computer which the user hasn’t noticed. They would charge a fee to increase legitimacy and then either:
-Lock the computer until further payment is made
-Infect the computer with a piece of software which could gather additional information about the individual, or operate in the background sending each of the individual’s keystrokes back to the criminal to identify bank details, email account details, etc.
This attack has evolved to be effective through email by appearing to have been sent by “Microsoft” or other services claiming that there is an issue with either billing or account details. The email contains a link which appears genuine asking for the user to sign in, building legitimacy as the user feels that they are signing in to “Microsoft”. The page will usually look similar to the official “Microsoft” page to the untrained eye, but on closer inspection will be riddled with inaccuracies. Typically, when a user fills in their details they will be redirected to the legitimate sign-in page as if the username and password were incorrectly entered. By this time the user’s details have been sent to the criminal for use as and when they please.
-The danger here is that typically the service will be a “core” service such as email, which would hold details of the other services or accounts in which the user stores their information, such as bank details or online stores.
•To prevent succumbing to this attack we would recommend double checking the email address which sent the message to verify that the sender is legitimate. We always advise users to forward suspicious messages to their IT provider if they are in doubt as to the legitimacy of a sender.
A growing threat in email security is “Spear-Phishing”, a targeted email designed to convince the recipient that it is from a legitimate contact by using personal or professional details. A good example within a business environment is the impersonation of a CEO or Director requesting a payment or sensitive information. The sender will have their display “name” set to that of the CEO/Director so that, at first glance, the recipient believes the email is from them.
-The danger in this scenario is that the recipient will share the information or authorise a payment through valid channels without realising that this was not a real request.
•To avoid this, users should double-check the address which the request came from. It’s our recommendation that all business users should email using their business email addresses rather than involving personal addresses as this could muddy the waters. This way if an email is received from outside of the company’s domain (company.com) it can safely be ignored and/or sent on to the IT partner.
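The two checks described above, the display name of a Director arriving from an address outside the company’s domain and a link whose visible text differs from where it actually points, as an added example written for this article rather than code from Texaport; the domain company.com is taken from the text, while the executive name and the sample message are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "company.com"   # the page's example internal domain
EXECUTIVES = {"jane doe"}        # constructed: display names worth protecting

# Constructed sample: CEO's name on an external address, and a link whose
# visible text says microsoft.com while the href goes somewhere else.
SAMPLE = """From: Jane Doe <jane.doe@mail-example.net>
To: accounts@company.com
Subject: Urgent payment
Content-Type: text/html

<p>Please pay today. Sign in at
<a href="http://login-example.net/ms">https://login.microsoft.com</a></p>
"""

def _body_text(msg):
    # Join the decoded text of a plain message or of every text/* part.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in parts if p.get_content_maintype() == "text")

def check_email(raw):
    """Return a list of phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    internal = domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)
    if not internal:
        findings.append("external-sender")
        if name.strip().lower() in EXECUTIVES:
            findings.append("executive-name-on-external-address")
    # Compare the host a link claims to go to with the host it really goes to.
    # Link text that is not a URL (e.g. "click here") gives no host to compare.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>',
                                 _body_text(msg), re.I | re.S):
        shown = urlparse(text.strip()).hostname or ""
        real = urlparse(href.strip()).hostname or ""
        if shown and shown != real:
            findings.append(f"link-mismatch:{shown}->{real}")
    return findings
```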
Securing your business should be your top priority, but sometimes the risk is with your clients or suppliers. You can also help your clients understand the risks of fraudulent email and minimise this by ensuring that they always verify the email address which distributes invoices to avoid a criminal masquerading as your business. Ensure that your process of client and supplier vetting takes into account their IT security and processes.
Simple steps to avoid falling afoul of email scams:
a. Don’t follow links in emails
b. Pay attention to the link in the email and ensure it is legitimate
c. Verify that the web address you have gone to is legitimate
d. Deploy a “Web Filter” which would block malicious or impersonating websites
e. Check the sender’s email address
f. Verify that it is actually the sender by contacting them via another method (not by responding to the email)
g. Do not communicate for business purposes with any email other than the designated official email addresses
h. Involve other members of the team (where possible) to cross-reference the email, invoice, etc.
As cybercriminals are able to exploit new vulnerabilities and deploy new tools to attack businesses and their supply chains, companies should be employing a holistic approach to the security and integrity of their data, hardware, and users to reduce the risk of this. Hardware and Data security are essential components of an approach to security, but these are redundant if the end user is unaware of the threats and can usher a criminal through the defences to sensitive data or systems.
There are of course many more types of phishing attacks, scams, and cons doing the rounds, but at least if we can raise awareness about these most common types the success rate should drop. If you have concerns about your Cyber Security or would like to find out more about how we could help your business email firstname.lastname@example.org