This week, BC Hydro issued a press release regarding a phishing attack that has been spoofing their email to lure customers into giving up banking information in order to obtain a refund. Thousands of scam emails have gone out across the province and into an inbox near you. While the general public must always be diligent in watching out for email scams, cyber criminals are even more interested in going after SMBs and other organizations. After all, that’s where the money is.
With this commercial focus, phishing attacks are getting more sophisticated. Earlier this year, nationwide news broke about how the City of Ottawa lost an estimated $130,000 CAD of taxpayer funds to a phishing scheme. The city treasurer received an email from an individual claiming to be her colleague, the city manager, requesting that a wire transfer for $98,000 USD be made to a specified account. After some back-and-forth email communication the transaction was completed. However, five days later, when the treasurer received another wire transfer request for an additional $200,000 CAD (est.), a red flag was raised. Why? The treasurer and city manager were sitting together at the time of the email delivery. The treasurer quickly realized she had fallen victim to an advanced form of email fraud known as spearphishing, a cyber attack that targets specific individuals within an organization in order to obtain access to sensitive data and financial reserves. Sophisticated spearphishing is accompanied by extensive research about the targeted individuals and their colleagues so that communications appear genuine. It is a very effective tactic that preys upon key personnel in a given business or organization.
The implications of commercial phishing are dire. Stolen funds are bad enough, but when customer/client data and accounts are compromised, your business runs a massive liability risk too. Then there are the punitive measures that may come with the recent update to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
We have provided tips for protecting your business from cyber fraud here, but with this new wave of targeted phishing attacks we think it’s time to identify the people in your company who are being singled out for email scams so that you can protect them, and ultimately your business.
5 Individuals in Your Organization That Are Being Targeted by Advanced Email Phishing Schemes
1. Accounting and Finance Personnel
This is the most obvious target. Those in charge of business financials have the access and authority that cyber criminals need. They will search online (via your website, LinkedIn, etc.) to identify those in your company who may have authority to wire funds and pay invoices. Once identified, fraudsters will collect information on your accounting personnel’s colleagues along with suppliers, vendors, and other third parties so that they can create emails that spoof the respective identities, emails that they will use to request payments and money transfers.
2. Administrative Personnel
A recent study found that business software credentials have surpassed financial account logins as the information that phishers want most. A cyber criminal would rather have access to company email and online business services such as MS 365, Google G Suite, Amazon Web Services (AWS), and any other cloud-based software-as-a-service (SaaS) than a single bank account number. Why is this the case?
With these credentials, a cyber criminal gains unfettered access to your entire company’s files. That means in addition to corporate financial accounts, they may get access to the emails and contacts for your internal staff, third parties, and customers/clients. They can go a lot further and do a lot more damage with this.
How will they go about getting these credentials? Attackers will pose as support personnel from your software service vendor. They will spoof emails (or SMS messages) from Microsoft, Google, Amazon or another SaaS provider applicable to your business, and claim that there was a suspicious login, that a password expired, or that the company subscription has reached expiration. Within the communication, they will provide a link that purports to lead to a password reset or subscription renewal but that actually delivers malware. Once the malicious payload has been downloaded, your online operations may cease and your business will fall prey to ransomware.
Who commonly receives vendor solicitations regarding business software subscriptions? Your administrative personnel. When administration receives notice to take immediate action to avoid a disruption of online business services, they may do so to keep things running smoothly, but in doing so they may inadvertently click a malicious link or attachment.
3. Customer Service
InfoSecurity Magazine reports that successful phishing attacks require a quick response from victims. In order to keep up with advanced cyber security software, phishers often change emails, domains, and malicious links within a few hours of a campaign being executed. Simply put, they need to target individuals in your business who will be more likely to check communications often, and will be more likely to respond right away. Who are these people? Customer service. It’s their job to stay on top of outside communications, and to respond immediately. Customer service personnel typically won’t take the time to scrutinize email sender validity, nor will they investigate links and attachments before clicking to open them – especially if the supposedly upset or concerned customer/client is making an urgent demand or claim.
4. Your Social Network Advocates
While there’s a long way to go, companies are making strides towards better email fraud awareness. Because of this, cyber criminals are ramping up social media phishing schemes to steal information and deliver ransomware.
In fact, social media is primed for it. It is fairly easy for attackers to collect personal information about executives in your company via LinkedIn, Facebook, Instagram, and Twitter. From there, they can create false profiles complete with photos, and then use those fake profiles to connect to other staff members who are highly active on social media. These socially active members may manage your company’s social profiles, or may simply be brand advocates from their personal accounts. Phishers can easily find and identify them by cross-referencing your online company directory with the same names and geographic locations on a given social network. From the fake profiles, they will connect via a follow or friend/connection request and from there initiate contact. This is highly effective when the relationship is “top down”, with a supposed superior connecting to a subordinate. Once the connection is complete, the phisher will use direct messaging on the social network to request sensitive information or to share a malicious link/attachment.
5. Business Owners and Executives
As the business owner or a top executive you’re the biggest target because you hold the key to it all. Cyber criminals want to impersonate you so that they can reach out to the individuals we’ve identified above, along with third party vendors/suppliers. By gathering information about you and spoofing your email they will leverage the authority that comes with your title to trick company staff into releasing sensitive information or transferring funds.
You’re the big fish when it comes to phishing schemes, so you will need to be more diligent than everyone else in the company, and set the standard for the rest to follow.
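The impersonation patterns described in this post (an executive’s name used from an outside mailbox, a lookalike vendor domain, a Reply-To pointing elsewhere, and a payment or credential demand in the body) can be turned into a simple triage check for a mail gateway or help desk. The following script is an added example and not part of the original post; the corporate domain, executive names, vendor list and sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed reference data (assumed for this example, not from the original post).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}                      # display names staff would trust on sight
KNOWN_VENDORS = {"microsoft.com", "google.com", "amazon.com"}
PAYMENT_CUES = re.compile(r"wire transfer|bank details|pay(ment| the invoice)|"
                          r"password (has )?expired|suspicious login|subscription.*(expir|renew)", re.I)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss domains such as micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw: str) -> list:
    """Return the reasons a message deserves a second look (empty list = nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Executive impersonation: a trusted display name arriving from an outside domain.
    if name.lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{name}' used from external domain {domain}")
    # 2. Vendor lookalike: domain is a near-miss of, or padded around, a known vendor name.
    for vendor in KNOWN_VENDORS:
        base = vendor.split(".")[0]
        if domain != vendor and (edit_distance(domain, vendor) <= 2 or base in domain):
            reasons.append(f"sender domain {domain} resembles vendor {vendor}")
    # 3. Reply-To redirecting the conversation away from the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Payment or credential urgency cues in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CUES.search(text):
        reasons.append("body asks for a payment or credential action")
    return reasons

# Constructed sample: a 'city manager' style wire request sent from a free-mail address.
SAMPLE = ("From: Jane Doe <jane.doe.ceo@gmail.com>\nReply-To: accounts@example-payments.net\n"
          "Content-Type: text/plain\n\nPlease arrange a wire transfer of 98,000 USD today.\n")
```

Running `triage(SAMPLE)` returns three reasons for the sample above; a genuine message from jane.doe@example-corp.com with no payment cue returns an empty list.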
What Can You Do?
Now that you’ve identified the top targets in your organization, take responsibility as a corporate officer by holding a meeting to go over this phishing prevention plan with them. In addition, review your current cyber liability coverage to ensure that it is comprehensive enough to cover all that may come from the advanced phishing attacks that are plaguing the commercial landscape of British Columbia. Contact Park Insurance to receive an assessment right away.