It’s a Great Day to Go Phishing!
Every fishing enthusiast will tell you that one of the best times to go fishing is in the Fall to get the best action. So too, phishing experts agree that phishing and other types of fraud increase in the Fall because of increased consumer activity. According to a 2020 Experian surveye in four) of the respondents were a victim of holiday fraud. The figure is up 12% from the survey responses a year before. This means Fall 2021 is expected to set a record for phishing and other types of fraud.
Spear Phishing - Show Me Who Your Friends Are
While phishing uses a general, non-personalized email to a broad audience, spear phishing, on the other hand, used personalized emails to appear more legitimate to the recipient. By sending personalized emails under the guise of trusted brands or known associates, consumers fall prey to fraudsters attacks. Spear-phishing attempts are not just directed at consumers.
It’s important to remember that the Target data breach was not a direct attack on Target’s internal network. Their HVAC Refrigeration vendor was breached, which gave the criminals access to Target’s data systems. As with every phishing attack, a simple Google search showed Target’s supplier list, making it easy for the attackers to send out phishing emails to their vendors. A simple spear-phishing email was sent to Fazio Mechanical, Target’s refrigeration contractor. At least one employee took the bait and clicked on links that allowed the Citadel trojan to be installed on Fazio’s computers. For those of you who remember the ZeuS banking trojan, Citadel is a variation of this menace. This malware harvested login credentials to the Target Supplier Portal. From there, the attackers were able to undermine their internal Windows Servers. These criminals stole 40 million credit card numbers in the most significant data breach at that time.
To this day, Target has never disclosed how the attackers were able to do so or what vulnerabilities were exploited. Still, there are several possible scenarios, including a SQL injection or XSS to attack their systems. Target paid an $18.5 million settlement to resolve state investigations of their cyberattack. However, Target estimated the total cost of the breach was about $202 million. This is an expensive lesson in modern-day vendor relationships. You may believe your own systems are safe, but you are only as secure as the vendors you do business with.
Whale Phishing - The bigger they come, the harder they fall
For the most part, executives are shielded by deputies, assistants, and security guards, who all make it just a little bit tougher to speak directly with anyone in the C-Suite. However, if a fraudster can gain access to an executive’s confidential information, that opportunity can yield a financial score. Since executives have the authority to make high-value decisions and authorize higher-dollar payments, whale phishing targets executives so the criminals can gain access to the highest possible authorization. Using the executive’s credentials, high-value transactions can be made by the business to fraudulent accounts. In whale phishing, the CEO is the target.
In 2020, one of the co-founders of hedge fund Levitas Capital clicked on a fake Zoom invitation link where the attackers tried to steal $8.7 million through sending fake invoices. Ultimately, they only got away with $800,000, but the reputational damage caused Levitas to lose their most significant client, forcing them to close.
This is not the same as CEO fraud, where a senior executive is impersonated to target a junior employee. In this scenario, a member of the management team receives a fraudulent email under the guise of the CEO to complete a financial transaction. For example, the management team member may receive an email where the CEO wants to have a company appreciation day by providing $100 gift cards to every employee. The transaction to buy the gift cards sends the money to a fraudulent account.
Brand Impersonation - Nothing is as it seems
Well-known brands that are regularly impersonated by scammers include Bank of America, Chase, Netflix, Microsoft, Amazon, and AT&T. Customers and non-customers alike receive emails with legitimate-looking details and language alerting them to issues with their billing or account details. The email urges the recipient to take action by clicking on a link that takes them to an account login page to correct the issues. Links are usually very close, sometimes only one or two letters off from the real domain. Today, Microsoft is the most impersonated brand in the world. Therefore, it is crucial that consumers and employees are educated about clicking on false links in phishing attempts.
Angler Phishing - Any which way but loose
Angler phishing is a form of brand impersonation where criminals pretend to be a customer service agent for your company on social media. About 55% of angler phishing attacks were customers of financial services companies. A customer makes a social media post about their hold time or other dissatisfaction, and a friendly “customer service agent” quickly reaches out to apologize for the inconvenience. The fraudulent customer service agent purports to offer the customer assistance by asking them to confirm account details to resolve their issue. However, this “helpful” customer service agent is not with the customer’s financial institution. In fact, that financial institution does not have a separate customer service team for their social media account.
These attacks are perpetrated by criminals who set alerts and notifications for customer service keywords from specific organizations. By doing this, they are more prepared and “available to help” resolve issues as they arise. To counter anglers, financial institutions need to be prepared by dedicating resources to monitor, quickly respond and proactively manage social media accounts to foil attempts to gain client information through this phishing scam.
Consumers are more open than ever to do business via text message. Unlike email-based phishing, smishing sends a text message to a user’s phone, usually with links for consumers to click on. For example, in 2018, hackers in Ohio sent smishing messages pretending to be from Fifth Third Bank, telling them they were allowed to use their phones to get cash instead of the ATM. Hackers got 125 customers of Fifth Third Bank to give their usernames and passwords, enabling them to steal $106,000 from ATMs in Ohio, Michigan, and Illinois.
Today, the pandemic has left millions of Americans on unemployment benefits. The Federal Trade Commission has received complaints about hackers targeting individuals with text messages asking them to verify personal information or make corrections on their unemployment benefits application by clicking on a link in the text message. By clicking on the link, hackers were able to steal the consumers’ usernames and passwords, change the necessary information, and steal their benefits each month.
Vishing - Yes, people still use voicemail
For those of us who still find voicemails necessary, vishing involves attackers leaving voicemails asking consumers to take action. This involves visiting a phony website or calling a phone number to take some action where that individual will need to disclose personal information or user data. These voicemails use specific details to local banks, businesses, and even the local police department. Others use Caller ID spoofing to hide their actual telephone number and pretend to be from a legitimate organization.
Tis the Season for Fraud
Preventing fraud and cyberattacks this Fall requires a continued effort to educate staff and members on all the various types of fraud and the different touchpoints where they may be encountered. Fraud prevention strategies for your institution include proactive monitoring of not only your internal systems but external social media accounts as well. As illustrated in the examples above, fraudsters will exploit any opportunity at the corporate and consumer level to steal money.
These fraudsters do their homework by obtaining credible information to make their scams believable. They monitor the content of a brand’s advertisements, social media accounts, and even register for email updates/newsletters to learn the “voice” of the organization. They can create credible advertising or account-concern emails to trick consumers into revealing their account credentials with that common information. The best deterrent against these schemes is ongoing education for members and employees.
Finally, think about the opportunities that remote work has created for these schemes to flourish with the increase of emails and corporate login credentials for online tools such as virtual meetings. An increase in electronic communications equals an increase in the opportunities for fraud.