C-level executives and leadership teams send and receive volumes of sensitive business information each week. Criminal enterprises understand business processes and use phishing scams to target executives and those who report to them. Executives are the focal point because access to decisions and information is greatest at the top.
This well-defined cybercrime process efficiently focuses criminal efforts on high-payoff activities. The targets are not limited to those inside the company: board members, accounting firms, and law firms also store and transmit sensitive business data and are susceptible to targeted attacks.
Worldwide health concerns have made remote work prevalent. As distributed workforces collaborate, attackers exploit the platform that manufacturers and suppliers rely on most for communication: email. Because email is used to share documents and communicate with employees, cyber criminals have increased their focus on phishing to infect devices with malware and steal sensitive information. Understanding what phishing is and learning to identify phishing emails are among the preventive steps you can take to avoid such attacks.
What is the risk associated with phishing?
In the 2019 IC3 report, the FBI recorded 114,702 phishing victims, 25,789 spoofing victims, and 23,775 Business Email Compromise (BEC) victims, with reported losses totaling $2,134,864,500. Only a fraction of these crimes is reported each year, yet the reported losses alone exceeded $2 billion in 2019. Reported losses continue to increase each year.
What are the consequences of not safeguarding data and communications with customers and suppliers?
- Potential loss of information containing customer and financial data.
- Loss of reputation from clients and customers.
- Increased risk of wire fraud from false payment requests.
- Increased risk of malware infections from malicious documents and websites.
What is phishing?
Phishing is a category of cyber attack that uses email to lure unsuspecting victims into disclosing information or opening documents that contain malicious content. According to Cisco, 5 types of phishing attack are commonly used:
1. Spear phishing
Unlike typical phishing attempts, spear-phishing campaigns target specific groups of individuals, such as managers or IT staff. Attackers single out these groups because they tend to have greater access to sensitive data or elevated privileges on devices across the network.
2. Whaling
Like spear phishing, whaling aims at a narrow group; the targets are usually high-level executives, such as CEOs, who often hold the highest privileges on the business network and access to its most sensitive information.
3. Pharming
In a pharming attack, the attacker infects the victim's computer with malicious code that redirects the browser to a counterfeit copy of a website the user commonly visits, even when the correct URL is entered. The attacker's goal is to collect user credentials for later use rather than to gain access to the network directly.
4. Deceptive phishing
Considered the most common type of phishing, attackers use deceptive phishing to trick users into submitting or disclosing confidential information. Deceptive phishing emails often look like emails sent from banks or websites asking victims to click on a link and log into their accounts.
5. Office 365 phishing
As Microsoft products have moved online, cyber criminals have noticed a new opportunity. The attacker sends a crafted email that resembles one from Microsoft and asks the victim to log in. The aim is to capture credentials that give the attacker access to the victim's Microsoft Office 365 environment.
What is spoofing?
Spoofing is a scam in which criminals attempt to obtain someone's personal or business information by pretending to be a legitimate person, company, or website. It can occur through email, text messaging, phone calls, IP addresses, and DNS poisoning.
A spoofing attack occurs when a malicious actor impersonates a trusted device or user on a network. By bypassing access controls that would normally prevent unauthorized users from reaching the network, the criminal can launch attacks against other connected devices, steal sensitive data, and deliver malware.
Who are highly targeted victims of spoofing within organizations?
- CEOs.
- Managing Partners.
- Presidents.
- CFOs.
- Finance Directors.
What is business email compromise (BEC)?
The FBI describes Business Email Compromise as a sophisticated scam targeting businesses that perform electronic payments, such as wire or automated clearing house transfers. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques resulting in an unauthorized transfer of funds.
There are many variations of BEC, also known as Email Account Compromise. One of the most effective variations of BEC is initiated through phishing emails that are designed to steal email account credentials from legitimate users. Cyber criminals use phishing kits that impersonate popular cloud-based email services in order to obtain the login credentials of multiple users within a business. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cyber criminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages, and may also enable automatic forwarding to an outside email account.
Using the information gathered from compromised accounts, cyber criminals can also impersonate email communications between the compromised business and third parties, such as vendors or customers, to request that pending or future payments be redirected to fraudulent bank accounts.
Cyber criminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one manufacturer or supplier can pivot to multiple victims within an industry.
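The mailbox-rule behaviour described above (rules that delete key messages, and automatic forwarding to an outside address) leaves a trail in mailbox audit records, and it can be checked for automatically. The following is an added example, not code from the article or from Certitude Security: it scans a small set of constructed audit records whose shape is a simplified version of Exchange inbox-rule operations (operation name plus a list of parameter name/value pairs). The internal domain list, the record layout, and every address in the sample are assumptions for the example; map them to your own audit export before use.

```python
"""Flag inbox rules that delete finance-related mail or forward it outside the organisation.

Added example (not the article's code). Records are constructed and use a simplified
shape modelled on Exchange inbox-rule operations; field names may differ in a real export.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain(s)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "remittance")

# Constructed newline-delimited JSON audit records (not a real export).
# Records 1-2: a rule named "." that silently deletes invoice/wire mail, then forwards externally.
# Records 3-4: an ordinary newsletter rule and an internal forward, which should stay quiet.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2021-03-01T09:12:44","UserId":"cfo@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2021-03-01T09:13:02","UserId":"cfo@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"."},{"Name":"ForwardTo","Value":"collector@example.net"}]}
{"CreationTime":"2021-03-01T10:02:10","UserId":"buyer@example.com","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@example.org"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2021-03-01T10:30:00","UserId":"buyer@example.com","Operation":"Set-InboxRule","Parameters":[{"Name":"Identity","Value":"Newsletters"},{"Name":"ForwardTo","Value":"assistant@example.com"}]}
"""


def params_to_dict(record):
    """Flatten the [{Name, Value}, ...] parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def classify_rule(record):
    """Return the reasons a rule-change record looks suspicious (empty list if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_to_dict(record)
    reasons = []
    # Deleting matched mail hides the victim's own correspondence from them.
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes-messages")
    # Rules keyed on finance vocabulary are the BEC pattern described in the article.
    if any(k in params.get("SubjectContainsWords", "").lower() for k in FINANCE_KEYWORDS):
        reasons.append("targets-finance-keywords")
    # Any forward/redirect to a domain we do not own.
    for name in FORWARDING_PARAMS:
        for addr in filter(None, params.get(name, "").split(";")):
            if is_external(addr):
                reasons.append(f"forwards-externally:{addr}")
    # Names made only of punctuation are easy to overlook in a rule list.
    if (params.get("Name") or params.get("Identity") or "").strip(" .-_") == "":
        reasons.append("hidden-rule-name")
    return reasons


def scan_audit_log(text):
    """Return (user, operation, reasons) for every suspicious record in the log text."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        record = json.loads(line)
        reasons = classify_rule(record)
        if reasons:
            findings.append((record["UserId"], record["Operation"], reasons))
    return findings


if __name__ == "__main__":
    for user, op, reasons in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{user} {op}: {', '.join(reasons)}")
```

Run against the constructed records, the scan reports only the two operations on the CFO's mailbox; the buyer's newsletter rule and internal forward produce no findings. In practice the same logic runs over the audit export of whichever mail platform is in use, and a finding should trigger a review of the mailbox and its recent sign-ins rather than an automatic rule deletion.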
What is social engineering?
In the context of this article, social engineering is the use of deception to manipulate individuals into performing actions that can lead to divulging confidential or personal information that can be used for fraudulent purposes.
Phishing attacks are part of a social engineering strategy: by imitating a trusted source, they create a seemingly logical reason to cooperate. Exploiting trust or curiosity, a phishing email typically relies on one of two methods to advance the criminal's goal:
- A link that draws your attention because it appears to come from a customer or supplier. Trusting the link, you click and are infected with malware, so the cyber criminal can gain access to your system, collect your contacts, and send them the same malicious email that deceived you.
- A download of pictures, .wav files, or documents with malicious software embedded. If you open or download the file, which you are likely to do, you become infected. The cyber criminal now has access to your system, data, email account, social network, and contacts, and new attacks are launched against everyone you know.
A common occurrence with phishing emails
According to Symantec's 2019 Internet Security Threat Report, at least 1 in 369 emails received by manufacturing companies contained malicious content. Usually the malicious content is not in the email body itself but in a document attached to the email.
Once the victim has downloaded and opened the malicious document, a script hidden within the document will run. Oftentimes, these scripts will instruct the computer to download and execute various forms of malware without the user knowing. The most common malicious attachments found with phishing emails are .doc/.dot, .exe, and .rtf files.
Does user awareness training help prevent fraud from phishing?
You cannot manage what you do not monitor or measure. Consistent awareness training reinforces the importance of security and builds resistance to phishing attacks.
Each employee performs one or more functions in support of the business vision. Many of those employees use email to perform in their roles. The leadership team would ideally communicate why security is important to the organization and that everyone has a role to play in protecting the company. If the spirit of training is continuous improvement, receptivity and cooperation improve over tactics where management runs around with a big stick.
Telltale signs of a phishing email
Deciding whether an email is a phishing attempt can be tricky, even for a security-savvy person. Fortunately, there are ways a user can identify a phishing attempt. Cofense, a provider of phishing prevention services, lists 7 ways to identify a phishing email.
1. Emails demanding urgent action
Emails whose subject line threatens a consequence unless the recipient acts immediately are often phishing emails. Attackers try to scare potential victims into opening the email before they have a chance to check its legitimacy.
2. Emails with bad grammar and spelling mistakes
Emails from a legitimate company are often checked for spelling and grammatical errors before being sent.
3. Email with an unfamiliar greeting
Phishing emails often use a nonstandard greeting when addressing the potential victim, because the attacker either does not know the victim's full name or does not know how employees greet each other in that workplace.
4. Inconsistencies in email addresses, links, and domain names
When inspecting an email, check the sender's email address and the URL of any link. If the email comes from someone you are unfamiliar with but the address closely resembles your organization's, check whether there have been any previous interactions with that address. Hovering your mouse over a link reveals the real URL behind it. If the URL appears suspicious, do not click the link.
5. Suspicious attachments
Attachments in unexpected emails, and executable programs in particular, should not be opened. Businesses often use services such as Dropbox or SharePoint to share files instead.
6. Emails requesting login credentials, payment information, or sensitive data
Reputable companies will never ask you for login credentials by email. If you are asked to log into your account, make sure the website is legitimate before submitting any information. If possible, call the company and verify that it sent the email.
7. Too good to be true emails
Emails that portray a message of somehow receiving a reward are often phishing emails.
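Several of the signs listed above (an urgent subject, a Reply-To that does not match the sender, a link whose visible text names a different site than its real destination, an attachment of a commonly abused type, and a request to log in) can be checked mechanically before a message reaches a reader. The following is an added example, not code from the article or from Cofense: a small heuristic checker using only the Python standard library, run over a constructed .eml message in which every address and domain is made up (supplier.example.com plays the genuine vendor, example.net the impostor). The indicator names, keyword lists and the two-label domain comparison are the example's own simplifications.

```python
"""Phishing-indicator checks over a constructed sample message (added example, not the
article's code): the telltale signs above as checks a mail-gateway script could apply.
All domains and the message itself are made up."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended")
CREDENTIAL_WORDS = ("log in", "login", "verify your password", "confirm your account")
RISKY_EXTENSIONS = (".doc", ".dot", ".exe", ".rtf")  # attachment types named in the article


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_address(addr):
    """Lower-cased domain part of an address header value."""
    match = re.search(r"@([\w.-]+)", str(addr or ""))
    return match.group(1).lower() if match else ""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(msg):
    """Return the indicator names found in an email.message.EmailMessage."""
    indicators = []
    subject = str(msg["Subject"] or "").lower()
    from_domain, reply_to_domain = domain_of_address(msg["From"]), domain_of_address(msg["Reply-To"])
    if any(word in subject for word in URGENCY_WORDS):          # sign 1: urgency
        indicators.append("urgent-subject")
    if reply_to_domain and reply_to_domain != from_domain:      # sign 4: replies go elsewhere
        indicators.append("reply-to-mismatch")
    text, collector = "", LinkCollector()                       # gather body text and links
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
            text += re.sub(r"<[^>]+>", " ", part.get_content())
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    for href, visible in collector.links:                       # sign 4: shown site != real site
        if "://" not in visible and not visible.lower().startswith("www."):
            continue                                            # plain words, nothing to compare
        shown_host = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(urlparse(href).hostname or ""):
            indicators.append("link-text-mismatch")
            break
    for part in msg.iter_attachments():                         # sign 5: risky attachment type
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            indicators.append("risky-attachment")
            break
    if any(word in text.lower() for word in CREDENTIAL_WORDS):  # sign 6: asks for credentials
        indicators.append("credential-request")
    return indicators


# Constructed sample: supplier.example.com is the genuine vendor, example.net the impostor.
SAMPLE_EML = """\
From: "Accounts Payable" <ap@supplier.example.com>
Reply-To: billing@invoices.example.net
Subject: URGENT: updated remittance details, action required immediately
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please log in to confirm the new bank details before payment:
<a href="http://invoices.example.net/portal">https://portal.supplier.example.com</a></p></body></html>
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"

AAAA
--b1--
"""


def check_sample():
    """Parse the constructed message and return its indicators."""
    return phishing_indicators(email.message_from_string(SAMPLE_EML, policy=policy.default))
```

On the constructed message all five indicators fire. Each check is deliberately simple and will produce false positives on its own (a legitimate vendor may well write "urgent"), so in practice a score over several indicators, or a quarantine-for-review action rather than a block, is the appropriate response; the two-label domain comparison also misjudges country-code second-level domains and should be replaced with a public-suffix lookup in production.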
Changing the game: smishing and vishing
While a majority of phishing attacks use email as the attack vector, smishing (SMS phishing) and vishing (voice phishing) have become more prevalent in today's interconnected society. According to a survey Proofpoint conducted in 2019, 84% of InfoSec professionals reported SMS/text (smishing) attacks, while 83% faced voice phishing (vishing).
Barracuda Network defines smishing as “the act of committing text message fraud to try to lure victims into revealing account information or installing malware.” SMS phishing works in the same manner that email-based phishing does. The attacker will use publicly available information to craft text messages requesting an immediate response or action from the victim, such as following the link provided in a text message or submitting a One-Time Password (OTP) as a response.
Vishing is a form of phishing that relies more heavily on social engineering to gather sensitive information, such as employee usernames and passwords, and can also be used to identify other potential targets. Cyber criminals conducting vishing often impersonate an IT representative or an employee of a service your company uses for day-to-day tasks.
While communicating with the first potential victim, the attacker asks for a variety of sensitive information for later use. Vishing is dangerous because the attacker can learn about more desirable targets, such as the email address or phone number of company owners, or which employees fulfill certain roles within the organization. Armed with that information, the attacker can then target other individuals within the organization, increasing the probability of success.
What are the resource requirements?
Investments in email filtering, DNS filtering, endpoint protection (anti-virus and anti-malware), two-factor authentication, employee training, process changes, and maintenance are fundamental requirements. The budget depends upon the size of your team, compliance requirements, contract requirements, and the other obligations and data protection liabilities your company has in place today. A process change can require little time or effort, such as no longer accepting email as verification for wire transfers, or treating emails marked urgent with suspicion.
How to stop phishing attacks
Unfortunately, the only way to guarantee that phishing attacks stop is to discontinue the use of email within your organization. The next best defense is to train your employees to identify and report suspicious emails. Developing a response plan for the case in which a phishing email is opened, and training staff on how to respond to such incidents, is the best approach to dealing with phishing emails.
Phishing will remain one of the most common and successful methods for attackers to penetrate manufacturers. It is affordable, scalable, automated, and effective. Are you prepared?
We suggest that you conduct simulated phishing campaigns rather than relying on generic simulation solutions. This lets you assess the effectiveness of your current training program and determine where weaknesses exist. The results can also be an effective argument for starting a training program to help your employees identify phishing emails. It only takes one wrong click for cyber criminals to access your company data.
As a proud supporter of American companies, Certitude Security® is working diligently to inform leaders and facilitate essential asset protection priorities for manufacturers and supply chains throughout the United States.
Problem discussions can be a defining moment in your career. If you are interested in value creation, learn about SPOT-Beam™ by Certitude Security®. We look forward to helping you and your business succeed!