
Online phishing scams employees should be aware of

By Dakota Murphey

    One of the most effective forms of cybercrime is phishing – the practice of sending emails that appear to be legitimate but trick recipients into disclosing sensitive information or installing malware. Cybercriminals are constantly thinking up new ways to fool their targets, so scams are constantly evolving.

    It is important to keep your employees aware of how phishing scams are changing. Here are some of the most common phishing scams currently in circulation.

    1. Invoice payment scams

    Invoice payment scams are sometimes known as Business Email Compromise (BEC) attacks. In conducting these attacks, criminals will typically seek to impersonate a senior company executive by taking control of or spoofing the person’s email account. By crafting compelling messages, they then attempt to trick known acquaintances of the individual into transferring payments for goods or services into alternate bank accounts.

    According to recent figures released by the FBI, BEC attacks have cost businesses £9.52 billion in the US over the last five years.

    2. Payroll scams

    These are similar to invoice payment scams but specifically target payroll and HR departments in order to change bank account details relating to employee salary payments. The payroll department changes the account details, and usually no one notices the change until payday passes and the employee realises that they haven’t been paid.

    In December 2018, the US Internal Revenue Service (IRS) was forced to issue a warning after observing an uptick in such attacks.

    3. Distribution scams

    This occurs when a business receives an order from a well-known organisation or institution. The business takes for granted that the order is genuine and fulfils the request without having first received payment. The order usually turns out to be false and the goods are shipped to a location that looks legitimate but is easily accessible to the criminals behind the scheme.

    A recent example of this involved a fraudster imitating a university and causing a business to lose in excess of £350,000. These scams can be very effective because they often rely on the name of a well-known organisation that the victim feels they can trust.

    4. HMRC scams

    Over the last three financial years, HMRC has received more than 2.6 million reports of phishing, with approximately 20,000 spoofed sites being taken down in 2018 alone.

    Like distribution fraud, HMRC scams are successful because they rely on the reputation of the institution being imitated. An email announcing a significant tax rebate is likely to be well received but, sadly, is often too good to be true. The prospect of a rebate causes businesses and individuals to forget about the normal checks and precautions they would take.

    5. Office 365 scams

    When a system or application is popular you can guarantee that it will become a target of criminals. So, the fact that Office 365 is so frequently used across businesses means that its users are now a regular target of phishing attacks. Recent Office 365 scams include fake security alerts, meeting requests and non-delivery email notifications.

    Users might be sent an email that requires them to sign in to their Office 365 account; however, they are then sent to a spoofed site where their details are harvested.

    Final Thoughts…

    With phishing scams evolving all the time, it is important to continually improve employee awareness in order to mitigate the security risks to your business. It is a great idea to monitor the news to help identify new types of attacks and use any information gained to help inform employee awareness programs. Simulated penetration testing is also a great way to help improve the awareness of your employees and has the added benefit of enabling you to track and measure the success of training efforts.

    Dakota Murphey has a wealth of experience in business management and has previously worked as a business growth consultant for over 10 years. She now enjoys sharing her knowledge through her writing and connecting with other like-minded professionals. Find out what else she's been up to on Twitter: @Dakota_Murphey
