Phishing email attacks are nothing new; they have been around for years. However, our technical teams have recently seen a considerable increase in the frequency of this type of attack. More recently still, these attacks have been preceded by coordinated social engineering, which makes them even more effective at trapping victims.
So what is phishing?
Phishing is a process in which criminal gangs and other malicious attackers try (and often succeed) to obtain confidential information and passwords from unsuspecting users by pretending to be an official body such as a bank, eBay or Amazon and asking you to update or confirm the information they hold on you.
Happily, most computer users have become used to these attacks and are generally more cautious about answering spoof emails. Furthermore, spam filters are getting much better at recognising them and, although you will still see some, most are stopped before they reach your desktop.
However, there is a new threat
It is very real, very frequent, very dangerous and exceptionally convincing, and unfortunately there have now been numerous criminal successes against many businesses.
The new threat uses a mix of social engineering and phishing techniques, and this combination is proving very successful against unsuspecting recipients.
Attackers gather information from sources such as your own website (to collect staff names and roles from your contact pages) and social media such as LinkedIn, Twitter and Facebook, to find people associated with your company. Often the chosen individual is a Director or another C-level individual.
This initial research is done to prepare the final delivery stage of the attack, and the most common delivery method is email.
One common technique we have seen is attackers using what they have learned to register fake domain names that look very similar to the corporate domain (a swapped or extra letter, or a different top-level domain), or simply spoofing the real address.
The email then appears to come from someone important within your company, asking someone else (who is also likely to be a decision maker) to perform some action such as making a payment or handing over further personal information. If the payment goes through it ends up in the attacker's bank account, and very often there is little you can do about it once it has happened.
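The two tricks described above (a lookalike domain, or a spoofed real address with the reply steered elsewhere) can both be caught mechanically before a human ever reads the request. The following is an added example written for this article; it is not Taylor Made's tooling. The corporate domain "example.co.uk", the homoglyph table and the sample headers are all constructed for illustration.

```python
"""Classify inbound sender addresses against a corporate domain.

Added example for this article; it is not Taylor Made's tooling. The corporate
domain "example.co.uk", the homoglyph table and the sample headers are all
constructed for illustration.
"""
from email.utils import parseaddr

# Characters and digraphs attackers substitute because they look alike in many
# fonts. Assumed table for illustration; extend it for your own mail clients.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalise(label):
    """Lower-case a domain string and fold common look-alike characters."""
    out = label.lower()
    for lookalike, real in HOMOGLYPHS.items():
        out = out.replace(lookalike, real)
    return out


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of a bare or display-name address."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(address, corporate_domain, max_distance=2):
    """Return "internal", "lookalike" or "external" for the sender's domain.

    "internal" is the corporate domain or a subdomain of it. "lookalike" is any
    other domain that equals the corporate one after homoglyph folding, or whose
    first label contains the corporate label or is within max_distance edits
    of it. Very short corporate labels will give false positives; tune for yours.
    """
    domain = domain_of(address)
    corp = corporate_domain.lower().rstrip(".")
    if domain == corp or domain.endswith("." + corp):
        return "internal"
    if normalise(domain) == normalise(corp):
        return "lookalike"
    corp_label = normalise(corp.split(".")[0])
    dom_label = normalise(domain.split(".")[0])
    if corp_label in dom_label or levenshtein(dom_label, corp_label) <= max_distance:
        return "lookalike"
    return "external"


def header_warnings(headers, corporate_domain):
    """Warnings for a message's From and Reply-To headers (dict of header -> value)."""
    warnings = []
    sender = headers["From"]
    if classify_sender(sender, corporate_domain) == "lookalike":
        warnings.append(f"From domain {domain_of(sender)} imitates {corporate_domain}")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        # A genuine-looking internal From with an outside Reply-To is the
        # classic pattern when the real address has been spoofed.
        warnings.append(f"Reply-To {domain_of(reply_to)} differs from From {domain_of(sender)}")
    return warnings


if __name__ == "__main__":
    CORP = "example.co.uk"
    # Constructed sample senders.
    for addr in ["finance@example.co.uk", "Managing Director <md@examp1e.co.uk>",
                 "md@example.com", "md@exarnple.co.uk", "accounts@bigsupplier.com"]:
        print(f"{addr:45} {classify_sender(addr, CORP)}")
    spoofed = {"From": "Managing Director <md@example.co.uk>", "Reply-To": "md@examp1e-group.com"}
    for w in header_warnings(spoofed, CORP):
        print("WARNING:", w)
```

The check deliberately compares only the first label of the domain, so "example.com" against "example.co.uk" is flagged as well as misspellings; a mail gateway rule or a mailbox add-in can run this on every inbound message and hold anything marked "lookalike" or carrying a Reply-To mismatch for a human to verify.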
This is happening, and it is happening to businesses like yours today.
Whilst the above example is probably the most common, there are other variants. The common signs to look for include (but are not limited to):-
The email appears, convincingly, to be from:-
- Another member of your staff (especially a senior one)
- A client
- A supplier
They involve money transfer requests:-
- Requesting bank account details
- Authorisation to pay invoices
- Requests to engage in email correspondence to discuss transfers
Even the highest levels of security lock-down (with state-of-the-art spam and virus filters) are not preventing many of these attacks getting through. They are very sophisticated and dangerous.
How can you prevent your business being caught out?
The first step is to communicate the threat: give your staff advice and have them take simple actions to protect themselves. For example, hover over hyperlinks to reveal their true destinations before clicking. Staff should also be advised not to respond directly to unexpected requests, however real they may appear (company logos and all), and to check with the apparent requestor in person, or by phone on a number you already hold rather than one taken from the email, if they are at all suspicious. By implementing these simple communication methods, your staff can enforce a level of protection day to day.
However, our suggested best form of defence is to introduce, and/or reinforce, your own internal staff process and procedure for security: "checks and balances". These processes should be followed at all times, even if the request comes from a Director, Managing Partner etc., as it is precisely these individuals who are most commonly targeted.
We have seen it happen.
There are also technical security improvements that can be made to your IT systems. These include (but are certainly not limited to) implementing a quality email filtering system from a reputable supplier. It is also very wise to publish a Sender Policy Framework (SPF) record in your company's DNS, listing the mail servers allowed to send on behalf of your domain, so that emails are far harder to spoof from your own domain name. Note that SPF only protects your own domain: it does nothing against a lookalike domain the attacker has registered themselves, and it only helps when the receiving mail system actually checks it, so it complements rather than replaces the staff procedures above.
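To show what an SPF record actually does when a receiver evaluates it, and where it stops helping, here is an added example written for this article (not Taylor Made's code). The zone data in TXT_RECORDS, the domain names and the IP addresses are constructed (documentation ranges) so the check runs offline; a real receiver looks the TXT record up in live DNS. Only the ip4, ip6, include and all terms are handled.

```python
"""Minimal SPF evaluator over constructed DNS records.

Added example for this article, not Taylor Made's code. TXT_RECORDS, the
domain names and the IP addresses are constructed so the check runs offline.
Only ip4, ip6, include and all are handled; a, mx, ptr, exists and redirect=
need live DNS and are reported as permerror here.
"""
import ipaddress

# Constructed TXT records standing in for live DNS lookups.
TXT_RECORDS = {
    # Strict policy: only the listed ranges may send, everything else fails.
    "example.co.uk": "v=spf1 ip4:198.51.100.0/24 include:_spf.bulkmailer.test -all",
    # A third-party mailer's record, pulled in via include:.
    "_spf.bulkmailer.test": "v=spf1 ip4:203.0.113.0/26 ~all",
    # Weak policy: ~all only softfails, which most receivers do not reject on.
    "weak.example.co.uk": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=TXT_RECORDS, depth=0):
    """Return the SPF result for a message whose envelope sender is at
    `domain` and which was handed over by the host at `sender_ip`."""
    if depth > 10:  # RFC 7208 limits the chain of DNS-querying mechanisms
        return "permerror"
    record = records.get(domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for this domain at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            return "permerror"  # not handled in this example
        if "=" in term:  # other modifiers (exp=) do not affect the result
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network membership is False across address families, so an
            # IPv6 sender never matches an ip4 term and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208: including a domain with no record is a permanent error
        else:
            return "permerror"  # a, mx, ptr, exists need live DNS
    return "neutral"  # record ended without an all term


if __name__ == "__main__":
    for domain, ip in [("example.co.uk", "198.51.100.7"),
                       ("example.co.uk", "203.0.113.20"),
                       ("example.co.uk", "192.0.2.1"),
                       ("weak.example.co.uk", "192.0.2.1"),
                       ("examp1e.co.uk", "192.0.2.1")]:
        print(f"{domain:22} from {ip:15} -> {check_spf(domain, ip)}")
```

Two things worth noticing in the output. The same unauthorised host gets "fail" against the -all record but only "softfail" against ~all, and many receiving systems deliver softfails, so publish -all once you are sure every legitimate sender is listed. And the lookalike "examp1e.co.uk" returns "none": your SPF record is never consulted for a domain you do not own, and the attacker will publish a passing record for theirs. SPF also checks the envelope sender, not the From header the reader sees, so a visible From of your domain can still be forged unless DMARC alignment is enforced on top of it.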
Taylor Made is in a position to assist and provide advice on how to secure your IT systems, and this forms a large part of our strategic engagement with our customers. However, it is important to highlight that these attacks take advantage of organisations' own business security policies, abusing them with email as the medium (in the past many gangs used the phone to convince people to part with confidential information).
Do not assume this will not happen to you. Take action now and make sure your staff are aware.
We have seen real examples of companies that have parted with many thousands of pounds, so we are advising vigilance and a detailed review of the controls you have in place.
For further information on IT Security or our Strategic Support Solution, itBusinessCare, please do not hesitate to contact us on 01329 239900.