Phishing, spear phishing and whaling
Urban myth: SMEs are not targets of cyber attacks
You might think that your SME wouldn’t be a target for cyber criminals simply because larger companies offer greater opportunities, but you’d be very wrong.
Such complacency could be very expensive.
The total loss to SMEs from online fraud in 2015 was calculated at £9bn, whilst a 2016 survey of 1,000 SMEs by the Tungsten Network revealed that 50% of them had received suspicious emails or had fallen victim to cyber fraud and the average loss was £1,658. One sixth of all survey respondents had lost more than £5,000.
You’d think that we’d all have become wise to this type of criminal activity, but it would appear to be far from the case: Verizon’s 2016 Security Breach Report highlights that phishing emails (see below for more information) remain an effective route into an organisation’s IT and financial infrastructure. One third of phishing emails were opened by recipients and ten percent even opened the attachments, leaving their PCs and networks open to infection and subsequent fraudulent activity.
2015 saw a significant increase in fake invoices, viruses arriving as bills and invoices, and other fraudulent activity including other demands for payment.
So, what are the threats?
A phishing email purports to come from a respectable source (it could be a bank, PayPal, eBay, a colleague, etc.): it looks legitimate, contains an action that you have to carry out and an apparent link to the relevant website.
However, clicking the link actually takes you to a malicious website that looks like the proper thing, but which has actually been set up by the criminals with the intention of tricking you into entering confidential data (think bank log-ins or credit card details), or which will download malware to your computer that will start recording keystrokes (to capture bank access codes, credit card details, and so on).
It’s really easy to do – here’s a link that looks like it would take you to our website, Bristol IT Company, and yet, if you hover your mouse over the link, you’ll see the real destination.
Spear phishing attacks are not carried out by random attackers: they will have done their research. These attacks take email fraud to the next level by targeting specific organisations, or individuals within a business, with highly plausible emails, again trying to gain access to confidential data, IT systems and networks. These more targeted emails tend to look more genuine than simple phishing emails – the grammar and spelling will be far better, for example, and they may address the recipient correctly (the bulk phishing ones often get even that wrong).
Whaling, a.k.a. whale phishing, takes attacks to a new level. Rather than going after multiple, small payoffs, the cyber criminals are on the lookout for significantly larger successes: catching one-off whales rather than lots of minnows.
They’ll diligently research an organisation to find out who the board members are, and understand the senior management structure. This means they can specifically impersonate executives with highly plausible emails. Their actual targets are usually lower down the organisation – people expected to do what they are asked by the management.
They might hack into the email system, enabling them to send an email from a legitimate email address, or they’ll register domains that are very similar to those of the company under attack, where the difference may not be easily noticed: @bristolticompany.com or @bristolitcompany.co rather than the genuine @bristolitcompany.com, for example.
The email would typically be made to look as if it’s been sent by one of the executives, and go to someone fairly junior in the finance department, directing them to push through a payment to a supplier. The supplier might be real, and so might the executive, but the payment will go to a criminal’s account, from where it vanishes.
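As an added illustration (not part of the original post), here is a small Python check a defender could run over inbound mail: it flags sender domains that are one character off or a TLD away from the genuine @bristolitcompany.com, and automates the “hover your mouse over the link” test from earlier by comparing a link’s visible text with its real destination. The trusted-domain list and the sample message body are constructed assumptions.

```python
import re
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"bristolitcompany.com"}  # assumption: this organisation's genuine domain(s)

def _one_char_off(a, b):
    """Equal-length strings differing by one substitution or one adjacent transposition."""
    if len(a) != len(b):
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                           and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an email address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Same name under another TLD (.co for .com), or one character off (bristolti...).
        if domain.split(".")[0] == good.split(".")[0] or _one_char_off(domain, good):
            return "lookalike"
    return "unknown"

class _Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Host named by a URL, or by link text that looks like a domain, minus any 'www.'."""
    m = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", s.strip(), re.I)
    return re.sub(r"^www\.", "", m.group(1).lower()) if m else None

def mismatched_links(html):
    """The 'hover over the link' check automated: hrefs whose visible text names another host."""
    p = _Links()
    p.feed(html)
    return [h for h, t in p.pairs if _host(t) and _host(h) and _host(t) != _host(h)]

SAMPLE_HTML = (  # constructed sample message body, not from any real email
    '<p>Pay at <a href="http://bristolticompany.com/pay">www.bristolitcompany.com/pay</a>'
    ' or email <a href="https://bristolitcompany.com/contact">Bristol IT Company</a></p>')
```

Link text that is plain prose (such as “Bristol IT Company”) names no host, so only links whose displayed address disagrees with the real one are reported.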
They fought the law… and the law lost!
In a cheeky variation on whaling, cyber criminals have even been successful in attacking the networks of a number of conveyancing solicitors.
They followed up genuine emails to house buyers (containing payment instructions for deposits) with almost identical emails “apologising” for a clerical error and giving changed bank account details. So the money went from the innocent and unwary house buyer into the criminals’ accounts instead of the solicitor’s, stealing many thousands of pounds in one go.
How your company can avoid being phished
- Have technology in place to look out for suspicious emails.
- Be alert all the time.
- Scam emails may even carry authentic-looking “Scanned by AVG” messages to try to fool you into thinking they are safe.
- Regard your inbox as a potential danger zone and trust nothing.
- Take note of how key organisations address their genuine emails to you, so you can spot fraudulent mistakes.
- Always hover your mouse over a link before clicking it, so that you know where your click will take you.
- If unsure, manually type the correct domain into your browser rather than clicking on a link.
- Be mindful of the information you post on social networks.
- Be suspicious of requests for money transfers and payments that ask for secrecy or come with any pressure to act quickly.
- Never open attachments from unknown, untrusted or unexpected senders.
- Always be suspicious of changes to payment instructions: seek clarification/confirmation, preferably by phone, using contact details you already have.
- Educate all of your staff about the threats and risks (check out our Security eLearning page).
- If in doubt – phone the sender: we know it’s a pain but the pain’s a lot less than the possible loss.
Significantly, data security companies such as Sophos have an excellent track record in detecting the fraudsters and preventing serious damage. Antivirus software can and should catch hacking and key-logging attempts, depriving hackers of the specific information they need to be convincing.
It’s a fast-moving combat zone, and one in which the “free virus scanning” solutions are unlikely to be able to keep up. It’s always worth considering the downside risks of just one of these attacks being successful: if not the actual loss, there may also be significant reputational damage, especially if you are a solicitor!