Phishing has become more common and more sophisticated on the internet as users and attackers become more savvy. While the standard Nigerian Prince (aka Nigerian 419 scam) is still present, most people are aware of it and no longer fall for it. E-mail filters catch these with high certainty, and even those that make it through the filters get caught by the untrained user in most cases.
The two most common causes of fraud we see reported to us are CEO Fraud and Spear Phishing from an acquaintance.
CEO Fraud comes in many forms, and increases in prevalence when new team members come on board. As CEOs and other high-level positions are announced in the news, criminals frequently use this information to their advantage, knowing that no individual wants to upset the new boss.
This type of attack may come in many forms, but a common one is an email that looks like it came from an executive and is sent to someone in charge of sending money. There is usually an urgency in the request, making one feel as if normal process controls can be skipped. Further, unless the account is compromised, the message might display the executive’s name in the header, but the e-mail address won’t match. Look at the sender; if it doesn’t make sense, it’s clearly not legitimate. Call them to verify (and don’t use the phone number in the message).
Another common way to identify CEO fraud is by looking at the email sender: if the sender doesn’t look right, it probably isn’t. An email sent by “John Smith, CEO United Way X <bettyford13574@yahoo.co.jp>” isn’t from John Smith, as neither the user (bettyford13574) nor the domain (yahoo.co.jp) is what you would expect to see. But if the domain and sender look good, it may still be a spear phishing attack from a compromised account.
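The sender check described above can also be automated at the mail gateway. The following is an added example, not part of the original article: it flags messages whose display name uses an executive's name while the address is outside the organization. The domain unitedway.example, the executive list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example, not values from the article: the organization's
# own mail domain and the executive names worth protecting.
ORG_DOMAINS = {"unitedway.example"}
EXECUTIVES = {"john smith"}

def normalize(name):
    """Lower-case a display name and reduce it to single-spaced words, so
    'John Smith, CEO United Way X' still contains 'john smith'."""
    return " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())

def check_sender(raw_message):
    """Return a list of findings for the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return ["From header is missing or cannot be parsed"]
    domain = address.rpartition("@")[2].lower()
    words = normalize(display)
    claims_exec = any(re.search(rf"\b{re.escape(name)}\b", words)
                      for name in EXECUTIVES)
    if claims_exec and domain not in ORG_DOMAINS:
        return [f"display name uses an executive's name, but {address} "
                f"is not an organization address"]
    return []

# Constructed sample messages; the first reuses the sender from the text above.
SPOOFED = ('From: "John Smith, CEO United Way X" <bettyford13574@yahoo.co.jp>\n'
           "Subject: Urgent wire transfer\n\nPlease send today.\n")
INTERNAL = ('From: "John Smith" <john.smith@unitedway.example>\n'
            "Subject: Board agenda\n\nSee attached.\n")
OUTSIDER = ('From: "Betty Ford" <bettyford13574@yahoo.co.jp>\n'
            "Subject: Hello\n\nHi.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("internal", INTERNAL),
                       ("outsider", OUTSIDER)]:
        print(label, check_sender(raw) or "no finding")
```

An empty result only means the display name and address are consistent; a message sent from a compromised internal account passes this check, which is why the call-back verification still applies.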
Standard scams are easier to identify, as the messages are not personalized. Any email opening of “Hello User” should trigger immediate concern, as the sender should know your name and use it.
Spear Phishing attacks are personalized and targeted. The attacker may have breached the other individual’s e-mail account, read prior messages, and know what standard protocols look like. They can easily go through the sent folder, see what a prior wire transfer looks like (or other message), and send a fraudulent wire transfer request to accounting on your behalf. Or, they can send you a link to a document that generates a bogus OneDrive login page, and steal your username and password.
As noted in the CEO fraud section above, follow standard protocols and contact the individual by some other means to verify the legitimacy of the request. If you receive a message from someone you know with a link in it, be suspicious if the link results in a page requesting your username and password. Once an attacker has your account credentials, they can pretend to be you, send messages in your name to others in the organization, and further the scam.
How to Protect Yourself and United Way
Security isn’t something you have; it’s layered and a shared responsibility. No single solution is enough, and multiple layers of protection (Defense in Depth) are the best practice. Upic handles many of these practices on your behalf, but by working together we’ll create an even stronger defense, protecting you and your United Way.
Operational Security, or OpSec for short, is one line of defense. Know that you are being targeted for attack at all times. Take steps to protect yourself.
A common theme we see with many organizations is that they publish contacts on their website. This practice allows the criminals to readily get the names and contact information of targets for spear phishing attacks.
If names of individuals and contact information (e-mail, phone numbers, etc.) are published on your website, we recommend starting a conversation internally about whether or not that is needed. Publishing names, titles and phone numbers makes it trivial for an attacker to call or e-mail someone, pretending to be someone else in the organization.
Further, consider internal processes that are in place. How do you verify that a request is legitimate and protect yourself from accidentally wiring money to an attacker? How do processes today account for the risk of future attacks, like Deep Fakes, that are on the horizon?
Security Awareness Training
Training users to identify threats must be an organizational requirement. While technical controls are important, everyone should be educated in how their actions can impact their personal and work security.
Last year we added a Security Awareness Training program, giving users annual training and continuous testing to measure program success and help identify who needs additional training. This program is available and recommended if you don’t have one in place today.
If you don’t want to subscribe to our offering, or another commercially available one, consider using the training material made available by PagerDuty. It’s free and, while not as comprehensive as our offering, significantly better than doing nothing.
Multi-Factor Authentication, MFA (or Two-Factor Authentication/2FA), is a technique where logging into a system requires a username, along with typically a password and another identifier to gain access. By requiring something you have (a physical device) and something you know (a password), someone cannot gain access to a system without getting your username, password AND a physical device (your cell phone, for instance). Implementing MFA will virtually stop all phishing attacks from successfully compromising an account.
While Upic has been using MFA for years now, we would encourage all organizations to consider implementing MFA on Office 365 accounts. MFA can be enabled on a per-user basis, and requires users to have a smartphone supporting the Microsoft Authenticator application (any recent Android or iPhone would work). Submit a ticket to the Member Services for assistance in setting up or trialing MFA at your United Way.
Why do I care?
You are a target. Remember, attackers are after all accounts at your organization, and your personal accounts. No matter your role, if an attacker breaches your account they can pretend to be you and use that to attempt to breach another account at your organization in your name.
Money and reputation are at stake. The attacker can pretend to be you, and will attempt to take money from you, your organization, or phish somebody else from your account; and if they can’t get money, they’ll try to take any information they get access to, to extract value from it. Billions of dollars are at stake.