9 October 2019

Common Phishing Threats In 2019

One of the most common ways that hackers and cybercriminals obtain your sensitive data is through ‘phishing’. Similar to the activity of catching real fish with lures, phishing aims to disguise electronic communications as trustworthy or highly attractive in order to deceive unsuspecting victims on their personal devices. 

Generally speaking, a phishing attack will attempt to look and feel like a message from an existing, trusted contact of yours, and is usually constructed as an email. By borrowing the same images, colors, fonts, and layouts, cybercriminals can almost exactly replicate a company’s email style to deceive its employees or network of partners. That’s how Target was famously attacked: through an HVAC company that worked with them.

Over the years, cybercriminals realized that people were less risk-averse and less vigilant when handling their work emails than their personal emails. Through that vulnerability, phishing attacks have cost companies millions of dollars in stolen funds or damage, and many of those companies are based in North America.

In order to protect your business from such a threat, it’s important that you work with your IT Managed Service Provider for protective software, written protocols, and employee training. The potential cost of not doing so is far too great to ignore.

Thankfully, many of the most successful phishing attacks can be relatively simple to spot with a little education. Here are some of the common attempts to look out for at your company:

Requests for Gift Cards

Around two-thirds of enterprise-based phishing scams are an attempt to have employees buy gift cards for their boss or colleagues. The reason for this is clear – employees don’t often ignore a direct request from the boss, and because the request is for a gift, they are less likely to tell their colleagues about it. If a cybercriminal can get access to your team’s email addresses and send them all an email at the same time, there is a high chance at least some of those emails will work. Commonly requested gift cards include Apple, Amazon, Steam, and Walmart.

This type of phishing attack is troublesome because it can target almost any employee, whereas most other phishing scams will be tailored to those in charge of payments and credit cards (such as the Accounting or Finance departments).

The best way to counter this scam is to ensure any purchase requests are confirmed before processing. So, if your boss “requests” a gift card purchase, simply call and ask for verbal confirmation. Another way is to double-check the sender’s email address and compare it to your boss’s or colleague’s known and trusted email address; often they will differ.

Change requests from vendor to update payment information

This style of phishing attack is more personal and more catastrophic. A cybercriminal will target an individual at a company, usually in finance, and pretend to be one of their suppliers or vendors. They will often come up with a reason for needing to update your payment information, which appears to be completely innocent and standard for business.

In fact, Saskatoon city hall in Canada lost over $1M to a similar fraud in 2019, a large sum for a municipality. The emails themselves would have been very difficult to identify as a phishing scam, so the best preventative measure in this case is to ensure your company has strict protocols around the sharing of sensitive information, including financial details. In these situations, information shouldn’t be shared readily over email – instead, the requester’s identity should be confirmed and details should only be shared over already established, trusted lines of communication. Ideally, any payment changes require verbal confirmation and approval.

Change request from an employee to update payroll

Similar to the supplier/vendor scam, another common phishing attack is for the cybercriminal to pose as an employee and ask the finance team to update their payroll information. Usually they will impersonate a senior employee, such as a CRO or CMO, and email the payroll officer with a brief but urgent-sounding message to reroute their next paycheck to a new account.

Of course, it’s not the employee, and the new account is usually offshore. As many companies started to put policies in place for large sums and wire transfers, cybercriminals decided to change tactics and seek smaller sums such as paychecks. They will often set up fake email addresses using free services like Gmail, then use the employee’s real name to make it look legitimate.

If in doubt, always call the person asking for such a change, and remember that most of the time an employee doesn’t actually need an urgent re-routing of such sensitive information. 
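The address comparison recommended above for gift card and payroll requests can be partly automated at the mail gateway. The following is an added example, not part of the original article: it flags messages whose display name matches a known employee while the sending address differs from the trusted one. The directory entries, domains and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> known, trusted address (assumption).
DIRECTORY = {
    "dana whitfield": "dana.whitfield@example-corp.test",
    "lee okafor": "lee.okafor@example-corp.test",
}
# Illustrative list of free webmail domains; extend for your environment.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def normalize(name):
    """Lower-case and collapse whitespace so 'Dana  Whitfield' still matches."""
    return " ".join(name.lower().split())


def check_sender(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    trusted = DIRECTORY.get(normalize(display))
    findings = []
    if trusted is None:
        return findings  # display name is not a known employee; nothing to compare
    if address != trusted:
        findings.append("display-name-mismatch")
        if address.rpartition("@")[2] in FREEMAIL:
            findings.append("freemail-impersonation")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Dana Whitfield" <dana.whitfield.ceo@gmail.com>\n'
    "To: payroll@example-corp.test\n"
    "Subject: Urgent: update my direct deposit\n\n"
    "Please route my next paycheck to the new account today.\n"
)
GENUINE = (
    "From: Dana Whitfield <dana.whitfield@example-corp.test>\n"
    "To: payroll@example-corp.test\n"
    "Subject: Q3 headcount\n\nNumbers attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw))
```

An exact match on the From address does not prove a message is genuine, since that header can be forged; this check covers only the lookalike-address case described above and does not replace verbal confirmation.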

These are just a few of the many cleverly disguised phishing attacks that plague businesses across North America. Usually they can be thwarted with smart yet strict protocols and policies that your business should adhere to.

About Red Rhino

Red Rhino provides Managed IT Services, Support and Consulting to businesses in Vancouver and the Fraser Valley including Abbotsford, Langley, Surrey, Burnaby, Richmond, Coquitlam, Delta, and White Rock.