
Tag Archives: phishing

Recruitment Firm Falls for a Phishing Scam

Social engineering involves the use of deception to manipulate individuals into carrying out an act such as transferring money, handing over confidential information, or clicking on a malicious link, and it’s causing serious financial harm to organizations around the world.

Any organization that transfers funds electronically can be susceptible to social engineering attacks, which can result in the company mistakenly transferring funds to fraudulent third parties. However, it’s not always businesses themselves that are tricked into transferring funds, but their customers. In some cases, fraudsters will impersonate a business, intercept communications between the business and a customer, and fraudulently redirect funds that were due to be paid to the business for the goods or services it provided. This can potentially result not only in strained relations with customers but also, in many cases, with the business being left out of pocket for the money that was owed.

One of our policyholders affected by such a loss was a recruitment and staffing firm. The firm provides recruitment services across a range of industries, including banking, insurance, manufacturing, and technology, and the positions that the company helps to fill range from entry-level jobs to senior executive roles.

Credential phishing opens floodgates
The scam began when a member of the recruitment firm’s accounts department fell for a credential phishing email. Credential phishing emails are used by malicious actors to try to trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this instance, the recruitment firm’s employee received an email purporting to be from a spam filtering service. The email explained that some of the employee’s outbound emails had been blocked by the spam filter, but it went on to explain that emails coming from the employee’s account could be unblocked if the employee clicked on a link and verified his email address by inputting his details.

Not wanting to have a situation where important invoices to external clients were blocked by this spam filtering service, the employee clicked on the link and entered his email login details to verify the account. Unfortunately for the recruitment firm’s employee, however, he had unwittingly handed his credentials to a fraudster.

To make matters worse, the recruitment firm did not have multi-factor authentication enabled for remote access to all company email accounts. This meant that the fraudster was able to gain access to the employee’s account remotely without having to go through a second verification procedure, such as inputting a verification code or number. This allowed the fraudster to peruse the employee’s email account, monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

What the fraudster found was that as part of his role within the recruitment firm’s accounts team, the employee was expected to send over invoices to client businesses following the successful placement of a candidate at the hiring company, with the recruitment firm charging a percentage of the newly employed candidate’s salary as commission.

Spotting an opportunity, fraudster pounces
The fraudster was clearly waiting for a lucrative opening to appear, and as it happened, the employee was in correspondence with a client business operating in the technology sector, which the recruitment firm had recently helped to hire a Chief Operating Officer. Following the successful placement of the candidate for the role at this company, the recruitment firm’s employee in the accounts department had sent over an invoice for $77,000 to the technology company. Having spotted an opportunity, the fraudster chose this moment to strike.

The first step was to set up a forwarding rule in the employee’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails meeting certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a rule that meant that any emails featuring the technology company’s domain name were immediately marked as read and sent directly to the employee’s deleted items folder, so the employee never saw the client’s replies.
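A rule like the one described above leaves a clear trace in the mailbox, and auditing rules for that trace is one of the cheapest ways to catch this kind of account takeover early. The script below is an added example, not code from the original post or from CFC or ABEX: it runs over a constructed export of one user’s inbox rules (the field names such as `move_to`, `mark_read` and `forward_to` are assumptions, not any particular mail platform’s API) and flags rules that hide mail from a single counterparty, mark it read before hiding it, or forward it outside the firm’s own domain.

```python
"""Audit mailbox rules for the hiding/redirection pattern in the case study.

Added example, not code from the original post or from CFC/ABEX. Rule
records are constructed to resemble a generic export of a user's inbox
rules; the field names are assumptions, not a particular vendor's API.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "recruitfirm.example"  # constructed placeholder for the firm's own domain

# Folders a user rarely looks at, so a rule that routes mail there effectively
# hides it (the case above used Deleted Items).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}


@dataclass
class InboxRule:
    owner: str                                       # mailbox the rule lives in
    name: str                                        # rule display name
    conditions: dict = field(default_factory=dict)   # e.g. {"from_domain": "client.example"}
    actions: dict = field(default_factory=dict)      # e.g. {"move_to": "Deleted Items", "mark_read": True}


def rule_findings(rule: InboxRule) -> list:
    """Return human-readable reasons a rule looks like mailbox tampering (empty if none)."""
    findings = []
    a = rule.actions
    folder = str(a.get("move_to", "")).strip().lower()
    hides = folder in HIDING_FOLDERS or bool(a.get("delete"))
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{a['move_to']}'")
    if a.get("delete"):
        findings.append("deletes matching mail")
    if hides and a.get("mark_read"):
        findings.append("marks mail as read before hiding it")
    fwd = str(a.get("forward_to", "")).strip().lower()
    if fwd and not fwd.endswith("@" + INTERNAL_DOMAIN):
        findings.append(f"forwards mail to external address {fwd}")
    if findings and rule.conditions.get("from_domain"):
        # Scoping a hide/forward rule to one counterparty is the invoice-redirection signature.
        findings.append(f"scoped to counterparty domain {rule.conditions['from_domain']}")
    if findings and len(rule.name.strip()) <= 2:
        findings.append("near-empty rule name")
    return findings


def audit(rules) -> dict:
    """Map 'owner/rule name' -> findings for every rule that raised at least one."""
    flagged = {}
    for r in rules:
        reasons = rule_findings(r)
        if reasons:
            flagged[f"{r.owner}/{r.name}"] = reasons
    return flagged


# Constructed sample export: one benign filing rule, one internal forward,
# and two rules of the kind an intruder would add.
SAMPLE_RULES = [
    InboxRule("ap.clerk@recruitfirm.example", "Newsletters",
              {"from_domain": "news.example"}, {"move_to": "Newsletters"}),
    InboxRule("ap.clerk@recruitfirm.example", "Copy finance",
              {"subject_contains": "invoice"}, {"forward_to": "finance@recruitfirm.example"}),
    InboxRule("ap.clerk@recruitfirm.example", ".",
              {"from_domain": "techclient.example"}, {"move_to": "Deleted Items", "mark_read": True}),
    InboxRule("ap.clerk@recruitfirm.example", "backup",
              {}, {"forward_to": "archive.mailbox@freemail.example"}),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the audit flags only the two intruder-style rules: the single-character rule that marks the technology client’s mail read and drops it in Deleted Items, and the rule that forwards everything to an address outside the firm’s domain. In practice the same checks would be run on a scheduled rule export across all mailboxes, with any hit routed to the accounts team for confirmation before an invoice or bank-detail change is acted on.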

The next step was to send an email from the employee’s account to the technology company. In the email, the fraudster explained that the recruitment firm had recently changed banks and that the previous invoice had mistakenly included the details for the firm’s old account. The email went on to say that the new bank account details could be found on the new invoice attached and that the payment for the recent placement of the Chief Operating Officer should be sent to the new account instead.

In order to ensure that the request looked legitimate, the fraudster used exactly the same invoice template as before, including the same company address and logo, with the only difference being the addition of the new bank account details. The fraudster also ensured that the new email formed part of the original email chain, as well as adding some subtle touches, such as mimicking the employee’s writing style and including the employee’s email signature to sign off the email.

With the email forming part of the original email chain and coming from the recruitment firm’s employee’s genuine email address, along with the same invoice template as before, the individual responsible for processing the payment at the technology company never doubted the legitimacy of the request. Assuming that the new account details were valid, the client business paid the $77,000 owed and believed that the matter was now settled.

It was only several weeks later, when the recruitment firm’s employee noticed that the invoice remained unpaid and contacted the technology company via phone, that the scam was revealed. The technology company contacted its bank and tried to see if the transfer could be recalled, but unfortunately it was too late and the funds had already been removed from the fraudulent account.

With the funds deemed unrecoverable, this meant that the money owed to the recruitment firm remained unpaid. However, as it was the recruitment firm’s employee who had had his email account hacked, and as the request to change the bank account details had come from his genuine email account and appeared to be legitimate, the technology company did not accept responsibility for the lost funds and was not willing to pay the invoice a second time, leaving the recruitment firm out of pocket to the tune of $77,000.

Fortunately, however, the recruitment firm was able to recoup the lost funds under the cyber crime section of its cyber insurance policy with CFC, which provides cover for social engineering style losses such as this.


Source: www.cfcunderwriting.com


Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registry Authority recently published a survey of businesses who use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.

© Zywave, Inc. All rights reserved


Spear Phishing: Targeted Cyber Crime

“Phishing,” a type of cyber attack in which a hacker disguises him- or herself as a trusted source online in order to acquire sensitive information, is a common scam that can put employees and businesses at risk. However, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. When attacks contain personal information, they are much more difficult to identify as malicious.

For businesses, the potential risk of spear phishing is monumental. The 2015 Internet Security Threat Report released by Symantec Corporation, a company that specializes in security software, states that, globally, 5 out of every 6 large employers were targeted in spear phishing attacks in 2014, and that there was an average of 73 spear phishing email attacks per day.

How to Protect Your Business

Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to your business. For example:

  • Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone. In a Web browser, you can tell that a website is using an encrypted connection when you see a lock icon in the URL bar, or when the address begins with “https” rather than the normal “http”; the “s” stands for “secure”.
  • Some spear phishing schemes use telephone numbers, so be sure to never share information over the phone unless you initiate the call to a trusted number.
  • Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
  • Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
  • Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.
  • Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.
© Zywave, Inc. All rights reserved.

