Protecting Against Phishing and Spear-Phishing Attacks

Most people have been on the receiving end of Phishing attacks. Phishing is an email-based fraud attack where the sender appears to be a trusted source that the recipient may interact with – a bank, a credit card company or a mobile phone firm are common examples. The email may ask the recipient to provide sensitive data, or link to a website login or password reset form, often in an effort to gain account credentials.

Spear-phishing is an email-based fraud attack where hackers impersonate senior company executives or trusted partners to steal funds, gain access to sensitive business data or login credentials. Whilst phishing campaigns frequently send emails to many people and hope to catch a few, spear-phishing campaigns are highly targeted.

Spear-phishing often involves mandate fraud, where someone gets you to change a direct debit, standing order or bank transfer mandate. They do this, by pretending to be an organisation you make regular payments to, for example a subscription, membership organisation or business supplier.

In this scenario, as a business you are contacted by someone pretending to be one of your suppliers and told they have changed their bank. They ask you to amend the direct debit or payment details to reflect this. As a result the bank mandate is amended to the account that was provided. Unaware, you are subsequently contacted by your genuine supplier asking what has happened with the expected payment.

This type of fraud is usually targeted and involves perpetrators gaining knowledge about the victim beforehand in order to make the scam more convincing. For example, an urgent payment request that appears to come from a senior employee within your organisation might coincide with that individual going on leave. Fraudsters piece together lots of small details, such as employee leave details or supplier names, in order to create convincing narratives that carry a higher chance of tricking victims.

Increasingly we see cyber-criminals targeting poorly secured email accounts to gain specific knowledge of victims and their partners.

What can you do to protect yourself?

There are several common ways to spot to phishing emails.

• Inconsistencies in email addresses, company domain names and URLs.
• Frequently, the domain in the sender’s email address is not an exact match for the genuine company.
  URLs in the text of an email may not match the actual link address, which can be seen by hovering the mouse cursor over the link.
• Requests to enter personal information into forms on a website are unusual from legitimate companies.
• Phishing emails often use the threat of negative consequences to pressure recipients to act. Messages may suggest that users must login to prevent money from being lost, accounts from being closed, or legal action from being taken against them.
• Many phishing emails include misspelled words, unusual language and poor grammar.
• Less targeted phishing emails will typically not use the recipient’s name within the email, using a salutation like “dear customer” instead.

Spear-phishing emails can be harder to spot

Spear-phishing email recipients are usually higher value targets who have the potential of providing data or taking actions that can deliver a significant amount of money, access or data to the attackers. Because of this, attackers may research targets and use information from the web and social media to allow them to write a emails with sufficient enough detail that the recipient believes it’s from a trusted source. An email may be part of a spear-phishing attack if:

• It makes an urgent request for the recipient to share information, download a file, initiate a wire transfer or open an attachment.
• The domain in the “from” address is not an exact match of the company’s domain – small changes that are easy to miss on a quick inspection e.g. john.doe@multiple.com might become john.doe@multilpe.com
• The email contains “disguised links” where the link’s real address (which can be seen by hovering the cursor over the link) is different than the text for the link that appears in the email.

Unfortunately, phishing tips alone can’t protect an organisation from phishing and spear-phishing attacks 100% of the time.

That’s why EJC recommends anti-phishing technology as part of a comprehensive solution for email security, archiving, continuity and compliance. We use a cloud-based subscription service from Mimecast. Their anti phishing software scans all inbound email in real-time to look for anomalies in headers, for domain similarity and for suspect content in the body of an email. Mimecast also inspects character sets in the email domain name to look for differences that users may not be able to spot. Suspect emails can be discarded, quarantined or sent onto the user with a warning that the male may be suspicious.

Practical steps to avoid mandate fraud

And in addition to being vigilant and using technology to mitigate the risks, follow take these practical steps to avoid Mandate fraud:

• Verify all invoices, as well as requests to change bank account details.
• To check that a request is legitimate, contact the supplier directly using established contact details you have on file. Never use any of the contact details contained within letters/emails received.
• Request verification that might include both the previous and new bank account information, details of previous invoice values, references and payment dates.
• Don’t reply to the emails which request the change; whilst many email addresses appear genuine often there is a minor change. Either start a new email chain by entering the email address, checking the address character by character, or by finding an old email you know is genuine and starting a new chain from there.
• Don’t feel pressured to disclose information. Bank Mandate Frauds are often accompanied by routine conversation followed by a ‘switch in tempo’ and an urgent request. Nothing is so time critical that it can’t wait until you have verified who you are dealing with.

Finally, as we mentioned, hackers frequently target email accounts. So take these steps to protect your email:

• Always use strong passwords
• Secure accounts with multi-factor authentication
• Where available enable account protections that look for suspicious behaviour and patterns
• Ensure devices that have access to your email are also secured using passwords and encryption and any installed software regularly updated