Pseudo-authorities try to phish
In this part of our series on business communication security we look at attackers who phish by pretending to be supervisors or managers. This type of phishing, often called CEO fraud, is widespread and extremely dangerous.
Real example
The latest example, from last week, in which a finance worker transferred USD 25 million, is still under investigation, but the money is probably gone. An enormous amount of effort was obviously put into this attack. Most cases are less spectacular, but the risk is always high.
The attacker sent the finance worker an email in which he pretended to be the CFO. The employee was suspicious at first and identified the email as phishing. Later, a video meeting took place in which he saw his CFO and other colleagues he knew personally. In the meeting the supposedly suspicious email was confirmed as genuine, and the finance worker transferred the money. It then turned out that the meeting had been a deepfake: the attacker had probably used AI to reproduce the faces and voices of the CFO and the colleagues convincingly enough that the finance worker recognized them.
You can read more about the incident on CNN. https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html
This is a very unusual case. Let's look at the two methods attackers commonly use.
The fraudulent e-mail attack
An employee receives an email that appears to come from their supervisor or manager; a public authority is also a plausible sender. The email may ask the employee to disclose confidential information such as passwords, login details or financial data, or it may ask them to click a malicious link or download an infected attachment.
We have already covered this in our anti-phishing post. Often these mails are easy to spot as phishing attempts or are caught by the spam filter. Cryptographically signed email (S/MIME or PGP), which lets the recipient verify who really sent a message, would also help; note that encryption alone does not prove the sender's identity. However, we should never rely on these measures completely. If an email asks for potentially harmful action, always check with the supposed sender, and use a different channel for that check (a phone number you already know, not the contact details given in the email). Face-to-face contact is best.
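The "check the sender carefully" advice above can be partly automated. The following script is an added example written for this post, not code from the original article or from any product it mentions. It runs a few of the checks a mail gateway or a cautious recipient applies to a suspected boss-impersonation mail: does the display name belong to a known executive but the address does not match, is the sender domain external, does Reply-To point somewhere else, is there no DMARC pass, and does the body use pressure language. The company domain, the executive directory and both sample messages are constructed for the example.

```python
"""Heuristic checks for emails that impersonate a supervisor or manager.

Added example for illustration only. TRUSTED_DOMAIN, EXECUTIVES and the
two sample messages below are constructed, not real data.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAIN = "example.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed directory: display name -> real address
PRESSURE = re.compile(
    r"\b(urgent|immediately|right away|confidential|wire|transfer)\b", re.I
)


def analyze(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    if not addr:
        findings.append("no sender address in From header")
        return findings
    domain = addr.rsplit("@", 1)[-1]

    # Display-name spoofing: the name of a known executive on a foreign address.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        findings.append(f"display name '{name}' belongs to {known} but address is {addr}")

    # Lookalike or completely external domains.
    if domain != TRUSTED_DOMAIN:
        findings.append(f"sender domain {domain} is external")

    # A Reply-To that differs from From silently redirects the conversation.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # The receiving gateway records SPF/DKIM/DMARC results in this header.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        findings.append("no DMARC pass in Authentication-Results")

    # Urgency and secrecy are the classic levers of this kind of fraud.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in PRESSURE.findall(text)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


# Constructed sample: executive's name on a lookalike domain, no authentication.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: jane.doe@examp1e-mail.com
To: finance@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=none; dkim=none; dmarc=none

Hi, I need you to transfer 25,000 EUR immediately. This is confidential.
"""

# Constructed sample: genuine internal mail that passes DMARC.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=example.com; dmarc=pass

Please send me the Q3 summary when you have a moment.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", analyze(raw) or ["no findings"])
```

These checks are heuristics, not proof: an attacker who has taken over a real executive mailbox passes every one of them, which is exactly why the out-of-band confirmation described above is still required before money moves.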
The social engineering attack
An attacker poses as a supervisor or manager and contacts an employee by phone or via messaging or social media apps such as WhatsApp. They claim to have an urgent request and press the employee to act immediately, for example by making a money transfer or disclosing confidential information. We have already talked about social media security and noted that phishing via social media channels is common.
In general, always check the sender information carefully. Be wary if your superiors appear to contact you from unknown phone numbers. It depends on the company, of course, but it is rather unlikely that superiors will ask you to do something business-critical via social media.
Do not comply with such demands until they have been confirmed by the superior through a channel you trust. If the superior cannot be reached in person, contact their deputy or another manager. This protects not only the company but also you.
What else?
Attackers are extremely creative in luring their victims into traps, as the many variants besides email phishing show:
Vishing: this attack is carried out over a phone call, hence the "V" (for "voice") instead of the "Ph" in the name.
Spear phishing: targets a specific group or a person with a specific function, e.g. a company's system administrator.
and so on.
It is important to highlight that cybercriminals are constantly developing new tactics.
Conclusion
What are we going to do now?
We have already taken a step in the right direction: we have raised our awareness of this kind of threat. However, we still need to look into the issue further. A holistic approach with regular training and up-to-date security measures is key to protecting effectively against pseudo-authorities.
P.S.
If you have fended off an attack, ask your superior or manager to inform the IT department. Depending on the type of attack, IT can block the sender's addresses, domains or phone numbers on the mail gateway or phone system, which may prevent a repeat attack.