Hardly a day goes by without an email arriving in our inbox with an attached payment advice from some unknown third party, claiming funds are about to be deposited regarding a transaction we know nothing about.
Today it appeared to be from the Indonesian branch of Sumitomo Bank. The sender’s address looked legitimate and, like a scratch card or a lottery ticket, it is so very tempting to take a closer look at this potential “windfall”.
Opening the attachment will definitely reveal a surprise. In its simplest form it will ask for more information so that the transaction can proceed, what is known as “phishing”. At worst it will contain ransomware or other viruses which have the potential to cost you thousands, immobilize your systems and possibly even destroy your business.
Evidenced by the frequency of these emails, the maritime sector, with its multitude of documents and different parties, is unfortunately now recognised as a fertile hunting ground by a growing number of scammers, “phishing” being used by many of them. In this article we look at the increasing regularity of these attacks, what to watch out for, the various types of phishing and how to protect against them.
What is it?
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. (Courtesy of http://www.phishing.org/what-is-phishing)
Some key phishing statistics from Proofpoint’s 2019 Report Protecting People: A Quarterly Analysis of Highly Targeted Attacks are:
Features to watch out for
Email remains by far the top means of attack by fraudsters, and it depends on human fallibility to succeed. Attackers exploit our curious nature, our weakness for a good deal and the speed of communication and, with that, the pressure to respond quickly.
Make sure everyone in your organisation is aware of danger signals that should help protect against the scammer who is determined to steal from or damage your business. Examples of these include the following:
IT’S TOO GOOD TO BE TRUE
Most business people will know who owes them money and to whom they owe money. If you receive an email from someone you don’t know – which should arouse suspicion anyway – saying they are about to transfer funds, it’s most likely too good to be true. The chances are there will be an attachment – which the scammer claims is some form of bank advice – that, on the contrary, contains quite the opposite of good news, most probably a virus. Don’t be tempted to open it, even out of curiosity, especially if it’s a zipped file. The flip side of this, again targeting the curious, is an email with an invoice attached from a “supplier” you don’t know, claiming that you owe them money. These tend to arrive during holiday periods when staffing is low or staff are covering for those on vacation. Whilst on the subject of invoicing, it seems opportune to mention the following, most dangerous, variant:
This time imagine your email service has been hacked and the scammer is watching the correspondence in and out. Sadly, this is not so uncommon these days; we probably all know someone whose account was taken over, and we received an email saying they were stranded in a foreign country needing money to get home. The scammer looks out for emails with invoices attached, both incoming and outgoing. At its most basic, the scammer intercepts an email from your supplier, substitutes the invoice having changed the bank details to their own, and then sends it on to you. You think it’s from your supplier and pay the money to the wrong account. To counter this, make sure your accounts department seeks confirmation for all changes to payee details – first with a phone call to a member of the supplier’s staff whom they know, then confirmed in writing. Alternatively, one of your own invoices is substituted, your own bank details are changed to theirs and money intended for you ends up in the scammer’s account. Hopefully your customer will have internal controls in place, but for some protection you should consider making a bold statement on invoices and statements that there will be no changes to banking details without a separate, authorised statement being issued.
BADLY WORDED EMAILS
MISSPELT EMAIL ADDRESSES AND DOMAIN NAMES
Often there is a legitimate reason for the sender address and the reply address to differ; many of the newsletters we receive on a daily basis have such characteristics. However, again in an effort to convince the recipient that the sender is the legitimate company, a scammer can fake the sender’s address by changing the message header. It’s more difficult, or even impossible, to change the reply address, and so the recipient should watch out for such differences when replying to emails – it may well be a scammer sending the email and not who you thought it was.
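The two header checks described above, a reply address that does not match the sender address and a sender domain that is a near-miss spelling of a domain you trust, can be automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the article; the message, the domains ending in .example and the trusted-domain list are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message: the display name claims to be a bank, the From
# domain swaps "m" for "rn" in the real bank's domain, and Reply-To points at
# an unrelated webmail domain.
SAMPLE_RAW = """\
From: "Sumitomo Bank Indonesia" <advice@surnitomo-bank.example>
Reply-To: payments@free-webmail.example
To: accounts@shipping-co.example
Subject: Payment Advice - TT Ref 0009123
Content-Type: text/plain

Please find attached the payment advice for your reference.
"""

# Assumed allow-list of domains the recipient actually does business with.
TRUSTED_DOMAINS = {"sumitomo-bank.example"}


def domain_of(header_value):
    """Lower-cased domain from an RFC 5322 address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero distance to a trusted domain is a lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_signals(raw_message, trusted=TRUSTED_DOMAINS):
    """Return warning strings for the From/Reply-To mismatch and lookalike-domain patterns."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    signals = []
    if reply_dom and reply_dom != from_dom:
        signals.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for good in trusted:
        d = edit_distance(from_dom, good)
        if 0 < d <= 2:  # identical is fine; 1-2 edits away is the classic misspelling
            signals.append(f"From domain {from_dom} resembles trusted domain {good} (edit distance {d})")
    return signals
```

Run `phishing_signals(SAMPLE_RAW)` to see both warnings fire; a mailbox rule can quarantine or tag any message that produces one.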
TIMING, A SENSE OF URGENCY
OTHER WARNING SIGNS
The different types of phishing
The cybercrime known as “phishing” is where the scammer poses as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Phishing is so widespread now that there are categories defining the different variations, some of which are described below. Each relies on human fallibility, which is why education and awareness is critical for the protection of organisations and individuals.
“Every individual and every employee in your organisation needs to be aware of phishing and to expect to be targeted, sooner or later”
It is interesting to see from the Proofpoint Report: The Human Factor 2018 at what times of day employees are most likely to respond to phishing emails, statistics that may help when communicating the nature of these risks.
Across all regions, 52% of clicks were found to occur within one hour of a message being received and within one minute of receipt 11% had already clicked on a malicious message. In North America the most vulnerable times are at the beginning of the day and lunchtime. In Europe employees are more likely to click at the start of the day, gradually reducing as the day progresses.
For those in your organisation who don’t know about the existence of these scams, make them aware.
“Remain vigilant at all times”