Attackers who use phishing as a breach method typically send email messages crafted to look as if they come from a company you do business with, such as a bank or other financial institution, or from a web service you use.
Common Phishing Attack Tactics
Although the general perception is that phishing emails look fake and anyone can spot them by simply scrolling through the message, attackers and their tactics have evolved considerably since the 1990s.
Here are some of the most common phishing attack tactics used today:
- Your friend sends you an email from a foreign country asking for money to get back home because he lost his wallet.
- Malicious websites hidden behind a fake news story about a trending topic; “naked celebrity photos, click to see more” is a typical example.
- Warning from the FTC (Federal Trade Commission) or the FDIC (Federal Deposit Insurance Corporation) about the current state of your bank insurance coverage.
- Ransom emails with explicit threats against the recipient or someone in their close circle.
- “Confirm your complaint.” But I haven’t submitted one … (click) … malicious website. If you haven’t filed a complaint, don’t click links in emails claiming you have. Simple as that.
Corporate Phishing Examples
Since 2010 more than 15 thousand businesses have lost around €465m to phishing attacks. Some of the biggest names on this list include companies such as Michelin and Nestle.
The biggest fraud was for €32 million, and a further €830 million could have been stolen if more phishing attacks had proved successful.
Ubiquiti Networks is a US-based company in the wireless networking industry, so you would assume it maintains a fairly strict security culture. Even if it did, phishers still managed to take slightly less than $40 million through the Bogus Boss Scam.
The Bogus Boss Scam
Carole Gratzmuller and her company Etna Industrie were victims of a fairly unusual phishing scam. An email was sent to the accountant, using Ms. Gratzmuller’s name, saying that Etna Industrie was buying a company in Cyprus.
The email was worded so that the accountant would not want to contact her boss directly, since the deal had supposedly already been approved by her.
The accountant’s goal in this case was to get the job done as quickly as possible, because she believed that was what her boss wanted.
The Carole Gratzmuller case is an example of a newer type of phishing scam called Bogus Boss Fraud: a sophisticated variation on the old phishing emails that claimed to come from one of your friends.
The CEO scammers’ procedure is to contact a member of the target firm’s accounts team, spin them a line about a secret takeover deal, and then tell them that a large sum of money needs to be transferred from the corporate accounts without anyone else being told.
No-one likes to gainsay the boss, and scammers take great care to ensure that the emails they send really look as though they come from a senior figure in the company. Targets are carefully chosen: senior enough to approve substantial sums, but not part of the decision-making chain that would know whether a deal is real.
Stats Don’t Lie
Even the FBI has joined the hunt for phishing attackers. According to research it conducted over the past two years, Bogus Boss Fraud attacks alone have cost companies worldwide more than 2 billion US dollars.
The largest sum was $90 million, while the average loss accounted for $120 thousand.
Next time you see a message from your boss in your inbox, double check the sender’s actual email address, not just the display name, before sending corporate money anywhere.
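The advice to check the sender’s address can be turned into a mechanical check that an accounts team or a mail filter can apply. The Python script below is an added example and is not part of the original article; the trusted domain etna-industrie.example, the executive list and the three sample messages are constructed for illustration. It flags the three patterns the Bogus Boss cases described above rely on: an executive’s display name on an address outside the corporate domain, a lookalike domain, and a Reply-To header that diverts replies somewhere else.

```python
"""Sender-address checks for suspected "bogus boss" email.

Added example, not code from the article. The trusted domain, the
executive names and the sample messages below are constructed.
"""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Constructed values: the corporate domain and the executives whose names
# a scammer would most plausibly borrow for a display name.
TRUSTED_DOMAIN = "etna-industrie.example"
EXECUTIVES = {"Carole Gratzmuller"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str, trusted_domain: str, executives: set[str]) -> list[str]:
    """Return a list of findings for one RFC 822 message; empty list means no anomaly."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []
    trusted = trusted_domain.lower()

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. An executive's name in the display name, but the address is not on our domain.
    if display_name.lower() in {e.lower() for e in executives} and from_domain != trusted:
        findings.append(
            f"display name '{display_name}' but sender domain '{from_domain}' is not {trusted}"
        )

    # 2. Lookalike domain: the first label is within two edits of ours but the domain differs.
    if from_domain and from_domain != trusted:
        if _edit_distance(from_domain.split(".")[0], trusted.split(".")[0]) <= 2:
            findings.append(f"sender domain '{from_domain}' looks like {trusted}")

    # 3. Reply-To routes the conversation to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        )

    return findings


# Constructed sample messages (headers only matter for these checks).
LEGIT = (
    "From: Carole Gratzmuller <c.gratzmuller@etna-industrie.example>\n"
    "To: accounts@etna-industrie.example\n"
    "Subject: Supplier invoice\n\n"
    "Please settle the attached invoice by Friday.\n"
)
FREEMAIL = (
    "From: Carole Gratzmuller <carole.gratzmuller@webmail.example>\n"
    "Reply-To: carole.gratzmuller@webmail.example\n"
    "To: accounts@etna-industrie.example\n"
    "Subject: Confidential acquisition\n\n"
    "I am travelling; please wire the deposit today and keep this between us.\n"
)
LOOKALIKE = (
    "From: Carole Gratzmuller <c.gratzmuller@etna-lndustrie.example>\n"
    "Reply-To: deals@cyprus-takeover.example\n"
    "To: accounts@etna-industrie.example\n"
    "Subject: Cyprus deal - urgent transfer\n\n"
    "The board has approved; transfer the funds to the account below.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("freemail", FREEMAIL), ("lookalike", LOOKALIKE)):
        print(label, check_sender(raw, TRUSTED_DOMAIN, EXECUTIVES))
```

Run it directly to see the findings for each sample; the legitimate message produces none, the free-mail impersonation one finding, and the lookalike-domain message all three. None of these checks proves a message is fraudulent, but any non-empty result is a reason to confirm the request with the executive through a channel other than replying to the email.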