Phishing for Fun and Profit

Phishing is one of the most common criminal frauds reported at the moment. Attacks are becoming ever more sophisticated, with criminals going to greater lengths to succeed. Over the past couple of years, use of the fraudsters’ favourite tactic has doubled, so how exactly does it work?

In a phishing attack, a criminal sends you an email or other electronic communication such as an instant message, pretending to be someone you trust. The message tries to persuade you to give the criminal money or information they can use to gain access to or control of your network.

The phishing attack may use another tactic called email spoofing, in which the sender address shown on the criminal’s email is forged to look the same as, or very similar to, the address of someone you trust.

Phishing attacks can be very basic generalised emails, or they can be much more targeted.

  • Spear phishing is directed at an individual or a small group of people, such as all of the staff in a company’s accounts department.
  • Whaling uses the same type of tactic, but in this case the criminals are (as the name implies) going after the big fish, such as your Managing Director or senior financial staff.

In either case, the criminal responsible for the attack will have done some research on the target; perhaps looking at the company website, checking other company information online, or even calling the target company posing as a potential client or supplier.

A recent example saw an accounts clerk contacted in an email by her Managing Director and asked to make a payment to a supplier, as quickly as possible. The email even mentioned that another staff member in the accounts department, who would normally process the payment, was off on sick leave. The criminal had gone to the trouble of researching the names of people in the relevant departments and then called the company and asked about them, which gave them additional and very useful information. This is a classic piece of Social Engineering. Thankfully, the accounts clerk smelled a rat and called us for advice. We immediately spotted that the real sender was not the MD and that the email address had been spoofed. Lots of companies haven’t been as lucky, and this type of crime is now a multimillion-pound criminal industry.
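The kind of check that catches the spoofed address in the story above, added here as an illustration and not code from Active IT: it reads the From and Reply-To headers and flags a known display name paired with the wrong address, a sender domain that imitates the company’s own (look-alike characters or a single changed letter), and replies routed to a different domain. The company domain, the MD’s address and the sample message are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed values for this example: the company's real domain and the
# address the Managing Director actually writes from.
TRUSTED_DOMAIN = "active-example.co.uk"
KNOWN_SENDERS = {"managing director": "md@active-example.co.uk"}
# Character pairs that look alike on screen and get swapped in spoofed domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def edit_distance(a, b):
    """Levenshtein distance; catches one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when the domain is not ours but could pass for ours at a glance."""
    domain = domain.lower()
    if domain == TRUSTED_DOMAIN:
        return False
    folded = domain
    for twin, real in CONFUSABLES:
        folded = folded.replace(twin, real)  # 'exarnple' -> 'example'
    return folded == TRUSTED_DOMAIN or edit_distance(domain, TRUSTED_DOMAIN) <= 1

def check_sender(raw_message):
    """Return the reasons a message's sender looks spoofed (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"'{name}' normally writes from {expected}, not {addr}")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} imitates {TRUSTED_DOMAIN}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower().rsplit("@", 1)[-1] != domain:
        findings.append(f"replies would go to {reply}, not back to the sender")
    return findings

# Constructed sample message of the kind described in the article.
SAMPLE = """From: Managing Director <md@active-exarnple.co.uk>
Reply-To: payments@free-mail.example

Sarah is off sick, so please pay the attached invoice today."""
```

Running `check_sender(SAMPLE)` returns three findings for the sample; a genuine message from md@active-example.co.uk with no Reply-To returns an empty list.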

You can act to reduce your exposure to this kind of crime and we are here to help you toughen up your security.

Here are a few tips from our own security experts at Active IT:

  • Think about what kind of information you publish online. Do you really need to identify all your staff with a job title and photograph? Remember that a good deal of information can be drawn from Companies House and other official and publicly available documentation.
  • Keep your IT User policies and your Financial Control policies up to date and ensure that these are read and understood. Your staff can be your greatest weakness, or your best defence against crime.
  • Develop a security policy to cover communication of company information. Should you really be telling cold callers which staff member handles financial transactions, credit card payments or purchasing? You’d be amazed how easy it can be to get this information in a casual telephone call.
  • Pay attention to the messages you get from the security systems and software you have in place. They will very often flag up emails which look like fraud attempts.
  • Think about running a security penetration exercise to test your defences in a safe way.