Phishing Awareness

Dear team,

To further enhance our company’s cyber defenses, we want to highlight a common cyber-attack that
everyone should be aware of – phishing.

"Phishing" is the most common type of cyber-attack that affects organizations like ours. Phishing attacks
can take many forms, but they all share a common goal – getting you to share sensitive information such
as login credentials, credit card information, or bank account details.

Although we try our best to maintain controls to help protect our networks and computers from cyber
threats, we rely on you to be our first line of defense.

We’ve outlined a few different types of phishing attacks to watch out for:

• Phishing: In this type of attack, hackers impersonate a real company to obtain your login credentials.
You may receive an e-mail asking you to verify your account details with a link that takes you to an
imposter login screen that delivers your information directly to the attackers.

• Spear Phishing: Spear phishing is a more sophisticated phishing attack that includes customized
information that makes the attacker seem like a legitimate source. They may use your name and phone
number and refer to [COMPANY NAME] in the e-mail to trick you into thinking they have a connection to
you, making you more likely to click a link or attachment that they provide.

• Whaling: Whaling is a popular ploy aimed at getting you to transfer money or send sensitive
information to an attacker via email by impersonating a real company executive. Using a fake domain
that appears similar to ours, they look like normal emails from a high-level official of the company,
typically the CEO or CFO, and ask you for sensitive information (including usernames and passwords).

• Shared Document Phishing: You may receive an e-mail that appears to come from a file-sharing site like
SharePoint alerting you that a document has been shared with you. The link provided in these e-mails
will take you to a fake login page that mimics the real one and steals your account credentials.

What You Can Do

To avoid these phishing schemes, please observe the following email best practices:

• Do not click on links or attachments from senders that you do not recognize. Be especially wary of .zip
or other compressed or executable file types.

• Do not provide sensitive personal information (like usernames and passwords) over email.

• Watch for email senders that use suspicious or misleading domain names.

• Inspect URLs carefully to make sure they’re legitimate and not imposter sites.

• Do not try to open any shared document that you’re not expecting to receive.

• If you can’t tell if an email is legitimate or not, please [INSERT COMPANY PROTOCOL].

• Be especially cautious when opening attachments or clicking links if you receive an email containing a
warning banner indicating that it originated from an external source.

Thanks again for helping to keep our network, and our people, safe from these cyber threats. Please let
us know if you have any questions.

Regards, [NAME]

DEFINITION OF BUSINESS E-MAIL COMPROMISE
Business e-mail compromise (BEC) is when an attacker hacks into a corporate e-mail
account and impersonates the real owner to defraud the company, its customers,
partners, and/or employees into sending money or sensitive data to the attacker’s
account.

BEC is also known as a “man-in-the-email” attack. This is derived from the “man-in-the-
middle” attack where two parties think that they are talking to each other directly, but in
reality, an attacker is listening in and possibly altering the communication.

HOW BUSINESS E-MAIL COMPROMISE WORKS

A BEC scam starts with research. An attacker will sift through publicly available
information about your company from your website, press releases, and even social
media posts. He/she might look for the names and official titles of company executives,
your corporate hierarchy, and even travel plans from email auto-replies.

The attacker will then try to gain access to an executive's e-mail account. To remain
undetected, he/she might use inbox rules or change the reply-to address so that when
the scam is executed, the executive will not be alerted.

Another trick is to create an e-mail with a spoofed domain. For example, the attacker
might use john.smith@samp1e.com instead of john.smith@sample.com,
or john.smith@believeme.com instead of john.smith@beleiveme.com.
If you do not pay close attention, it is easy to get fooled by these slight differences. One
of the most famous spoofed domain tricks ever was the “PayPa1.com” – a scam site
imitating money transfer website Paypal.com.

After scouting corporate communications for some time, the attacker will probably have
a good idea of scam scenarios that might work. For instance, if the company has a lot of
suppliers, he/she can send invoices to accounting for the rush payment of materials.
The attacker would know who is responsible for wire transfers and be able to craft a
convincing scenario that would require the immediate transfer of funds.
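The look-alike domain and reply-to tricks described above can be checked mechanically before a message reaches the finance team. The following is an added example, not part of the original document: a small Python check that folds common homoglyphs (1 for l, 0 for o), measures the edit distance of the sender's domain from the company's own domain (assumed here to be sample.com, as in the text), and flags a Reply-To that diverts answers away from the From domain. The sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate domain for this check (taken from the text's example).
TRUSTED_DOMAINS = {"sample.com"}

# Characters attackers swap for look-alikes: 1 for l, 0 for o, 5 for s, 3 for e.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})

def normalize(domain: str) -> str:
    """Lower-case the domain and fold common look-alike characters (rn -> m too)."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits separating a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def check_message(raw: str) -> list:
    """Return findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    # Look-alike: not one of our domains, yet within two edits of one after folding.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(normalize(from_dom), normalize(trusted)) <= 2:
                findings.append(f"look-alike sender domain {from_dom} ~ {trusted}")
    # A Reply-To on another domain silently redirects the conversation.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings

# Constructed sample message, not a real capture.
SAMPLE = """From: John Smith <john.smith@samp1e.com>
Reply-To: john.smith@mail-relay.example
Subject: URGENT wire transfer
"""
```

Running `check_message(SAMPLE)` yields two findings: the folded sender domain is zero edits from sample.com, and the Reply-To points elsewhere.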

MOST VULNERABLE TYPES OF BUSINESS E-MAIL ADDRESSES

While a BEC scam can target anyone in the company, high-level executives and people
working in the finance department are the most likely targets. According to Krebs on
Security, phishing attacks that spoofed the CEO or company director were among the
most costly scams reported in 2016. “Whaling” and “CEO Fraud” are two emerging
terms used to describe the phenomenon of targeting high-level executives, and are
typically more difficult to detect than traditional phishing scams since they are so
targeted.

EXAMPLES OF BUSINESS E-MAIL COMPROMISE

Some of the most prevalent examples of BEC scams are:

• The fraudulent invoice scam is when a cybercriminal uses an employee's e-mail to
send notifications to customers and suppliers asking for payment to the cybercriminal's account.

• The fake boss scam is when a fraudulent email is sent from a business executive’s
account to employees instructing them to urgently transfer money from the corporate account to
the criminal's account.

• The fake attorney scam is when a lawyer's e-mail address is used to contact clients,
asking that they pay money immediately to keep things confidential.

However, business e-mail compromise attacks do not only involve money; sometimes,
attackers seek PII or trade secrets.

SCOPE OF BUSINESS EMAIL COMPROMISE

One high-profile BEC case involved a Lithuanian cybercriminal that used the e-mail
addresses of suppliers. Companies that were targeted include Apple and Facebook. By
impersonating suppliers, the hacker was able to steal $100 million in two years. In
another case, the FACC AG CEO was fired after such an attack cost the
company $54 million.

Business e-mail compromise attacks have already cost U.S. businesses at least $1.6
billion in losses from 2013 to the present. According to the Federal Bureau of
Investigation, that number could easily be as high as $5.3 billion around the world.

In 2016, there were at least 40,000 incidents of business e-mail compromise or other
incidents that involve e-mails—an increase of around 2,370% since January 2015. In
the second half of 2016 alone, the FBI reported more than 3,044 victims in the United
States, with a combined loss of around $346 million.

Where does most of the money go? Most of the victims are told to send the money to
an Asian bank, usually in Hong Kong or China, or a bank in the United Kingdom.

BEST PRACTICES FOR PROTECTING AGAINST BUSINESS EMAIL COMPROMISE

Business e-mail compromise attacks are successful for three main reasons:

1. Insufficient security protocols

2. Social engineering

3. Lack of employee awareness

Multi-factor authentication should be implemented as an IT security policy. This will help
prevent unauthorized access to e-mail accounts, especially if an attacker attempts to log in from
a new location. In addition to stronger security protocols, employee education is also
important. Employees should be trained to identify fraudulent e-mails. Always be
skeptical of urgent and rush money transfer requests, especially from C-level
executives, and verify those requests out of band, either by phone or in person.
