Notice: New attempt at phishing
By Diana Donohue
In recent months, ransomware senders have attempted to trick people into opening Word documents that look like invoices or receipts. The newer variant instead appears to come from an irate customer disputing a charge that shows your company’s domain name (yourcompany.com, for example). A Word attachment is included, which very likely carries some form of malware. Some spam filters will block this, but not all, and in any case the senders will become more savvy and find ways to bypass such filters. The body of the email typically reads as follows:
What is this ****ing charge on my card?
I never visited or bought anything from your company.
I have attached a screenshot of my statement.
I want my money back!!!
I have attached my card statement, please get back to me ASAP.
Resist the urge to open the attachment. Contact your company’s helpdesk or fraud alert line if you receive this type of email. If it arrives at your personal email, delete the email without opening the attachment.
Have you heard of people being “harpooned”, taken in by a cyber whaling attack? A whaling attack is a type of phishing directed specifically at senior executives and other high-profile targets within businesses, where the masquerading web page or email takes a more serious, executive-level form. The email may appear to be from an executive or director of the company (CEO, CFO, board member, etc.) emailing a member of the finance department to request a money transfer out of the company. Or it may be written as a legal subpoena, a customer complaint, or an executive issue. Whaling phishermen have also forged official-looking FBI subpoena emails, claiming that the manager needs to click a link and install special software to view the subpoena.
These types of attacks are increasing substantially and have generated billions of dollars for fraudsters in the past two years.
How can you protect against whaling attacks?
- Have good processes and controls in place for all payments, such as separation of ordering and payment processes, using approved purchase requisitions, paying based on an invoice, etc.
- Educate executives to not deviate from such standard payment processes within their company.
- Encourage an open and transparent company culture where a member of the staff (especially from HR or Finance) can call the CEO or CFO directly to check on questionable items.
- Learn how to identify potential threats and attacks.
- Educate executives and staff on the nature of such attacks and what to look for.
- Watch for odd requests, wording that doesn’t sound like it’s from the sender, typographical errors, links that don't make sense to normal everyday communications, and attachments that are not generally sent by the purported sender.
- Be suspicious of all unsolicited email.
- Never click through links or open an attachment in an email message from someone you don't know -- unless you initiated the email exchange.
- Implement email-embedded digital signatures throughout your company in addition to other security tools, such as spam filters, firewalls, and intrusion detection and prevention systems.
- If an email appears to come from a colleague but seems suspicious, check with the sender to make sure he or she actually sent it.
- Reinforce good behaviors when staff check to confirm the legitimacy of email requests, and otherwise follow appropriate policies and procedures.
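As an added example (not part of the original notice), here is a small Python screen that applies the warning signs above to a raw email: it flags the irate-customer lure quoted earlier (complaint phrases plus a Word attachment) and the whaling pattern of an executive's display name on an outside mailbox. The company domain, the executive list, the phrase list and the sample message are all constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed for this example: your own domain and the executives whose names a
# whaling email is most likely to borrow (display name -> their real mailbox).
COMPANY_DOMAIN = "yourcompany.com"
EXECUTIVES = {"jane doe": "jane.doe@yourcompany.com"}
# Phrases from the lure quoted above; a hit is a signal, not proof of phishing.
COMPLAINT_LURE = re.compile(r"charge on my card|money back|card statement|asap", re.I)
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf")

def screen_message(raw: bytes) -> list[str]:
    """Return the warning tags raised by one RFC 5322 message (empty list = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Whaling: the display name is an executive but the mailbox is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append("executive-name-mismatch")
    # A Word attachment on an unsolicited complaint is the pattern in the notice.
    if any((p.get_filename() or "").lower().endswith(OFFICE_EXT)
           for p in msg.iter_attachments()):
        findings.append("office-attachment")
    # Complaint wording lifted from the lure; checked on the plain-text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body and COMPLAINT_LURE.search(body.get_content()):
        findings.append("complaint-lure")
    return findings

# Constructed sample: the irate-customer lure with a Word attachment.
SAMPLE = b"""From: Angry Customer <angry@example.net>
Subject: What is this charge on my card?
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I have attached my card statement, please get back to me ASAP.
--b1
Content-Type: application/msword; name="statement.doc"
Content-Disposition: attachment; filename="statement.doc"

xx
--b1--
"""
```

Run `screen_message(SAMPLE)` to see the tags raised for the sample; a message that raises none is not thereby safe, so the tags are meant to route mail for a human check, not to replace one.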