Phishing scams are not uncommon. Years ago, the "Nigerian Prince" versions of phishing attacks targeting as many people as possible, hoping to get a few people to fall for it. These days, cyber criminals put in a bit more effort and do their research on their potential victims first.
We’ve seen a phishing scam going around recently targeting companies will high-level employees who are out of office (we’ve even experienced it first hand). The scammers are using this as an opportunity to try to get lower level employees to wire large sums of money to this.
Recently, a customer of ours was targeted by this kind of scam. Here’s what happened to this them:
1. The CFO posted about being out of office on social media accounts.
2. The scammer sent the CFO a gibberish email to get an out of office reply. Like most people, the CFO had a backup contact listed in her out office reply.
3. The scammer sent a phishing email to the backup contact, which appeared to be from the CEO. The email said “The CFO is out of the office. I need to you to wire $25,000.”
Thankfully, the backup contact had been through our data security training and recognized this as a phishing scam and did not transfer the funds.
We experienced what we believe is someone targeting us for a similar scam. Some of our team attended the Microsoft Inspire Conference. While out of the office, the team that went (including our CEO), posted about the conference on social media accounts.
Within a few minutes of each other, both our marketing manager and CEO received gibberish emails from the same email address. Another email (from a different sender) was sent to the CEO along with several other people at other companies – all of whom were likely to be at the same conference.
The scammer then emailed several other leadership team members in our organization (likely using our team page on our website or LinkedIn to find out who to target).
For us, the scam stopped at the point of sending of the gibberish emails. Most of our team either don’t use an out of office, or we gave our Support email as an alternate contact when out of office. The scammer may just have given up when they didn’t get an easy target – especially since it seems like in our case, they were targeting multiple companies at the same conference.
Another version of this scam we’ve seen in the past appears to be from the high-level employee who is out of office. The email will claim they’ve lost their wallet and needed someone to send them money via wire transfer.
We’ve also seen scammers ask for files instead of money. These typically go to HR team members and ask for personnel files, which the scammers can then sell on the black market. These also tend to raise less red flags since they’re aren’t outright asking for a large sum of money.
What You Can Do
When you’re going to be out of the office, take a few precautions. Be careful about telling others when you’re not there. If you can, avoid posting about it on social media account. Consider not using an out of office or not giving an alternate contact.
Realistically, that’s not going to be possible for most people, especially if you’re in a customer-facing position. If that’s you, make sure your alternate contact is aware they may be targeted in a phishing scam and make sure they know what to watch out for (we’ve covered phishing scams and some common warning signs in this blog).
If you do get a strange, gibberish email, sound the alarms to your team to watch out for potential phishing attempts.
Require a verbal confirmation of ANY request for wire transfers or sending of any documents containing sensitive information (requiring a code word can work as an alternative). This is a best practice for all the time since phishing scams aren’t limited to out of office scams.
Phishing scams can target anyone in your organization. Scams like these targeting lower level employees are not uncommon – everyone in your organization should be trained for what to look for and what to do if they believe they’re being targeted by phishing.
If you are a PTG Cloud customer, we can also set up rules in Office 365 to reduce phishing attempts. There are some potential downsides to this approach that need to be taken into consideration – so reach out to your Customer Success Manager to determine if these may work for your business.
If you’re interested in training or testing your employees to see if they can spot a phishing attempt, please reach out to us!