Picture this scenario: A low- to mid-level employee gets an email from the CEO. He needs the lower-level employee to wire him money right away and provides wire transfer information. An important client is upset, and they need this money to keep the client satisfied. Or the CEO is traveling, his wallet was stolen, and he needs money to be able to get a flight home.
The lower-level employee, not wanting to disappoint their superiors or their clients, complies and wires the money quickly and without question. Except it’s not the CEO. It’s a cybercriminal, this was a phishing attack, and now the company is out thousands of dollars.
This scenario plays out all the time in businesses all over the world. Phishing attacks like these prey on your sense of urgency to scam you out of thousands of dollars.
Here’s the thing: Cybercriminals aren’t always the super tech-savvy hackers that they’re sometimes portrayed to be. They’re just skilled at using human nature against you. In many cases, they have also done their research and know who to target.
Most employees want to do good work and fix problems quickly. These are great qualities to have – but they can easily be exploited. If you are in a hurry, you are more likely to make a mistake or miss a red flag – this is what cybercriminals are hoping for.
The attacks don’t need to look exactly like the one described above to prey on your sense of urgency (they don’t even need to be by email – you should take precautions with urgent requests over the phone and in person, too). Some common variations include:
- The same scenario described above, but replace wiring money with sending personnel files or customer files with personally identifiable information. These can be sold for a profit and used to steal identities.
- An email alert from a software system or an app you use for work saying your account will be shut down in 24 hours if you don’t act now. These usually have a link that downloads ransomware or leads to a site that looks legitimate but is used to steal your password. This is a really common scam targeting Office 365 users – we’ve written more about that here.
- An email that appears to come from a co-worker who needs you to look at an attached file ASAP. It could actually be from a cybercriminal imitating your co-worker (and the file is actually ransomware).
Where it gets more difficult to spot is when the attacker has gotten access to a legitimate account (in the case of the CEO impersonation attack, they could gain access to the CEO’s account). They usually get access to the account with a separate phishing attack (like the email alert from Office 365 saying your account will be shut down).
When this happens, the hackers will usually put measures in place to keep anyone from questioning the suspicious behavior. For example, they will create email rules that delete replies from anyone else in the chain who asks questions to verify the request, so that nothing slows down the transfer of funds.
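To make the inbox-rule trick above concrete, here is an added example (not from the original article) that reviews exported mailbox rules and flags the ones that delete mail, especially replies questioning a payment. The sample rules and keyword list are constructed, and the field names assume an export shaped like Microsoft Graph messageRule objects.

```python
# Constructed mailbox-rule export. Field names are an assumption: they follow
# the shape of Microsoft Graph messageRule objects; adapt them to your export.
RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "folder-id-1"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["wire", "verify", "is this legit"]},
     "actions": {"delete": True}},
    {"displayName": "cleanup", "isEnabled": True,
     "conditions": {},
     "actions": {"permanentDelete": True}},
]

# Constructed keyword list: words a colleague would use to question a payment.
VERIFY_WORDS = {"wire", "transfer", "invoice", "payment",
                "verify", "legit", "fraud", "phish"}
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")


def review_rule(rule):
    """Return the reasons a rule deserves a human look (empty list = none)."""
    if not rule.get("isEnabled", False):
        return []
    actions = rule.get("actions") or {}
    if not (actions.get("delete") or actions.get("permanentDelete")):
        return []
    reasons = ["deletes matching mail"]
    conditions = rule.get("conditions") or {}
    if not conditions:
        reasons.append("no conditions: applies to every message")
    phrases = [p.lower() for key in TEXT_CONDITIONS
               for p in conditions.get(key, [])]
    hits = sorted(w for w in VERIFY_WORDS if any(w in p for p in phrases))
    if hits:
        reasons.append("matches verification wording: " + ", ".join(hits))
    return reasons


def suspicious_rules(rules):
    """Map rule name -> reasons, for every rule that was flagged."""
    return {r["displayName"]: why for r in rules if (why := review_rule(r))}


if __name__ == "__main__":
    for name, why in suspicious_rules(RULES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.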
What You Can Do to Stay Safe
You may be asking what steps can be taken to help prevent these attacks. First and foremost, slow down, even when the request you get is urgent. Beyond that, there are a few precautions you should take:
- When someone requests something from you (whether it’s to send them something or to click a link), take a sense of urgency on their part as a red flag. Of course, there are times when people are really in a hurry, but give any urgent request a second look.
- Double check the language and formatting of emails. Poor grammar and spelling should be a red flag. If the request is coming from someone you interact with regularly, pay attention to things like their wording and email signature – does it match what they usually use?
- Double check the sender email and any links in the email before clicking on anything or responding to any requests. Attackers create domains that look like other domains to try to trick you. For example: using emai1domain.com instead of emaildomain.com. At a glance, those can look identical.
- Don’t ever hesitate to contact the parties involved in the email (or your IT team). A 2-minute phone call to make sure the request is legitimate could save you thousands of dollars.
- Require voice-to-voice or in-person confirmation of wire transfers of large amounts of money. Do NOT allow any exceptions to this rule under any circumstances.
- Implement multifactor authentication for every possible application and login. This will prevent cybercriminals from accessing your account and using it in a more significant cyberattack even if they have your password.
- Make cybersecurity training part of your employee training. Social engineering-based attacks, like phishing, don’t always get caught by spam filters (especially when hackers have access to your coworker’s real account). The only way to stop them is by knowing what to look for.
- Foster an open environment around data security throughout your entire organization. Employees need to feel comfortable asking questions and raising a hand when they see something suspicious.
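The sender-domain check from the list above can also be automated. This added example (not from the original article) labels a From header as trusted, lookalike or external; the allow-list and the character-swap table are constructed assumptions, and the check also catches one-letter typos, which goes slightly beyond the emai1domain.com case.

```python
from email.utils import parseaddr

# Constructed allow-list: replace with the domains your organisation really uses.
TRUSTED_DOMAINS = {"emaildomain.com"}

# Swaps that read alike at a glance (multi-character pairs listed first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring whatever the display name claims."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so emai1domain == emaildomain."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str) -> str:
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for header in ("CEO <ceo@emaildomain.com>", "CEO <ceo@emai1domain.com>"):
        print(header, "->", classify(header))
```

A "trusted" result only means the domain matches; as described earlier, a compromised legitimate account passes this check, so the phone-call confirmation still applies.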
Some of these steps may seem like they will slow your productivity down, but that slowdown is nothing compared to the loss of productivity (and money) due to a data breach.