Dear <insert bank here> Customer - You’ve Been Phished!

We've all seen the emails; they look like they're from a legitimate source, maybe your bank, maybe the Financial Director of your company. They're usually simple enough, telling you that you need to verify some information, or that there's some problem with the money. The mail might be addressed to you directly, or be addressed to "Dear Friend". They might be very sophisticated, or simple in form. But they're all doing the same thing – trying to bilk you out of personal and banking information, or your money.

The FBI's Internet Crime Complaint Center (IC3) estimates that in 2014, almost $215 million US dollars were lost to this form of scam.⁠[1] The scams are becoming more sophisticated, and harder to detect. It's easy to fall victim to them, and it's not just individuals that are being targeted. Large companies are losing money and personal information of their employees – even companies that you wouldn't expect. For example, Snapchat, Seagate (the hard drive manufacturer), and Mansueto Ventures (publishers of Inc. Magazine and Fast Company) were recently tricked into sending their employees' payroll and W-2 information out to scammers.⁠[2][3][4] Ubiquiti Networks, Main Line Health, The Scoular Co., and Alaska Native Corp have all lost money after being scammed into transferring funds to offshore bank accounts, totalling into the tens of millions.⁠[5][6][7][8] Even IT security training company KnowBe4 was targeted!⁠[9]

Gone phishing

The latest attack in the news was a very targeted version, called a "spear-phishing attack". It's become so prevalent this tax season that the IRS recently issued a statement explicitly warning people to beware.⁠[10] In this attack, emails are spoofed so as to appear to be coming from the CEO (or COO, or CFO, or a company president or director). They're aimed directly at people in the company that have access to sensitive information, like human resources and financial employees. These emails will often ask for personal information to be sent back, ostensibly for the Officer or Director to review. Wording will sometimes sound like this:

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).

I want you to send me the list of W-2 copy of employee wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

In Canada, they would of course ask for the T-4 slips to be sent. Other emails will ask for funds to be transferred.

Don't process that transfer!

At zu, we've seen this approach first hand. One of our employees received an email that was spoofed to look like it was coming from one of our directors, and read:

Please let me know if you're available to process a transfer (this is a payment going out). And also, what are the information(s) you'll be needing to process it?

Luckily, everyone on the zu team is SMART AS A WHIP, and they knew right away that this was someone attempting the Bad Stuff.

Reeling it in

So how do we protect ourselves against these? Let's look at the example of the attack that was targeted at zu. How did our person know it was a scam?

  1. First, the language. The email didn't have the same cadence and grammar that the person it said it was from normally used (of course, it helped that as a medium-sized company, we all know each other). This is a big first clue in helping to determine if an email is legit, regardless of the company. If it doesn't sound like the language your CEO would use, question it!
  2. Second, procedures. At zu, we have established procedures around purchasing. Usually they're used to help track spending, but in this case, the fact that they weren't followed launched another red flag. If your company has procedures like these, then ask yourself why the requester isn't adhering to them.
  3. Third, training. We IT Gurus at zu have warned everyone in the company about this sort of thing, and our co-worker recalled our talk. Your IT department has probably told you about this sort of thing. If you don't have an IT department, well, you've got us! (This is not an offer of IT service, I just meant this blog post!)
  4. Fourth, communication. Even though this email had all the warning bells ringing, our targeted employee followed up with both me in IT, and the supposed sender. At zu, we're lucky in that we can do this easily; if we ever need to ask our CEO or CFO a question, we can throw something at them. Literally. If you don't have the same relationship with your C-levels, then take it up the chain of command. Ask a co-worker, a manager, or someone in your IT department to give the email the sniff test.
  5. Fifth and finally, analysis. Once we decided that the email was fraudulent, we took a look at the email headers. This quickly confirmed that it was indeed fake; the email had a fake "From:" header, was sent from an email host that definitely wasn't ours, and had a return address to an unknown AOL email.
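The header checks from the fifth step, written out as a small script. This is an added example, not part of the original post or of zu's own tooling: the two raw messages below are constructed (one spoofed, one legitimate), the domains and host names are placeholders, and the list of hosts that legitimately hand mail to the company's mail server is an assumption. It flags the three things the post describes: a "From:" that claims the company domain while the delivering host isn't ours, a Return-Path whose domain doesn't match the From, and a Reply-To that points somewhere else entirely.

```python
import email
import re
from email.utils import parseaddr

# Assumed company domain and the hosts that legitimately hand mail to our MX.
COMPANY_DOMAIN = "example.com"
TRUSTED_SENDING_HOSTS = {"mail.example.com", "smtp.example.com"}

# Constructed spoofed message: the From: claims a company director, but the
# Return-Path and Reply-To belong to other domains and the host that handed the
# message to our MX is not one of ours.
SPOOFED_RAW = """\
Return-Path: <bounce-handler@mailer-example.net>
Received: from relay.mailer-example.net (relay.mailer-example.net [203.0.113.10])
    by mx.example.com with ESMTP id abc123
    for <payroll@example.com>; Tue, 15 Mar 2016 09:12:01 -0600
From: "Director Name" <director@example.com>
Reply-To: director.example@aol-example.com
To: payroll@example.com
Subject: Urgent transfer
Date: Tue, 15 Mar 2016 09:11:58 -0600

Please let me know if you're available to process a transfer.
"""

# Constructed legitimate message from the same director, for comparison.
LEGIT_RAW = """\
Return-Path: <director@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.5])
    by mx.example.com with ESMTP id def456
    for <payroll@example.com>; Tue, 15 Mar 2016 10:00:00 -0600
From: "Director Name" <director@example.com>
To: payroll@example.com
Subject: Lunch
Date: Tue, 15 Mar 2016 09:59:50 -0600

See you at noon.
"""


def domain_of(header_value):
    """Lowercased domain of the address in a header value, or '' if there is none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def handoff_host(msg):
    """Host named in the 'from' clause of the Received: header our own mail
    server wrote, i.e. whichever machine actually connected to us. Received
    headers are read top to bottom; the first one whose 'by' clause is in our
    domain is the hop we care about."""
    for hdr in msg.get_all("Received") or []:
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        if m and m.group(2).lower().endswith("." + COMPANY_DOMAIN):
            return m.group(1).lower()
    return ""


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    host = handoff_host(msg)
    findings = []
    if from_domain == COMPANY_DOMAIN and host and host not in TRUSTED_SENDING_HOSTS:
        findings.append(f"From: claims {COMPANY_DOMAIN} but the message was handed to our MX by {host}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From: domain {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} differs from From: domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(f"{label}:")
        for finding in analyze(raw) or ["no header anomalies"]:
            print("  -", finding)
```

The "Reply-To" check is the one that catches the post's "return address to an unknown AOL email": a spoofed From: is cheap, but the scammer still needs your reply to land somewhere they control, so the reply address is where the real domain tends to show. Run on the spoofed sample it reports all three anomalies; on the legitimate one it reports none.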

Damage control

But, after all that, what if we HAD succumbed to this attack? Well, quick action is needed to limit damage in these cases. The first thing to do is contact your HR and Financial peeps. Then, if it's a money transfer, you need to call your bank and have it stopped. Many banks will hold large transfers for a period of time because of situations just like this, especially if it's being sent to somewhere known to host similar scams. After that, it's to the lawyers, particularly if someone’s personal information is involved... but that's a matter for the HR wizards.

So now you're armed with the knowledge to save yourself and your co-workers from attacks. These attacks are getting more sophisticated all the time, so you'll need it, and you'll need to keep your eyes open for new techniques. Stay safe out there!

References

[1] http://www.ic3.gov/media/2015/150122.aspx
[2] http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/
[3] http://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/
[4] http://www.businessinsider.com/fast-company-employee-data-hackers-email-scam-2016-3
[5] http://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/
[6] http://6abc.com/news/main-line-health-employees-info-compromised-in-email-scam-/1228291/
[7] http://www.omaha.com/money/impostors-bilk-omaha-s-scoular-co-out-of-million/article_25af3da5-d475-5f9d-92db-52493258d23d.html
[8] http://www.adn.com/article/20150506/38m-alaska-native-corp-money-sent-offshore-account-cyberfraud-attack
[9] http://krebsonsecurity.com/2016/02/phishers-spoof-ceo-request-w2-forms/
[10] https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s