Spear Phishing

As long as there have been people, there have been scammers of some kind. Today, cybercriminals use the same technology (email, instant messaging, chats) that helps everyone else in their daily lives. The only difference is that they use it for wrongdoing. The results of a recent JPMorgan Chase company hack prove it. The banking giant fell victim to a spear phishing attack.

As a result of the JPMorgan Chase & Co. hack, over 76 million user accounts were compromised. It is also very likely that other banks were breached by the same attackers. The breach of JPMorgan Chase should serve as a reminder that even large, sophisticated businesses can be breached by today’s phishing expeditions.

Attackers were able to penetrate JPMorgan Chase’s defenses and roam their networks undetected for months, most likely due to one worker who fell victim to a spear phishing attack. Corporate security and hackers are engaged in an asymmetric fight right now. The good guys have to protect the entire enterprise, while the bad guys only need a single point of failure to gain access: just one user has to fall victim to a spear phishing attack and they are in.

The bad guys have the advantage

Anyone can claim to be a Nigerian prince from behind their computer screen and bilk unsuspecting targets of their financial information over email. All it takes is a valid email account – personal or otherwise. With the hacker’s advantage in mind, here are some tips to help avoid spear phishing attacks and prevent the attacker’s access to your firm.

Spear Phishing

Today’s phishing attacks are not the crude, typo-filled emails from Nigeria of yesteryear. Spear-phishers carefully research their targets. They will know your manager’s name, the names of your co-workers, and perhaps the projects you’re assigned to. This knowledge and detail make spear-phishing very effective.

No matter what the nature of an email account is, it is susceptible to all the dangers of the Internet. This is bad news for businesses that use email, and a lot of organizations out there fit that bill to a T. The more that a company uses email, the greater the chance that they will experience a data breach of some kind.

There is really nothing stopping a well-crafted phishing scam from appearing in a corporate inbox and fooling an unwitting employee. Here is a look at three of the email-based scams that could be threatening your business right now:

Vendor identity fraud

According to a report from Virginia TV station WHSV, the Better Business Bureau is warning businesses of a recent scam that targets this daily operation as a way to siphon money from corporate bank accounts. The BBB describes the attack:

As part of your job, you pay invoices for several of your business’s vendors … One day, you receive an urgent email from an executive in your company telling you to change how you pay invoices from a vendor. Instead of sending a check, you now need to wire the money straight to a bank account.

This phishing attack is made possible by malicious hacking. Cybercriminals break into company emails and gain enough information to impersonate one of the organization’s suppliers. Next, they send off the false email that tells some poor admin to wire the payment to the hackers instead of the supplier. This can leave businesses out hundreds of thousands of dollars, depending on the nature of the vendor.

Hackers impersonate branch of FBI

Nobody likes being accused of crimes that they didn’t commit. This is especially true when the FBI is involved. But a new scheme involving the Internet Crime Complaint Center has many people thinking their arrest is imminent if they do not fork over a hefty fine via online transaction – something that is unheard of in real law enforcement agencies and that the FBI has been forced to address. DailyFinance contributor Mitch Lipka wrote:

The emails claim that the victim is the subject of a criminal report and that charges are forthcoming … They are then told that they have one or two days to respond or risk arrest, IC3 said. Those who respond are told they have to send money via prepaid cards if they want to avoid prosecution.

Fooled by “clients”

Lawyers are trained to always read between the lines and examine the fine print in legal documents, but what about in their supposedly secure communications?

This is one concept that has been inadvertently brought up in New Zealand thanks to a scam targeting law firms and their clients. There are plenty of things that can be done over email, but that doesn’t mean that they should be. Client and lawyer communications are one of these things. According to The National Business Review, criminals will pose as either a law professional or someone they currently represent, asking the opposite party to make a payment or carry out a transaction. This puts not only funds but also sensitive information in danger, and it may land a law firm in serious legal trouble.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
