The issue of phishing is widespread. As a process, this form of cybercrime attempts to acquire private information from an individual via email correspondence. The criminal who sends the email pretends to be from a reputable source and asks for a username, password or even credit card details to be shared. The sender will seem trustworthy, the request a fair one. Once these details, or even the money itself, are delivered, you have given access to someone who really shouldn’t have it, and your system or accounts will be breached.
Phishing in general is done en masse, with over 150 million emails sent out globally every day, 8 million of which are recorded as being opened. The reach is vast in these attacks, with damaging software attached to each email sent out in the hope that an individual will download the attachment or click the link.
Targeted phishing is becoming more common as well. This method effectively uses social engineering to find specific targets to attack. The criminal will learn about the individual they intend to dupe and then use that intelligence to their advantage. This build-up of information helps to make the eventual correspondence seem more genuine, the request more plausible. It is through this familiarity that someone can truly be trapped, and the consequences can be extreme.
Leaked Construction Blueprints
One notable example recently involved a manufacturing company that found that its competitors’ construction equipment bore a distinct likeness to its own. Concerned that their blueprints may have been stolen and that other projects may be at risk, they called in a specialist investigation team to track where this important data may have leaked from. Through interviews with employees and stakeholders, the trail eventually led to the company’s chief design engineer.
What the investigators found was that the engineer had been searching for a new job, using the social network LinkedIn to connect and talk with potential recruiters. Social media is notorious for social engineering attacks, something that the engineer was not aware of. After several messages were sent back and forth, the fake recruiter eventually sent the engineer an ‘employee position listing’ document. This attachment contained malware that, when opened, allowed attackers to create a backdoor entrance to his system. This meant access to sensitive company data, including the blueprints.
Interestingly, in this case, the blueprints themselves appear to have been sold to state-owned construction companies in China, leading investigators to presume foul play on the Chinese government’s behalf, rather than through unknown criminals. The whole case was a perfect example of social engineering in action. Through developing trust with an important individual within the construction company, the hackers were then able to access files in a way that wouldn’t seem suspicious. As a high-ranking individual, the chief design engineer had every right to view the data, which is why the fake recruiter’s presence wasn’t immediately obvious.
This is just one particular example, but targeted phishing is possible in a number of different ways. Once personal information has been acquired from a high-ranking team member, any emails sent from them requesting that bills be paid, or money transferred, can seem far more legitimate. Names and addresses make you feel comfortable that you are able to click links and download files too, unaware that they could potentially be vicious malware. Suspicion is crucial. Only by understanding the dangers and questioning the motives of the sender can you feel safe against phishing attacks.
If you are a business owner who is concerned about your employees and how knowledgeable they are around cyber fraud, speak to us today. We can help you to inform and educate your workforce and ensure that all data that belongs to your company stays that way.