A personalised and targeted email, an opportune offer and the impersonation of multiple brands – some of the techniques employed by cybercriminals in a phishing email scam that resulted in a property buyer losing thousands of dollars as part of a ‘deposit’, supposedly for his new apartment.
I recently read about this scam in an Australian Financial Review (AFR) exclusive which detailed how a cyber-attack on online property platform Domain enabled cybercriminals to fraudulently access personal information, including email addresses and phone numbers of customers, along with details of property inquiries made. Scammers then used these details to launch a targeted phishing attack against a customer who had been looking at buying properties in Canberra, using the lure of a new apartment listing.
This phishing scam is a good example of how data stolen from a previous cyber-attack can be used to commit further crimes. Importantly, it’s also a reminder of the power of techniques like social engineering, and a case study on how cybercriminals play mind games and exploit human psychology, to trick users. Attacks like these aren’t new, but their continued success shows that much more can be done to proactively review & enhance our cyber defence measures, including educating our teams about how cybercriminals draw on human nature and daily interactions to trick us. I’ve observed time and time again that the more mundane and believable the approach, the more likely it is to succeed.
The power of social engineering
In 2019, a man in Lithuania pleaded guilty to stealing $123 million by singlehandedly orchestrating widespread business email compromise (BEC) scams that targeted Google and Facebook. By registering a fake company that masqueraded as a legitimate supplier to the two tech giants, he was able to forge invoices, contracts and letters that made his requests appear legitimate to their unsuspecting recipients.
The fact that even two of the most cutting-edge tech giants in the world were susceptible to BEC attacks should serve as a wake-up call for security teams everywhere. These are companies with vast resources and professionals who are likely to have received intensive training in cybersecurity. The lesson is simple – if it can happen to them, it can happen to any company, and with catastrophic and widespread consequences. Even intelligent, cyber-savvy C-suite executives are not safe, when targeted with a cleverly worded, socially engineered email. Smart cybercriminals understand this and often target not only professionals within companies, but specifically the C-suite execs of those companies, knowing they are custodians of large amounts of money & valuable data and are hence lucrative targets.
I’ve seen the gamut of social engineering techniques throughout the course of my career. However, most attacks fall into a few distinct categories. Here are three common ways that social engineering scams (including the one on the Domain customer) trick users. With cybercrime increasingly relying on these techniques, I encourage you to share them with your teams to boost their awareness about how to stay protected:
Using “breadcrumbs of information”
Elaborating on the techniques employed by the phishing email scam which targeted the Domain customer, the AFR article stated that “social engineering relies on human psychology rather than hacking. A criminal can use small breadcrumbs of information to appear legitimate and manipulate somebody into giving up confidential information or, in this case, money”.
Indeed, before launching an attack, scammers typically conduct thorough reconnaissance to gain these “breadcrumbs of information”, including researching the companies and individuals involved, the way they interact and the type of messages they exchange.
A recent BEC scam impersonating construction companies in the U.S. is a good example of this. The FBI warned earlier this year that cybercriminals were sending malicious emails that exploited “construction companies' ongoing, completed, or awarded business relations to defraud their private and public sector clients”.
The cybercriminals behind this BEC scam used “various tactics (including social engineering and phishing) to compromise or impersonate business email accounts with the end goal of redirecting pending or future payments to bank accounts under their control,” the FBI stated.
“To successfully pull off these BEC attacks, the scammers use information collected via online services on construction companies they impersonate and the customers they're targeting. Platforms used for harvesting valuable data (e.g., contact info, bid data, and project costs) include local and state government budget data portals, as well as subscription-based construction industry data aggregators. The information harvested by the attackers allows them to custom-tailor emails designed to exploit the business relationship between the victim and the construction contractors”.
In fact, I’ve seen that in some targeted phishing emails, there is in-depth confidential information within the email that only someone with the right authority would be privy to. This includes the company’s banking details, registration numbers, specific email addresses, and so on. We’ve found hackers are obtaining all this information by gathering data on the company and individuals involved via the Dark Web or from previous data breaches. Information stolen from the Domain cyber-attack, for example, enabled cybercriminals to send phishing emails to a customer about a new apartment listing – a listing which, conveniently, met the customer’s exact requirements.
Besides previous data breaches, much of the information that the attackers require is typically also available from company websites and social networks like LinkedIn. The scammers can gather the organisational structure, contact details, location and role titles of executives and employees. Information like this enables cybercriminals to direct their attacks at specific targets, using language that won’t raise any red flags, like in the example below:
Exploiting current trends
The Australian Competition and Consumer Commission (ACCC) found in its latest Targeting Scams report that “Australians lost over $851 million to scams in 2020, a record amount, as scammers took advantage of the pandemic to con unsuspecting people”.
“We saw scammers claiming the government restrictions meant people could not see items in person before purchase. This was a common ruse in vehicle sale and puppy scams, which both had higher reports and losses,” ACCC Deputy Chair Delia Rickard said.
Cybercrime has always been conscious of local trends, current news and climates – and the COVID-19 pandemic was a good reminder of this. Scams this year continue to be COVID-19 themed, using the pandemic and the disruptions it caused to trick users. Going back to the phishing attack targeting the Domain customer, it is likely that cybercriminals knew he wouldn’t be able to travel to Canberra to inspect the new apartment listing in person. That is probably why the customer didn’t suspect anything was amiss when all apartment details were provided over email (via photos and a YouTube video tour).
Socially engineered scams work because they hack into the minds of users, and unfortunately, right now, the odds of this hack being successful are sky-rocketing. Cybercriminals are exploiting the immensely fragile psychological state of many professionals who are dealing with a torrent of unprecedented challenges triggered by the ongoing COVID-19 pandemic. These professionals are likely navigating changes to work processes while working in remote environments (all against the backdrop of a global health emergency) and may not be able to immediately contact or get in touch with their colleagues to verify the legitimacy of any unexpected, urgent requests. It won’t be surprising for someone in the finance department to receive an email, supposedly from the CEO, requesting an unexpected bank transfer, like the below:
Employing well-known brand names
Brandjacking is a term I use when cybercrime groups hijack the trusted relationships that we all have with major brands and companies. Essentially, brandjacking is a kind of forgery. Having realised the powerful influence and impact of brands on the minds of consumers, scammers often exploit the trademarks of well-known & trusted companies to deceive users. The AFR article on the phishing attack targeting the Domain customer revealed that scammers referenced several well-known brands, including Booking.com and online restaurant reservation service OpenTable, in order to convince the customer of the legitimacy of both the ‘apartment’ and the deposit payment process.
At MailGuard, my team regularly intercepts malicious emails impersonating well-known brands like Microsoft, Netflix, DHL and even government agencies like the Australian Taxation Office because their good reputation lulls victims into a false sense of security. Playing on the fact that we’re all time-poor, with full inboxes, cybercriminals are hoping we won’t think twice about clicking emails from the brands we know and trust. Here’s our hit list of brands that are frequently mimicked by cybercriminals.
In fact, scammers are investing more time and effort into producing communications that look authentic, just like those from the brands they are impersonating. In some instances, senior graphic designers and/or legal experts are being employed by cybercriminals to design contracts and to use high quality design and branding elements within the emails.
There are several means to defend your company from psychological cyber-warfare. You’re probably doing these already, but it doesn’t hurt to go through them to ensure they’re in your current cybersecurity strategy.
Train your teams
If you want your team to participate in making the business safer from hacking and cybercrime, you have to give them the knowledge to make good security choices. This includes being able to, firstly, identify cyber scams when they receive them. It doesn’t just happen; it’s a matter of generating awareness throughout the entire team and empowering them to think of themselves as the first line of defence.
Ongoing education is the key to enlightening your staff on the ground. This may be in the form of workshops, meetings, guest speakers, cross-functional teams, tests, and plenty of resources available on your intranet, including weekly cybersecurity updates. You can refer to external resources as well. MailGuard’s blog, for example, is regularly updated with the latest email threats that we see popping up, along with thought leadership articles on the current cyber landscape and how to navigate it.
Fortify your defences
We know that spending on cybersecurity should be a combination of the right technology and education. Just keeping your antivirus software up to date is not going to cut it, and likewise, giving your employees comprehensive knowledge on being cyber-savvy without having strong technological defences in place won’t work either.
Nine out of 10 cyber-attacks start with an email, even when most businesses have an email security solution in place. Precisely because email is a critical tool and arguably the most important means of communication among many businesses, it is imperative for businesses to consistently review their email security strategies to ensure they’re doing all that they can to stay safe. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist cloud email security solution like MailGuard to complement Microsoft 365. For more information about how MailGuard can help defend your inboxes, reach out to my team at email@example.com.
This time, a Domain customer fell victim to a socially-engineered phishing email scam. Next time, it could be an employee from your business, using a work computer, potentially allowing cybercriminals to infiltrate corporate networks, and leading to disastrous consequences. Let this attack be a reminder of the need to ensure your business’ cyber defence strategy encompasses all of the elements required to beat cybercriminals at the mind games they’re playing.
What are you doing in your business to defend your systems against socially engineered attacks? Share your thoughts below.