16 business email/mobile phishing tricks to be aware of in 2019
Introduction
It’s hard enough running a business without a cybercriminal trying to ruin it. According to PwC’s 2018 Global Economic Crime and Fraud Survey, 49% of organizations worldwide reported being a victim of fraud or economic crime, up from 36% in the previous survey.
Business email, and now mobile messaging apps, are a mainstay of communications and therefore a conduit for business phishing tricks. Phishing emails are a continuing problem that organizations need to understand if they want to limit the impact of cybercrime on their bottom line.
Here are 16 of these phishing tricks to watch out for in 2019.
1. Business Email Compromise (BEC)
The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) reported in July 2019 that BEC costs U.S. companies around $300 million per month. BEC relies on social engineering: spearphishing emails combined with reconnaissance of the target company and its employees. The scammer usually impersonates a company executive such as the CEO, and the payoff is a fraudulent money transfer, sometimes of millions of dollars.
2. Fake billing scams
In 2018, Australian companies lost over AUD 5 million to fake billing scams, which tend to target smaller businesses. The fraudster cons the company into paying for a service it never ordered, typically by emailing an “invitation” to renew the company’s web domain or to be listed in a trade magazine.
Scammers aim at the administration department, whose staff are less likely to know which services the business actually uses and will, the scammer hopes, simply pay the “bill.”
3. Office 365 scams
Microsoft Office 365 is widely used by businesses, which makes it equally popular with cybercriminals.
A recent report by VadeSecure found that Office 365 was the number one brand impersonated in phishing for login credentials. The scam uses the standard tricks of the trade: a phishing email links to a fake Office 365 login page that harvests the username and password, which are then used to hijack the account.
4. Virtual office voicemail scams
This scam targets businesses that use virtual offices that deliver voicemail messages by email. The lure is an email with an attachment (the supposed voicemail). Attachment formats vary, but typically it is an .html file, which can carry the entire phishing page inside the message so that no external link is needed for URL filters to block.
If the recipient opens the attachment, a spoofed form asks for some personal information and a password to “access” the voicemail. Anything entered is sent to the cybercriminal behind the scam and used for account hijacking or resale.
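An HTML attachment of this kind is just a web form whose action points at the scammer’s server, so a mail gateway can inspect it before the user ever opens it. The following script is an added example, not code from the article: it parses an HTML attachment, records every form that contains a password field, and flags forms that post to a host outside an allowlist or over plain HTTP. The allowlist `TRUSTED_FORM_HOSTS` and the sample attachment `SAMPLE_VOICEMAIL_HTML` are constructed for this example.

```python
"""Scan an HTML e-mail attachment for a credential-harvesting form.

Added example for the voicemail-attachment trick; it is not code from the
article. SAMPLE_VOICEMAIL_HTML and TRUSTED_FORM_HOSTS are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts a legitimate voicemail portal would post to.
TRUSTED_FORM_HOSTS = {"voicemail.example-provider.com"}


class _FormScanner(HTMLParser):
    """Record every <form>, its action URL, and whether it asks for a password/e-mail."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False, "email": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()
            name = a.get("name", "").lower()
            if kind == "password":
                self._current["password"] = True
            if kind == "email" or "email" in name or "user" in name:
                self._current["email"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_html_attachment(html: str) -> list:
    """Return human-readable findings; an empty list means no credential form was seen."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        action = form["action"].strip()
        host = (urlparse(action).hostname or "").lower()
        if not form["password"]:
            continue  # a form without a password field is not a credential lure
        if host and host not in TRUSTED_FORM_HOSTS:
            findings.append(f"password form posts to untrusted host {host}")
        elif not host:
            # No absolute action: the page was opened from disk, so the form either
            # posts nowhere useful or a script rewrites the target at submit time.
            findings.append("password form without an absolute action (likely script-driven)")
        if form["email"] and action.lower().startswith("http:"):
            findings.append("credentials would be submitted over plain HTTP")
    return findings


# Constructed lure: a fake "voicemail" page that asks for e-mail and password.
SAMPLE_VOICEMAIL_HTML = """<html><body>
<h2>You have 1 new voicemail (0:42)</h2>
<form method="post" action="http://voice-portal-login.example.net/collect.php">
  Email: <input type="text" name="email">
  Password: <input type="password" name="pass">
  <input type="submit" value="Listen now">
</form></body></html>"""

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_VOICEMAIL_HTML):
        print("SUSPICIOUS:", finding)
```

The check is deliberately narrow: a password field is the defining feature of a credential lure, so a plain HTML newsletter produces no findings. Real lures often build the form with JavaScript at load time, which is why an empty or relative action is also flagged rather than ignored.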
5. TrickBot/TrickBooster banking Trojan
Kaspersky reports that the number of users attacked by banking Trojans grew by around 16% in 2018. Banking Trojans infect computers to steal online banking credentials.
Trojans such as TrickBot specifically target business users, and TrickBot was the biggest banking threat to businesses in 2018 according to Malwarebytes. It is delivered via email or SMiShing (text message phishing) campaigns.
More recently, a TrickBot module called TrickBooster has been used to harvest email addresses and credentials; Deep Instinct found around 250 million email addresses in its database. The hijacked accounts are then used to send further malicious mail and propagate the malware.
6. Spearphishing scams
Targeted phishing campaigns, or “spearphishing,” continue to be a serious issue. Symantec found that 71% of targeted attack groups used spearphishing emails as their infection vector. This form of phishing typically targets privileged users, such as system administrators, to obtain login credentials for sensitive resources like servers or databases.
7. Dropbox phishing
The Software-as-a-Service offering Dropbox is very popular with business users, who use it to share and collaborate on company documentation. Its scale is massive: around 500 billion pieces of content have been uploaded to it.
Scammers use email phishing to harvest Dropbox credentials and steal accounts and the documents in them. The emails link to spoof Dropbox login pages; any username and password entered there go straight to the cybercriminal behind the scam.
8. W2 tax scams
Tax season brings out the scammers in the form of W-2 scams. The fraudster sets up a spoof email account that looks like it belongs to a company executive, then uses it to send an HR employee an urgent request for the W-2 details of past and present employees. The stolen data is then sold or used to fuel subsequent attacks (a W-2 contains what is needed to file a fraudulent tax return in the employee’s name).
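Both the BEC trick in section 1 and the W-2 request above hinge on the same thing: an executive’s name in the From display name, attached to an address that is not the executive’s, often with a Reply-To that quietly routes answers outside the company. The following script is an added example, not code from the article: it parses a raw message with the standard `email` library and reports those header mismatches, plus a weak content signal for urgent payroll or payment requests. `COMPANY_DOMAIN`, the `EXECUTIVES` directory and the sample message are constructed for this example.

```python
"""Flag executive impersonation in an inbound e-mail (the BEC / W-2 request pattern).

Added example, not code from the article. COMPANY_DOMAIN, the EXECUTIVES
directory and the sample messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
# Hypothetical directory of the people most worth impersonating: name -> real address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
REQUEST_WORDS = ("w-2", "w2", "wire transfer", "payment")
URGENCY_WORDS = ("urgent", "asap", "today", "right away")


def _norm_name(name: str) -> str:
    """Lower-case, strip punctuation and sort the words so 'Doe, Jane' still matches."""
    parts = name.lower().replace(",", " ").replace(".", " ").split()
    return " ".join(sorted(parts))


_EXECS_BY_NORM = {_norm_name(n): addr for n, addr in EXECUTIVES.items()}


def check_impersonation(raw_message: str) -> list:
    """Return reasons this message looks like executive impersonation; [] if none."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    reasons = []

    # 1. Display name of a known executive paired with an address that is not theirs.
    real_addr = _EXECS_BY_NORM.get(_norm_name(from_name))
    if real_addr and from_addr != real_addr:
        reasons.append(f"display name '{from_name}' used with foreign address {from_addr}")

    # 2. Looks internal, but any reply is silently routed outside the company.
    if from_domain == COMPANY_DOMAIN and reply_addr and not reply_addr.endswith("@" + COMPANY_DOMAIN):
        reasons.append(f"Reply-To {reply_addr} diverts replies outside {COMPANY_DOMAIN}")

    # 3. Content signal: an urgent request for payroll data or money. Weak alone, strong with 1 or 2.
    payload = msg.get_payload(decode=True) or b""
    text = payload.decode("utf-8", errors="replace").lower()
    if any(w in text for w in REQUEST_WORDS) and any(w in text for w in URGENCY_WORDS):
        reasons.append("urgent request for W-2 data or a payment in the body")
    return reasons


# Constructed sample: the CEO's name on a lookalike domain, asking HR for everyone's W-2s.
SAMPLE_W2_REQUEST = """From: Jane Doe <jane.doe@example-ceo-office.com>
To: hr@example.com
Subject: W-2 copies needed
Content-Type: text/plain

Hi, I need the W-2 forms for all current and former employees ASAP.
I'm in meetings all day, just reply with the PDFs. Thanks, Jane
"""

if __name__ == "__main__":
    for reason in check_impersonation(SAMPLE_W2_REQUEST):
        print("FLAG:", reason)
```

A message sent from the real executive address with no Reply-To produces no findings, so the check does not fire on ordinary internal mail; the content rule on its own is intentionally not enough to flag a message.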
9. Slack scams
Slack is a popular online collaboration tool for teams. Slack and similar collaboration portals are increasingly seeing phishing scams delivered through the messaging system within the app.
In 2017 and 2018, a number of cryptocurrency-themed phishing scams used Slack messages as the conduit. In 2019, we may well see Slack and similar apps used for other phishing purposes, such as harvesting personal data or company information.
10. Mobile phishing threats
As mobile devices become a standard way to reach company resources, mobile-focused phishing has come along for the ride. This is not surprising, because it works: a survey by Lookout found that 56% of users had clicked a phishing link on a mobile device. Phishing by text message (SMiShing) uses all the same tricks as its email counterpart, and the small screen makes a spoofed sender or URL harder to spot.
11. Messaging apps
Organizations are turning to messaging apps such as WhatsApp to communicate on business matters, and these apps are increasingly used as conduits for phishing as well. The tricks are the same as in a traditional phishing email: urgency, spoof offers and so on. Clicking a link in the message takes the user to a spoof web page that steals data.
12. Travel phishing scams
Business travelers are a good target for fraudsters because they are often rushed and easy to catch off-guard. The phishing email describes a supposedly recent booking, with the “details” in an attachment; opening the attachment may install malware on the computer. In an age when many employees travel regularly, this sort of scam could easily work.
13. Google calendar scam
This Google-related phishing scam, reported by Kaspersky, abuses Google Calendar’s default of adding invitations to a user’s calendar, even unsolicited ones, so the scammer can place an event directly in the victim’s calendar. The event pops up as a notification at the specified day and time with an offer to take a survey and claim a cash reward. The link in the event leads to a website with a short survey that encourages users to enter credit card and personal details.
14. Invoice scam
The invoice scam typically targets accounts payable or finance departments. It is an unbranded phishing email containing an image that is clearly an invoice. Clicking the image triggers the download and installation of a banking Trojan; in the variant reported by SC Magazine, the Zeus Trojan hid its components inside .jpg files. The scam is a clever one, because it is easy to dupe a busy department that receives many expense invoices by email.
15. Sharing file phishing
To get past anti-phishing technology, fraudsters now use the document-sharing mechanisms of common portals such as Microsoft OneDrive or SharePoint. The lure is an email with a link to a supposedly work-related document hosted on such a portal; because the link points at a genuine sharing domain, URL-reputation filters tend to let it through. Following the link leads to a spoof login page for the portal, and once credentials are entered there they are stolen and used to hijack the account.
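The Office 365, Dropbox and OneDrive/SharePoint tricks in sections 3, 7 and 15 all rest on a link that mentions a brand but resolves to a domain the brand does not own. The following script is an added example, not code from the article or from any of those vendors: it extracts the URLs from a message body, reduces each host to its registrable domain, and flags links that name a brand while landing elsewhere, as well as the `user@host` trick where a trusted-looking name sits in the URL’s userinfo. The `BRANDS` map and `SAMPLE_BODY` are constructed for this example; the domain reduction is deliberately simplistic and is noted as such in the code.

```python
"""Flag links in a message body that point at brand-lookalike login pages.

Added example for the Office 365 / Dropbox / OneDrive credential-phishing tricks.
The BRANDS map and SAMPLE_BODY are constructed for this example.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hypothetical per-brand map: word that appears in lures -> registrable domains the
# brand really uses for sign-in. Extend from your own allowlist; this is illustrative.
BRANDS = {
    "office": {"office.com", "microsoft.com", "microsoftonline.com", "live.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "onedrive": {"onedrive.com", "live.com", "microsoft.com", "sharepoint.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "dropbox": {"dropbox.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com-style TLDs only; a real
    deployment should use the Public Suffix List (this gets co.uk wrong, for example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(body: str) -> list:
    """Return (url, reason) pairs for links that mention a brand but do not resolve to it."""
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # 1. Userinfo trick: http://login.microsoft.com@evil.example/ really goes to evil.example.
        if parsed.username is not None:
            findings.append((url, f"userinfo before host; real host is {host}"))
            continue
        # 2. Brand word in host or path, but the registrable domain is not the brand's.
        reg = registrable_domain(host)
        haystack = host + parsed.path.lower()
        for brand, legit in BRANDS.items():
            if brand in haystack and reg not in legit:
                findings.append((url, f"mentions '{brand}' but domain is {reg}"))
                break
    return findings


# Constructed sample body mixing a lookalike link, a genuine link and a userinfo trick.
SAMPLE_BODY = """Your Office 365 mailbox is almost full.
Sign in at https://login-office365-verify.example.net/auth to keep receiving mail.
Shared file: https://www.dropbox.com/s/abc123/report.pdf
Also: http://www.microsoft.com@198.51.100.7/login
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_BODY):
        print(f"SUSPICIOUS: {url}  ({reason})")
```

The genuine Dropbox link is left alone because its registrable domain is in the brand’s set, while the lookalike host and the userinfo URL are both reported. Homoglyph and punycode lookalikes are out of scope here; they need IDN normalization on top of this check.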
16. RFP (request for proposal) scam
Small businesses are targeted by scammers with fake tender proposals. The email contains either an RFP in PDF format or a link to download the proposal, and it is made to look as if it came from a legitimate company, even a partner organization if the fraudster has done their reconnaissance. Opening the PDF risks a malware infection.
Alternatively, if the link is used, the recipient is taken to a website requesting bank details in order to “process the bid.” These are then sent to the cybercriminal behind the scam.
Conclusion
As you can see from this list of 16 phishing scams that target businesses, variety is the spice of the cybercriminal’s life. The fraudster will use whatever mechanism is commonly used in the workplace to get their dangerous links or malware-laden files onto a corporate network.
The best defense against this deluge is knowing the tricks of the trade: the conduits vary, but the tricks are mostly the same. That means making every employee security-aware, not just the IT department.
Sources
- PwC’s 2018 Global Economic Crime and Fraud Survey, PwC
- Financial Trend Analysis, FinCEN
- Number of users attacked by banking Trojans grew by 16% in 2018 reaching almost 900,000, Kaspersky
- TrickBot takes over as top business threat, Malwarebytes Labs
- TrickBooster – TrickBot’s Email-Based Infection Module, Deep Instinct
- Internet Security Threat Report Volume 23, Symantec
- 33 Staggering Dropbox Statistics and Facts (2019), DMR
- Cybercriminals Use Smartphone Calendars to Distribute Scam Offers, Kaspersky
- New variant of Zeus banking trojan concealed in JPG images, SC Magazine