16 business email/mobile phishing tricks to be aware of in 2019

August 12, 2019 by Susan Morrow

Introduction

It’s hard enough running a business without a cybercriminal trying to ruin it. According to PWC, 49% of organizations across the world reported being a victim of fraud and economic crime in 2018, up from 36% in 2017.

Business email, and now mobile messaging apps, are mainstays of business communication and therefore conduits for business phishing tricks. Fraudulent phishing emails are a continuing issue that organizations need to be aware of in order to reduce the impact of cybercrime on their bottom line.


Here are 16 of these phishing tricks to watch out for in 2019.


1. Business Email Compromise (BEC)

The U.S. Treasury Department’s July 2019 report found that BEC costs U.S. companies around $300 million per month. Business Email Compromise uses social engineering, including spearphishing emails and surveillance of a company and employees. The scammer will often impersonate a company executive such as a CEO. The result is usually the transfer of money, sometimes millions of dollars.

2. Fake billing scams

During 2018, Australian companies lost over AUD 5 million to fake billing scams. The scam tends to target smaller businesses. The fraudsters con a company into paying for spoof services, typically by emailing an invitation to renew a company web domain or to be listed in a trade magazine.

Scammers focus on the administration department, as its staff are less likely to be aware of day-to-day business activities and will hopefully (for the scammer) simply pay the “bill.”

3. Office 365 scams

Microsoft Office 365 is a popular tool for businesses, which makes it popular with cybercriminals too.

A recent report by VadeSecure found that Office 365 was the number one brand impersonated in phishing for login credentials. The scam uses the usual tricks of the phishing trade: a phishing email links to a fake Microsoft Office 365 login page that harvests the username and password, which are then used to hijack the account.

4. Virtual office voicemail scams

This scam targets businesses that use virtual offices which deliver voicemail messages via email. The scam takes the form of an email with an attachment (the supposed voicemail). Attachment formats vary, but typically it is an .HTML file.

If the recipient opens the attachment, it displays a spoofed form asking for some personal information and a password to access the voicemail. Once the data is entered, it is sent to the cybercriminal behind the scam and used for account hijacking or resale.

5. TrickBot/TrickBooster banking Trojan

According to Kaspersky, the number of users attacked by banking Trojans grew by around 16% in 2018. Banking Trojans infect computers to steal bank login credentials.

Trojans such as TrickBot specifically target business users and were the biggest banking threat to businesses in 2018, according to Malwarebytes. The Trojan is delivered via an email or SMiShing (text message phishing) campaign.

More recently, a new variant of TrickBot called TrickBooster has been used to harvest email credentials from around 250 million email accounts. The hijacked accounts are then used to propagate the malware.

6. Spearphishing scams

Targeted phishing campaigns or “spearphishing” continue to be a serious issue. Symantec found that over 71% of cyberattacks used spearphishing emails. This form of phishing typically targets privileged users, like system administrators, to obtain login credentials to sensitive resources like servers or databases.

7. Dropbox phishing

The Software-as-a-Service offering, Dropbox, is very popular amongst business users who use it to share and collaborate on company documentation. The global scale and capacity of Dropbox is massive, with around 500 billion pieces of content uploaded. 

Scammers use email phishing tricks to attempt to harvest Dropbox credentials and steal accounts and documents. The emails link to spoof Dropbox login pages where, if a username and password are entered, they are sent directly to the cybercriminal behind the scam.

8. W2 tax scams

Tax season brings out the scammers in the form of W2 tax scams. The attack typically involves the fraudster creating a spoof email account that looks like a company executive. They will then send an email using this account to an employee in the HR department with an urgent request for past and present employees’ W2 details. These data are then used for resale or to propagate subsequent attacks.

9. Slack scams

Slack is a popular online collaboration tool for teams. Slack and similar online collaboration portals are increasingly seeing phishing scams that use the messaging system within the app.

In 2017 and 2018, a number of cryptocurrency-related phishing scams used Slack messages as the conduit for the scam. In 2019, we may well see Slack and similar apps being used for other phishing purposes, such as harvesting personal data or company information.

10. Mobile phishing threats

As mobile devices become a standard way to access company resources, mobile-focused phishing has come along for the ride. This is not surprising, as mobile phishing (SMiShing) is successful: a survey by Lookout found that the click-through success rate for mobile phishing scams is 56%. Mobile phishing via text messages uses all the same tricks as its email counterpart.

11. Messaging apps

Organizations are turning to messaging apps such as WhatsApp to communicate on business matters. Increasingly, these messaging apps are also being used as conduits for phishing. The same sort of tricks are used as in the traditional phishing email, including urgency, spoof offers and so on. Clicking on a link in the message takes you to a spoof website page that steals data.

12. Travel phishing scams

Business travelers are a good target for fraudsters who catch them off guard. The phishing email contains details of a supposedly recently booked trip, with the details in an attachment. If the attachment is opened, it may install malware on the computer. In an age where many employees travel regularly, this sort of scam could easily work.

13. Google calendar scam

This Google-related phishing scam, discovered by Kaspersky, uses a Google Calendar option to place event invites in another user's calendar. The event pops up on the specified day/time with an offer to take a survey and claim a cash reward. The link in the calendar event goes to a website with a short survey where users are encouraged to enter credit card and personal details.

14. Invoice scam

The invoice scam typically targets accounts payable/finance departments. It is an unbranded phishing email containing an image that clearly looks like an invoice. The .jpg image carries code that, when clicked, runs a banking Trojan installer. The scam is a clever one, as it is easy to dupe a busy department that receives many expense invoices by email.

15. Sharing file phishing

To circumvent anti-phishing technology, fraudsters are now using the document sharing mechanisms that are part of common portals like Microsoft OneDrive or SharePoint. The phishing scam consists of an email with a link to a work-related document, hosted on such a portal. If the user clicks on the link, they will be taken to a spoof login page of the sharing portal; once credentials to the site are entered, they are stolen and used to hijack an account.

16. RFP Proposal scam

Small businesses are targeted by scammers with fake tender proposals. The email contains either an RFP in PDF format or a link to download the proposal. The email will look like it has come from a legitimate company, even a partner organization if the fraudster has done their surveillance. Opening the PDF can result in a malware infection.

Alternatively, if the link is used, the individual is taken to a website requesting bank details to process the bid. These are then sent to the cybercriminal behind the scam.

Conclusion

As you can see from this list of 16 phishing scams that target businesses, variety is the spice of the cybercriminal’s life. The fraudster will use whatever mechanism is commonly used in the workplace to get their dangerous links or malware-ridden files onto a corporate network. 

The best way to deal with the deluge of phishing mechanisms is to know the tricks of the trade. The conduits used to phish may be varied but the tricks are often the same. The best way to tackle this type of cybercrime is by having all employees security-aware.
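Because the tricks repeat across conduits, several of them can be spotted mechanically before a person ever reads the message. The following script is an added example for this article (it is not the author's code or any product's): it parses one email and flags the recurring patterns described above, namely an executive's display name on a message from an outside domain (tricks 1 and 8), a Reply-To that diverts replies elsewhere, the attachment types the voicemail, invoice and RFP scams lean on (tricks 4, 14 and 16), and links whose visible text names a trusted portal while the actual address points elsewhere (tricks 3, 7 and 15). The company domain, executive names, the trusted-domain allowlist and both sample messages are constructed for illustration.

```python
"""Added example: header, attachment and link triage for phishing tricks.
All organisation details and the sample messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed organisation details: our own mail domain and the display
# names a BEC or W2 scam would typically impersonate.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Attachment types used by the voicemail (.html), invoice (.jpg) and RFP (.pdf) scams.
RISKY_EXTENSIONS = {".html", ".htm", ".jpg", ".pdf"}
# Brand words that phishing link text commonly borrows, and an assumed
# allowlist of domains where links using those words are expected to land.
BRAND_WORDS = ("office 365", "office365", "microsoft", "dropbox", "onedrive", "sharepoint")
TRUSTED_LINK_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com",
                        "dropbox.com", "sharepoint.com")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain of an address header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def display_name_of(header_value):
    """Lower-cased display name of an address header value."""
    name, _ = parseaddr(str(header_value or ""))
    return name.strip().lower()


def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    name = display_name_of(msg["From"])
    # Executive's name shown, but the mail originates outside the company.
    if name in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive impersonation: '{name}' from {from_domain}")

    # Replies silently diverted to a mailbox on a different domain.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")

    # Attachment types the voicemail, invoice and RFP scams rely on.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rpartition(".")[2] if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {fname}")

    # Link text names a trusted portal, but the href host is neither that
    # portal nor our own domain.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        plain = re.sub(r"<[^>]+>", "", text).strip().lower()
        host = (urlparse(href).hostname or "").lower()
        mentions_brand = any(word in plain for word in BRAND_WORDS)
        allowed = under(host, COMPANY_DOMAIN) or any(
            under(host, d) for d in TRUSTED_LINK_DOMAINS)
        if mentions_brand and not allowed:
            findings.append(f"deceptive link: '{plain}' -> {host}")
    return findings


# Constructed sample: a BEC-style message combining several tricks at once.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@exec-mail.example.net>
Reply-To: Jane Doe <jd.urgent@another-mailbox.example.org>
To: payroll@example-corp.test
Subject: Urgent: W2 forms and voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please send the W2 forms today.</p>
<p><a href="http://office365-verify.example.net/login">Sign in to Office 365</a></p></body></html>
--b1
Content-Type: text/html; charset="utf-8"; name="voicemail.html"
Content-Disposition: attachment; filename="voicemail.html"

<html><body><form>Enter your password to hear the message</form></body></html>
--b1--
"""

# Constructed control: an internal message with a genuine Dropbox link.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Q3 report
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.dropbox.com/s/constructed">Open in Dropbox</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
    print("clean message findings:", triage(CLEAN_EMAIL))
```

Run against the sample, the script reports four findings (impersonated executive, diverted Reply-To, an .html "voicemail" attachment and an Office 365 link to an unrelated host) and nothing for the control message. None of these checks proves a message is malicious on its own; a real mail gateway would combine them with SPF/DKIM/DMARC results and sender reputation, but the point of the example is that the same handful of tricks the article lists keep surfacing in the headers and links, where they can be caught before the urgency in the message text does its work.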


Sources

  1. PwC’s 2018 Global Economic Crime and Fraud Survey, PWC
  2. Financial Trend Analysis, FinCEN
  3. Number of users attacked by banking Trojans grew by 16% in 2018 reaching almost 900,000, Kaspersky
  4. TrickBot takes over as top business threat, Malwarebytes Labs
  5. TrickBooster – TrickBot’s Email-Based Infection Module, Deep Instinct
  6. Internet Security Threat Report Volume 23, Symantec
  7. 33 Staggering Dropbox Statistics and Facts (2019), DMR
  8. Cybercriminals Use Smartphone Calendars to Distribute Scam Offers, Kaspersky
  9. New variant of Zeus banking trojan concealed in JPG images, SC Magazine

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named one of Computer Weekly's 2020 Most Influential Women in UK Tech and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.