Criminals are using a new tactic to con money out of small to medium-sized businesses and startups, and are now using insider phishing scams to convince account department executives to make fraudulent bank transfers. The insider phishing scams are highly convincing, and a number of company executives have already fallen for the scams. Thousands of pounds have already been transferred into the bank accounts of criminals. By the time the fraudulent bank transfers are discovered, the money is long gone and cannot be recovered.
Insider phishing scams are targeting specific individuals in the accounts department
A number of similar insider phishing scams have been seen in recent months. Workers are sent an email from their boss asking them to transfer money from their personal account to help cover an essential bill. These scams tend to work on small businesses that are likely to experience cashflow difficulties.
Employees fall for the scams and make the transfers as they are fearful of their employer and want to appear keen and willing to help. The latest insider phishing scams appear to me much more targeted. Criminals already know the names of the individuals working in the accounts department and are targeting the person most likely to respond.
These people are sent an email from their boss, are referred to by name, and the email address used to send the message appears, at first glance at least, to be genuine.
A brief message is sent asking for a transfer of several thousand points to be made, and the bank account and sort code information are provided in the email. The victim is informed that their boss will send them further information to allow the payment to be entered into the company accounts. The victim is also asked to send an email back confirming when the transfer has been made.
The scam is clever. By asking for a confirmation, the victim will most likely reply to the same email and not follow up for a couple of days or so. By that time the transfer will have cleared, the money taken out of the criminal’s account, and it will not be possible to recall the funds.
Fake domain names being registered to conduct insider phishing scams
If an email was sent from an email address with a non-company domain it would be unlikely to result in a bank transfer being made. Even a busy accounts department executive would check who sent the email before making a transfer of £20,000. To get around this problem, criminals are registering a very similar domain name to that used by the target company.
Typically, the domain name used will be virtually identical to the one used by the company, with one minor change: One character will be replaced with another. The most effective way to do this is to replace an L with an i, or a 1 with a lower case L, or vice versa. The different domain name is then unlikely to be noticed. Instead of “Littlewoods”, the domain “Litt1lewoods” or “Littiewoods” would be used.
The success of these insider phishing scams relies on the email being as genuine as possible. The email must also be sent to the right account executive. If the request appears unusual – being sent to a person who would not typically make a bank transfer for example – it would appear suspicious and would likely be questioned.
After the domain name has been purchased, the format of the company’s email addresses must be discovered. Then the name of the chief executive and the company’s financial controller. The criminal behind the campaign can send the scam email.
The victims are therefore researched beforehand. The correct individual is identified and they – and they alone – are sent the transfer request. It has been hypothesized that the reason these insider phishing scams are being conducted on tech companies is they are more likely to be easy to research.
There have been numerous reports of these insider phishing scams being conducted in recent weeks. Some individuals have fallen for the scams and have made large transfers to the criminal’s account as requested.
How to protect against insider phishing scams
It is essential that all staff members are warned about these insider phishing scams and told to be vigilant. Protecting against these attacks must start at the top. Email requests to make transfers may be convenient, but employers must set up policies that require accounts executives to verify the request, by telephone, before they are made.
A few years ago, spam emails were very easy to spot. They were sent out in bulk, contained numerous typos and grammatical errors, and on the whole were very easy to identify as being fake. That is no longer the case. Scammers are now taking time to develop highly convincing campaigns to fool specific individuals into revealing personal information or making large bank transfers. The effort put into these campaigns is worth the effort. The criminals are much more likely to get the victim to take the required action.
In addition to instilling a security aware culture in an organization, one of the best protections is to purchase a robust spam filtering solution. An email sent from a domain closely matching the company´s own domain name would be caught by the spam filter and directed to the email quarantine folder. Training is good, but preventing insider phishing emails from being delivered is a much more reliable method of stopping employees from falling for these phishing scams.
