What is Phishing?

Quite simply, it is a fraudulent attempt to gain access to sensitive information (passwords, payment details, confidential data) by pretending to be a legitimate source.

Phishing can come in various forms

The general form of phishing is an email that appears to come from a well-known company (such as Microsoft or Facebook) asking you to click a link and sign in with your details. The link leads to a copy of the real login page controlled by the attacker, so when you sign in you are handing over your username and password and putting your accounts at risk.

Often we only realise we have done this when it is too late. The best thing to do is immediately change the password on the affected account, and on any other account where you used the same password, since attackers will try stolen credentials elsewhere.

Spear Phishing

Here the fraudulent source sends an email impersonating a specific person, usually someone of importance within the same organisation as the recipient.

This is a more targeted form of phishing and usually only happens when the cyber-criminal has done some research on your organisation: who works there, who reports to whom, and which people are important.

For example: an email is sent impersonating a director of the company, requesting that an action be taken or a payment be made (sometimes promising reimbursement). The message is typically marked urgent and asks the recipient not to discuss it with anyone else, so that the normal checks are skipped.

This has become more common recently as more businesses operate remotely and conduct their business online, where an email from "the boss" cannot be checked by walking to the next office.

Whaling

This is spear phishing aimed at the most senior people in the company. A fraudulent source targets a director, chief executive or senior accountant directly, in an attempt to get them to approve a payment or hand over sensitive information. Because these people have the authority to move money and the access to confidential data, a single successful email can be very costly.

Reported examples of spear phishing

Austrian manufacturer lost $55 million and replaced CEO

FACC, an Austrian manufacturer of aircraft parts, allegedly lost around $55 million to a spear phishing scam in 2016. FACC has not released the full details of what transpired, but it is thought to have been a whaling attack involving the impersonation of high-level financial executives. The CEO of FACC was subsequently replaced.

Employee impersonation cost company $47 million

In a similar case, NBC News reported that Ubiquiti Networks, a computer networking company, was allegedly scammed out of $47 million. Like FACC, the company declined to release full details, but Ubiquiti said the scam involved the impersonation of employees and was targeted at its finance department.

Lithuanian man takes $100 million from Big Tech

According to the US Justice Department, from 2013 to 2015 a Lithuanian man named Evaldas Rimasauskas allegedly ran a clever scheme that made him millions. He registered a shell company in Latvia with a name identical to that of a real computer hardware company. He then sent spear-phishing emails to top Silicon Valley corporations that did business with that hardware company, posing as the legitimate supplier, with the copycat company name acting as cover. By "billing" these companies for goods they were genuinely buying from the real supplier, and having the payments sent to his own bank accounts, he allegedly collected over $100 million before being discovered by federal authorities. Note that this attack needed no malware and no stolen passwords: it relied entirely on a convincing name and on the victims not verifying a change of payment details.

What you can do to protect from Phishing

The best preventative measure is training. This teaches all employees what to look for in order to identify fraudulent emails: unexpected requests for payments or credentials, a sense of urgency or secrecy, sender addresses and links that do not quite match the company they claim to come from, and requests to change bank details.

Communication is also an important preventative measure. If there is any doubt about the legitimacy of an email, pick up the phone and call the person or company it claims to come from, using a number you already have on file rather than one printed in the email itself, since the attacker controls what is in the email. Any request to make a payment or change bank details should be confirmed this way as a matter of routine. If you are unsure whether a message is genuine, your email service provider or IT support can also help confirm whether it is fraudulent.

As a business owner or director, one option is to test your employees with a simulated phishing email designed to pinpoint users who may need further training. This can be easily accomplished with the assistance of your IT services provider. If this is something you may be interested in, please don't hesitate to contact us.