No one thinks they’ll fall for a phishing attempt at work — until they do


Con artists are using social media and other tricks to send phishing emails that look legitimate — or even look like they’re coming from a co-worker or your CEO.
Susan Tompor/Detroit Free Press

Quite honestly, many of us can only wonder how anyone falls for some incredibly old tricks in the hacking book. Like, really, who sits down at work and opens an attachment connected to a vague request in an e-mail without first questioning whether the sender is legitimate?

Who would quickly send off batches of W-2 information to unauthorized users because someone claims to be the CEO demanding fast action? Or better yet, who initiates a wire transfer involving thousands of dollars because an e-mail says a bill must be paid now or else a big deal will fall through?

Really? 

But Ann Arbor-based Duo Security — which markets a cloud-based system to ensure that only those authorized to enter and use a company’s system can get access — sees plenty of signs where phishing is a cost-effective way for crooks to do business.

“Hackers attack people and not systems,” said Michael Hanley, senior director of security. “They’re really hacking the person’s behaviors.”

We’ve heard plenty of stories about cyber security mishaps. Last week, for example, the Detroit Medical Center blamed an employee at an outside agency for turning over protected health information for about 1,500 people to an unauthorized third party. The DMC said the breach involves patients seen between March 2015 and May 2016 at its facilities. 

At times, we’re dealing with rogue operators within an organization. Other times, people just fall for phishing attempts when they should know better. 

The FBI disclosed in April 2016 that law enforcement received reports about business email scams from 17,642 victims from October 2013 through February 2016. The losses exceeded $2.3 billion. 

Much information is already available on social media to make sure that the first phishing attempt that arrives via e-mail sounds legitimate, especially to someone in a rush. Names of top executives, including the CEO and the chief financial officer, are easily found on company web sites or LinkedIn, a business and employment social networking service.

Surprisingly, it’s not hard to figure out what vendors some companies use as well, Hanley said.

Cyber crooks start out by trying to determine who you are at the company, what role you play and who your contacts are inside and outside of the organization. If you’re the one who typically initiates wire transfer payment to cover some bills, cyber crooks put in the time to make sure they know it. 

Pick up data, throw some facts into an email and let the phishing begin. 

Cyber experts see signs of a growing threat of phishing attempts that target companies working with foreign suppliers or other businesses that regularly use wire transfers to cover some payments. The fraudsters try to mimic the method of payment that’s most commonly associated with their victim’s normal business practices.

The Federal Bureau of Investigation’s Internet Crime Complaint Center said that last year the scam has evolved to include requests for wage and tax statements or W-2 forms for employees. 

Phishing.org said more than 100 billion spam e-mails are sent each day, and more than 85% of all organizations have been targeted by phishing attempts.

To prove how easy some phishing attempts can be for crooks, Duo created a free Duo Insight tool on its website that allows any company to stealthily start a fake phishing campaign within the company to pinpoint the vulnerability of some devices and users. 

I visited with the Duo Security team in Ann Arbor last week and saw how a company can launch one of these fake phishing attempts.

Jordan Wright, senior research and development engineer, gave me a demonstration and started out with an e-mail as simple as “Please review these notes from the last meeting and confirm you will do the assigned tasks.”

Many company messages can be fairly simple, such as “I just sent you an important document to review.” Or even “Here’s a file of photos from the company’s picnic.”

During the past 12 months, Duo said its Duo Insight tool was used in 4,400 phishing campaigns involving about 100,000 people. 

About 44% of the recipients opened the fake emails — and 24% clicked on the link. 

Worse yet, about 12% of recipients entered their credentials — typically a user name and password. 

The Duo team said 62% of these phishing campaigns captured at least one person’s credentials.

The company said that it can take less than 15 minutes before someone is actually phished, based on its research. 

Clicking on a link, of course, can either infect your computer with malware that can capture data or divert you to a web site that looks real but is actually set up to steal your personal information.

Duo Security, founded in 2010 by Dug Song and Jon Oberheide, protects users in organizations such as Etsy, Facebook, Altegra Health, Yelp, Zillow and the University of Michigan. 

Duo Security offers a platform that includes a two-factor authentication mobile app that enables employees to quickly verify their identity by approving push notifications before accessing applications for doing their expense reports and other work-related duties on their computers or smartphones. 

Some of the basic tips, of course, still apply. Make sure that you look closely at the domain name of the site you’d be sent to without clicking on any links. If you’re unsure, you can always e-mail someone at the company on your own and double-check if they sent you a request. 
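One way to do the “look at the domain without clicking” check above, as an added example that is not from the article or from Duo Security: a Python script that parses an e-mail’s HTML body and lists, for each link, the text the reader sees next to the host the link actually goes to, flagging links whose visible URL names a different host and links to hosts outside a company allow-list. The allow-list, the sample message and the `audit_links` helper are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hosts this hypothetical company actually uses.
TRUSTED_HOSTS = {"example.com", "docs.example.com"}
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or URL-looking text; '' when there is none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def audit_links(html, trusted=TRUSTED_HOSTS):
    """One dict per link: visible text, the host it really goes to, reasons to be wary."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        shown = _host(text) if _URL_LIKE.match(text) else ""  # only when the text itself looks like a URL
        reasons = []
        if shown and shown != real:  # the classic lure: text names one site, the link goes elsewhere
            reasons.append("visible URL hides a different host")
        if not any(real == t or real.endswith("." + t) for t in trusted):
            reasons.append("host not on the company allow-list")
        findings.append({"text": text, "host": real, "reasons": reasons})
    return findings

# Constructed sample in the style of the article's "review these notes" lure.
SAMPLE_EMAIL = """<p><a href="https://docs.example.com/notes">Please review these notes</a></p>
<p>W-2 files: <a href="http://example-com.login-verify.test/w2">https://hr.example.com/payroll</a></p>
<p>Picnic photos: <a href="https://www.example.com/picnic">www.example.com</a></p>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags only the second link, on both counts; the first and third resolve to allow-listed hosts.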

More tips: Be careful about the information you post on social networks. Don’t kid yourself and think you could never fall for one of these phishing attempts. When the CEO or CFO asks for W-2 files, or for all the names and addresses of the staff at the branch in New Jersey, don’t drop everything you’re doing to send all that data. It doesn’t hurt to slow down and be skeptical.

Contact Susan Tompor: 313-222-8876 or stompor@freepress.com. Follow Susan on Twitter @Tompor. 

Article source: http://www.freep.com/story/money/personal-finance/susan-tompor/2017/07/16/phishing-attempt-work/475151001/