Opportunistic cybercriminals are tapping into the wealth of personal and behavioral data available online, or launching spear-phishing attacks intended to trick recipients into transferring money into bogus third-party accounts.

That was a major conclusion drawn from San Mateo, Calif.-based security provider Agari's Executive Brief: Top Phishing Attacks, which reviewed some of the past year's most newsworthy phishing attacks, lessons learned from them and available countermeasures.

One common fraud theme was identity deception.

“Within enterprises, scammers are convincing their victims to give away confidential information or transfer money into a fraudulent bank account by posing as a trusted business executive, often using highly-targeted emails or social media messages,” Agari revealed.

Alternatively, fraudsters are attempting to spread malware and compromise IT environments by tricking recipients into opening an email attachment or clicking on a link to a corrupted web page.

“The attacker has a myriad of ways to commit fraud, install malware, seek out privileged access accounts, or obtain confidential information and valuable data,” the Agari brief warned.

Cybercriminals harvest personal data and learn specific company processes. Once armed with this information, they target selected employees with a spear-phishing email designed to gain access to confidential business information or persuade them to transfer money into an unknown account.

Increasingly, fraudsters are targeting specific individuals with sophisticated spoofs pretending to be from financial institutions, government departments and major brands. Often the emails will have “Attention,” “Important Notification” or “Your account has been revoked” in the subject line.

Two recent examples of so-called CEO fraud involved Ubiquiti Networks' finance department, which transferred $46.7 million into an overseas account held by external third parties, and a Mattel finance executive, who wired more than $3 million to the Bank of Wenzhou after the supposed new CEO requested a vendor payment.

Agari said countering this type of attack requires policies that ensure no one person or email can authorize transactions. A means of verifying any request for confidential or financial information is also necessary.

Spear phishing attacks, which attempt to steal valuable employee payroll information, also increased in the last year. The messaging app Snapchat hit the headlines when its payroll department handed over confidential information on current and former employees to a scammer impersonating the CEO. An isolated phishing email also led to Seagate Technology handing over the W-2 tax documents on all current and past employees.

In April, the IRS issued a warning about scam artists masquerading as official bodies and enticing people to click on links containing questions about their tax refund.

On both the enterprise and consumer side, ransomware is a steadily growing form of malware that effectively holds a user's device or files hostage.

Los Angeles' Hollywood Presbyterian Medical Center had its computers taken hostage by Locky ransomware. After being offline for a week, officials eventually paid $17,000 in Bitcoin to regain access to patient records.

The Michigan-based Lansing Board of Water & Light recently became the first public utility compromised by ransomware, which knocked the company's internal computer systems offline.

“The best defense against this increasingly popular crime is a good offense,” Agari recommended. That means keeping operating systems, firmware, software and applications patched and updated to limit vulnerabilities.

Agari suggested five steps to reduce risk:

  1. Collaborate among industry peers and law enforcement to share data and attack experiences.
  2. Plan for the worst-case scenario, engage expert security-industry support, fully exercise incident-response teams regularly, back up systems regularly and invest in cyberinsurance.
  3. Know your strongest assets by adopting the mindset of an adversary, and review the data stored within the enterprise to ensure strong controls, such as encryption, are in place.
  4. Take advantage of advanced, multi-layered security technologies to minimize risk of susceptibility to attack.
  5. Combine threat intelligence with open standards to ensure employees only interact with legitimate messages.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).