Whether you’re an individual or a person in a finance role such as accounts payable, accounts receivable, or payroll, you could be the target of phishing this tax season. Gone are the days of obvious spam messages filled with grammatical errors and “from” emails that are basically nonsensical. These days, bots and scammers have become extremely “human-like.” Phishing scams are harder and harder to distinguish from your everyday emails, often with just one letter or number out of place that’s hard to detect.
The Phishing Process
Our experts have noticed a spike in phishing-related email account takeovers. To help protect yourself from being compromised, they’ve put together the fairly consistent pattern they have seen these attacks follow.
For example, an attacker may gain access to the compromised mailbox of someone in a finance role. After that, the following takes place:
- Attacker looks through the mailbox for a history of transaction requests—ACH or wire payments, payroll requests, etc.—and figures out the responsibilities and routines of the mailbox owner.
- Attacker waits for an opportunity, intercepts an incoming email that is an expected transaction request, and manipulates or replaces the email with one that uses the attacker’s account number.
- Employee processes the request not realizing the account numbers have been changed.
- Attacker gathers all the email recipients this finance person has sent or received email from, who often are other finance people at other organizations.
- Attacker sends a phishing email to all these other finance people, generally something that links to a site that mimics Office 365 or otherwise prompts them to enter a password.
- Other finance people at other organizations fall for the ruse and give the attacker their password.
- The attacker has now gained access to more compromised mailboxes of people in finance roles, and the cycle repeats.
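Two defender-side checks against the pattern above, written here as an added Python example that is not from the original article: one flags a sender domain that is one edit or one look-alike character away from a known partner domain (the "one letter or number out of place" case), the other flags a payment request whose account number differs from the vendor record on file. The partner domains, vendor account and email addresses are constructed for illustration.

```python
# Added example, not from the original article. KNOWN_PARTNER_DOMAINS,
# VENDOR_ACCOUNTS and the addresses used are constructed for illustration.

# Domains this finance team legitimately exchanges transaction mail with.
KNOWN_PARTNER_DOMAINS = {"example-bank.com", "acme-supplies.com"}

# Bank account on file per vendor, verified out of band (phone call, not email).
VENDOR_ACCOUNTS = {"acme-supplies.com": "123456789"}

# Character swaps commonly seen in look-alike domains; normalised before comparing.
_CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def _normalise(domain: str) -> str:
    for fake, real in _CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender: str, known=KNOWN_PARTNER_DOMAINS):
    """Return the partner domain the sender imitates; None if exact or unrelated."""
    domain = _domain(sender)
    if domain in known:
        return None
    for k in known:
        if _normalise(domain) == _normalise(k) or _edit_distance(domain, k) == 1:
            return k
    return None


def account_changed(sender: str, account_in_email: str, records=VENDOR_ACCOUNTS) -> bool:
    """True when the requested account differs from the vendor record on file."""
    on_file = records.get(_domain(sender))
    return on_file is not None and on_file != account_in_email
```

A request that trips either check should be confirmed with the vendor by a phone number already on file, not by replying to the email.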
How to Avoid Phishing Attacks
As noted in the example, a simple trick of the eye or an intercepted email can lead to a phishing scam, one that’s often easy to miss. According to antiphishing.org, phishers typically include upsetting or exciting (but false) statements to get people to hand over their usernames, passwords, credit card numbers, Social Security numbers, date of birth, and other personal information. To protect yourself, be suspicious of any such communication that makes urgent requests for financial information.
Also, if you’re unsure of whether an email is a scam or not, always run it by your IT or help desk team. Such teams often have a “dummy” computer where they can open suspicious files or click through suspicious emails without compromising any information.
Lastly, if an email provides links, don’t click on them right away. Instead, type the URL into a new browser window to determine whether it leads to a legitimate site.
For more information on how to prepare yourself against cybersecurity threats, contact our cybersecurity team.
ABOUT THE AUTHOR
Kevin is the Director and Penetration Testing Lead at Sikich focusing on information security and compliance issues faced by financial institutions.