The story below is based on true events:
Monday at 5:00 pm - You are just leaving the office.
You make a slight detour on the way to your after-work event to stop by a store and purchase four iTunes gift cards with your corporate card. You then whip out your phone and send your boss photos of the codes by 6:20 pm, and are still able to make your event. You saved the day for your boss and helped him/her win over the new clients. Deep down you are hoping your part in this is remembered when raise/bonus evaluation time comes around. All is right in the world.
Tuesday Morning at 8:10 am - You are in the office and just grabbed your morning coffee.
The boss walks by your desk and says "Good Morning". You respond in kind and add, "How did the clients like the gift cards?" Your boss stops, turns to you and says "What are you talking about?"
It is at this point that you find out the e-mail was not from your boss: you were the victim of a spear-phishing e-mail. The cyber criminal stole the $1,000 you put on your corporate card and thought you would be reimbursed for.
Does this sound like a far-fetched story? It's not. It is safe to say that thousands of intelligent people around the world fall for this type of phishing campaign every day. Per the FBI's 2017 Internet Crime Report*, there were 25,344 reported phishing victims in the US alone in 2017. Keep in mind that most phishing attacks go unreported because the victim is embarrassed at having been tricked. Today's cyber criminals rely on human behavior over technical skill. They will use fear, greed, and people's good nature and helpfulness to try to defraud your employees and your business. Security awareness training is a very effective defense against phishing attacks and is fairly cheap. Speaking of awareness, let's get to it. Below are some tips on what this employee should have done to avoid becoming a victim:
Tips:
1.) If you get an e-mail from someone (such as your boss) and the request is unusual (i.e., not something they have ever asked you to do before), pick up the phone and call them on a number you know is valid. Also, if the e-mail is from the CEO or CFO and they most likely don't even know your name, they probably aren't asking you for a favor. That is a good time to forward it to your boss with your suspicions and ask him/her to look into it. Communicate outside the e-mail thread and use the chain of command to authenticate odd e-mail requests.
2.) Any e-mail asking you to buy something (typically iTunes, gift cards, or prepaid debit cards), transfer customer/employee data, or transfer funds (sending a wire, ACH, Western Union, Money Gram, etc.) needs to be independently verified by picking up the phone and calling the person on a number you know is valid (don't use any contact info in the e-mail that was sent to you).
3.) Cyber criminals know what your office hours are, so treat "Urgent" requests that arrive after hours as highly suspicious.
4.) As with #3 above, the cyber criminals know you will most likely be checking your work e-mail after hours on a mobile device. Most mobile phones only show the display name, not the actual e-mail address. That means they can send an e-mail from a Gmail account with your boss's, CEO's, or CFO's name as the display name, and your phone or tablet will show just that name, not the real address. Click on the display name to show the actual e-mail address. Even if it looks legit, still call. No one ever got fired or in trouble for verifying e-mail instructions that seem odd.
5.) Look for very short e-mail messages (with no details). Bad grammar and spelling are also common signs. In addition, watch for non-American English phrasing such as "I have a most urgent request" or "Kindly send me the gift card codes." Does your boss or CEO talk like that?
6.) Let's say you fell for it and realize it afterwards. Report it! You can still save the day. In this case, the employee should have notified the company's security officer or HR so that all the other employees could be warned about the scam and additional victims at the organization prevented. Secondly, he/she should have contacted Apple and had the codes deactivated. It wouldn't get the money back, but it would stop the criminals from getting it. When criminals see a good target, they will keep coming back. Try to ensure that their attack on you isn't profitable. That way they will seek an easier target next time and leave you alone.
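The tips above are things a person checks by eye, but the same red flags (an executive's name on an outside address, an after-hours "urgent" subject, a gift card or wire request, a very short message, "kindly" phrasing) can be scored automatically by a mail gateway or a helpdesk triage script so the message gets routed for a phone call before anyone acts on it. The following is an added example, not code from the original post; the corporate domain, the executive roster, the office hours and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic triage of a suspected executive-impersonation ("gift card") e-mail.

Added example: encodes tips 2-5 above as checks a mail gateway or helpdesk
script could run. CORPORATE_DOMAIN, EXECUTIVES, OFFICE_HOURS and the two
sample messages are constructed assumptions, not data from the post.
"""
import re
from datetime import time
from email import message_from_string, utils

CORPORATE_DOMAIN = "example.com"                 # assumed corporate mail domain
EXECUTIVES = {"jane doe", "john smith"}           # assumed executive display names (lower-case)
OFFICE_HOURS = (time(8, 0), time(18, 0))          # assumed local office hours
SHORT_MESSAGE_WORDS = 25                          # bodies shorter than this are "no details"

# Tip 2: purchase / funds-transfer vocabulary (word-bounded to avoid matching "reach" for "ach")
PAYMENT_RE = re.compile(
    r"\b(gift cards?|itunes|prepaid|wire transfer|wire|ach|western union|money ?gram)\b", re.I)
# Tip 5: phrasing that is unusual for American business English
PHRASING_RE = re.compile(r"\b(kindly|most urgent)\b", re.I)


def _plain_body(msg) -> str:
    """Collect the text/plain content of a single- or multi-part message."""
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw: str) -> dict:
    """Return the heuristic flags raised for one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    display, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []

    # Tip 4: an executive's name in the display name, but the address is not on our domain
    if display.strip().lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        flags.append("exec-name-external-address")

    # Tip 3: sent outside office hours (local time of the sender's Date header)
    sent = utils.parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    if sent is not None and not (OFFICE_HOURS[0] <= sent.time() <= OFFICE_HOURS[1]):
        flags.append("after-hours")
    if "urgent" in msg.get("Subject", "").lower():
        flags.append("urgent-subject")

    body = _plain_body(msg)
    if PAYMENT_RE.search(body):          # Tip 2
        flags.append("payment-request")
    if len(body.split()) < SHORT_MESSAGE_WORDS:  # Tip 5
        flags.append("short-message")
    if PHRASING_RE.search(body):         # Tip 5
        flags.append("unusual-phrasing")

    # Any flag means: stop, and verify on a phone number you already know is valid.
    return {"from": addr, "flags": flags, "verify_by_phone": bool(flags)}


# Constructed sample resembling the story above (not a real message).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe.ceo1234@gmail.com>
To: you@example.com
Date: Mon, 05 Mar 2018 19:42:00 -0500
Subject: Urgent

I need you to get 4 iTunes gift cards for some clients, kindly send me the codes asap.
"""

# Constructed sample of an ordinary internal request from the same executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: you@example.com
Date: Tue, 06 Mar 2018 09:15:00 -0500
Subject: Q2 planning deck

Hi, could you pull together the Q2 planning deck draft we discussed in yesterday's staff meeting? The template is on the shared drive under Finance/Planning. No rush, end of week is fine. Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The script only raises flags; the action on any flag is the one the post already gives, a phone call to a number you know is valid. Run over the two constructed samples, the spoof raises all six flags and the ordinary request raises none.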
Be Secure!
Link to the 2017 FBI Internet Crime Report
* https://pdf.ic3.gov/2017_IC3Report.pdf