Catches of the month: Phishing scams for August 2019

Your employees receive an average of 4.8 phishing emails every week. Almost a third of these make it past default security systems, leaving your organisation in a permanently perilous situation.

There’s plenty of advice on how to spot phishing scams, but without any real-world examples that explain how they work, it can be easy to see the threat as purely theoretical.

That’s why we’ve decided to review phishing attacks in practice. Each month, we’ll look back at recent scams, explaining how they tricked people and what the organisations should have done to protect themselves.

So, for the first time, let’s take a look at the catches of the month:

  1. Lancaster University students’ personal data stolen in phishing attack

Students and undergraduate applicants to Lancaster University had their personal details stolen in a pair of breaches that were disclosed on 22 July 2019.

The first incident was a relatively straightforward scam involving a bogus invoice. It’s not known exactly how the invoice led to the breach, only that the criminals managed to siphon off the names, addresses, telephone numbers and email addresses of students who had applied to study at the university in 2019 and 2020.

The second attack targeted the university itself, with criminal hackers accessing the student records system and the details of a “very small number” of current students.

Lancaster University didn’t disclose the details of this scam, but we’d wager that it involved spear phishing, in which fraudsters target a specific individual to lend credence to their attack.

In this case, the criminal hacker would have used a compromised applicant’s account to identify and target a university employee with access to the student records system.

What’s the lesson?

Universities are a prime target for phishing scams, because they process vast amounts of personal data and often have insufficient cyber security measures.

A report by Jisc released earlier this year exposed just how poor UK universities’ cyber security defences are. The organisation hired ethical hackers to test the security systems of 50 universities, and they compromised every institution in under two hours.

The breach at Lancaster University is just one instance of targeted attacks like this. The methods the fraudsters used are typical of phishing scams, so staff should have been able to spot the signs.

That they didn’t suggests the university doesn’t teach its staff how to identify phishing emails or that those lessons weren’t effective.

  2. Hackers publish list of stolen Discord credentials

A few weeks ago, a group of criminal hackers published a list of about 2,500 email addresses and passwords that they had obtained from users of the gaming chat platform Discord.

The scam begins with a direct message from someone in the victim’s friend list or group chat, or someone on the same server.

The messages can take many forms. Twitter user @SplatterShah shared two examples:

[Image: Phishing Scam 1]

[Image: Phishing Scam 2]

In both examples, the messages contain what appears to be a legitimate Discord link but with one small difference. Discord uses “.gg” – the top-level domain for Guernsey, which is often used by game companies because it’s also a commonly used abbreviation for “good game”, a phrase used by players to concede defeat.

However, the scammers use the domain “.ga”, which looks similar but is the top-level domain for Gabon.

Those who click the link are directed to a facsimile of Discord’s login page, tricking users into providing their login details. Once you ‘log in’, a bot takes over your account and locks you out.

The bot uses the compromised account to access the information on your Discord account, then sends malicious links to other people to allow the scam to propagate.
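The “.gg”/“.ga” swap described above can be checked for mechanically. The following is an added example, not code from the original article or from Discord: it flags links whose domain carries a trusted name on the wrong top-level domain or differs from a trusted domain by one character. The trusted-host list and function names are assumptions, and treating the last two labels as the registrable domain is a simplification.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this deployment accepts as genuine Discord links.
TRUSTED_HOSTS = ("discord.gg", "discord.com", "discordapp.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):  # Levenshtein distance, one DP row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: treat the last two labels as the registrable domain.
    name, tld = labels[-2], labels[-1]
    for trusted in TRUSTED_HOSTS:
        t_name, t_tld = trusted.split(".")
        # Right name on the wrong TLD (discord.ga), or a one-character typo.
        if (name == t_name and tld != t_tld) or edit_distance(f"{name}.{tld}", trusted) <= 1:
            return "lookalike"
    return "unrelated"

def scan_message(text):
    """Return [(url, verdict)] for every http(s) link in a chat message."""
    results = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority such as a broken IPv6 literal
            host = ""
        results.append((url, classify_host(host)))
    return results

# Constructed sample messages, not taken from the screenshots in the article.
SAMPLE = ["join us https://discord.gg/example", "free gift https://discord.ga/example"]

if __name__ == "__main__":
    for message in SAMPLE:
        print(scan_message(message))
```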

What’s the lesson?

There’s a lot that organisations and individuals can take away from this incident. The fraudsters were eager to point out Discord’s poor security practices in a message they posted on their website:

“This was no virus, worm or malware of any sort – it was simple old phishing site that utilized Discord’s own moronic API to hijack these accounts.”

Experts often focus on the fact that phishing exploits human weaknesses, but as the criminal hackers suggest, organisations should implement technological solutions to protect individuals.

Meanwhile, users need to be vigilant when it comes to suspicious links and use whatever tools they have at their disposal. For example, Discord gives individuals the choice to set up two-factor authentication.

Using this gives you an added layer of protection for your account and prevents fraudsters from compromising your account by stealing login credentials alone.

  3. Texas health facility avoids disaster following email scam

Staff at Wise Health System in Decatur, Texas, recently received a phishing email that attempted to steal their login credentials.

Multiple employees fell for the scam, giving the fraudsters access to the organisation’s systems. They went straight for the payroll database, where they attempted to redirect about 100 payroll direct deposits.

For many organisations, this would have spelled disaster, but Wise Health had policies in place that required paper checks to be printed and reviewed for two successive payrolls following a change to direct deposit information.

The organisation noticed that the number of redirected payments was unusually large and suspended the payments.
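The control described above, sketched as an added example (not Wise Health’s system or code from the article): any employee whose direct-deposit details changed is paid by reviewed paper check for the next two payroll runs, and a run with an unusually large number of held payments is flagged for suspension. The threshold, dates, employee ids and function names are assumptions constructed for illustration.

```python
from datetime import date

HOLD_RUNS = 2         # from the article: paper checks for two successive payrolls
ALERT_THRESHOLD = 10  # assumption: held payments per run that count as "unusually large"


def runs_since_change(run_dates, run_index, changed_on):
    """Count payroll runs, up to and including this one, dated on or after the change."""
    return sum(1 for d in run_dates[: run_index + 1] if d >= changed_on)


def plan_run(run_dates, run_index, last_change):
    """Return (held, suspend) for the run at run_dates[run_index].

    last_change maps employee id -> date their direct-deposit details last changed.
    held is the sorted list of employees paid by reviewed paper check this run;
    suspend is True when so many payments are held that the run needs investigating.
    """
    held = sorted(
        emp for emp, changed_on in last_change.items()
        if 1 <= runs_since_change(run_dates, run_index, changed_on) <= HOLD_RUNS
    )
    return held, len(held) >= ALERT_THRESHOLD


# Constructed sample data: fortnightly runs, two routine changes, then a burst
# of 100 changes on one day (the article says about 100 deposits were redirected).
RUN_DATES = [date(2019, 5, 3), date(2019, 5, 17), date(2019, 5, 31), date(2019, 6, 14)]
CHANGES = {"emp-001": date(2019, 4, 29), "emp-002": date(2019, 5, 20)}
BURST = {f"emp-{n:03d}": date(2019, 6, 10) for n in range(100, 200)}

if __name__ == "__main__":
    for i, run in enumerate(RUN_DATES):
        held, suspend = plan_run(RUN_DATES, i, {**CHANGES, **BURST})
        print(run, len(held), "held", "SUSPEND" if suspend else "ok")
```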

What’s the lesson?

This incident is a perfect example of how organisations should respond to phishing attacks. You can’t guarantee that employees won’t fall victim, so you should have a plan for when a breach occurs.

Wise Health identified the risk to payroll data and the likelihood that fraudsters would attempt to redirect payments, and implemented a simple process to spot when that happened.

But that wasn’t all it did. Following the incident, Wise Health also required all its employees to change their passwords and hired two third-party forensic teams to investigate the incident.

These measures ensured that the fraudsters no longer had access to the organisation’s systems, and helped identify any other compromises that might have occurred.

Wise Health was informed that it was unlikely that the attackers accessed patient data but couldn’t rule it out. As such, it contacted the 36,000 people in its database to warn them about potential misuse.

Patients were also offered free one-year membership to an identity protection service, covering insurance, credit monitoring and identity theft recovery.

Protect your organisation’s front line

As we’ve shown here, there are many ways you can fall victim to phishing scams and just as many ways to protect yourself.

However, the common denominator is always your staff. They are the ones who are targeted, and once they open a phishing email, the only thing preventing a data breach is their ability to spot that it’s a scam.

Fortunately, there are always clues that reveal the true nature of malicious emails, and our Phishing Staff Awareness E-Learning Course teaches you how to spot them.

This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.
