We’re back for our second ‘catches of the month’ feature of the new decade, where we review recent phishing attacks and help you understand the threat of cyber crime.
This month, we look at a school district that was scammed out of millions of dollars thanks to a phony invoice, an attack allegedly tied to the 2020 US presidential election, and a report that found that the number of phishing attacks being disclosed in the UK is on the rise.
Texas school district loses $2.3 million in phishing scam
Experts often say that it only takes one negligent employee to cause a data breach. That’s a lesson Manor Independent School District in Austin, Texas, won’t be forgetting in a hurry, after a staff member was tricked into handing over $2.3 million (about £1.8 million) to scammers.
The attack took place in November 2019, with several employees receiving phishing emails containing invoices supposedly from vendors.
Two similar emails came through in the following weeks, and in each case an employee paid the invoice without querying it.
The details of the scam are unknown, so it’s hard to say how much blame should be placed on the victim. Although many scams are rudimentary and should be picked up by anyone familiar with email fraud, others are very convincing, making it unfair to single out the email’s recipient.
We’d be inclined to give the victim the benefit of the doubt here. Surely anyone who is tasked with transferring large sums of money would have a decent understanding of phishing emails, and wouldn’t have followed through with the transfer unless they had a legitimate reason to think the invoice was genuine.
Either way, this incident demonstrates the perils of phishing scams. It’s often not enough to rely on employees memorising the guidance from staff awareness training courses. You might also need a fail-safe to prevent sophisticated scams.
For example, it might be worth adding a verification process whenever you receive a large invoice. This could be as simple as getting another member of staff to check it for authenticity, or as complex as using a second means of communication to confirm the invoice with the organisation that sent it.
Russians reportedly hacked Ukrainian firm at the centre of Trump impeachment scandal
In January, a US cyber security company claimed that Russian state-sponsored hackers infiltrated Burisma Holdings, the Ukrainian energy provider at the centre of the scandal that led to President Donald Trump’s impeachment.
Area 1 Security claims that Russian agents launched a phishing campaign last year that was intended to steal the login credentials of Burisma Holdings employees.
It’s not clear what the criminal hackers were looking for, but the timing suggests that they were seeking information that could damage Joe Biden, a Democratic presidential hopeful and main rival to Donald Trump in the upcoming election.
The US House of Representatives impeached Trump in December for abusing his power and enlisting the Ukrainian government to investigate Biden. A second charge accused Trump of obstructing a congressional investigation into the matter.
This isn’t the first time Russia has been embroiled in a situation like this. The military intelligence unit that’s allegedly tied to this scam was previously indicted for hacking emails from the Democratic National Committee and the chairman of Hillary Clinton’s campaign during the 2016 presidential race.
As with those attacks, this scam involved phishing emails that used fake domains from a third-party organisation – in this case subsidiaries of Burisma Holdings.
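As a defender-side illustration of the lookalike-domain technique mentioned above, here is an added example (not code from the original post, nor from Area 1 or Burisma) that flags sender domains impersonating a constructed allowlist of vendor and subsidiary domains; every domain name in it is a placeholder.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist standing in for a vendor and its subsidiaries
# (placeholders, not the real domains of any organisation named in the post).
TRUSTED_DOMAINS = {"vendor-holdings.com", "vendor-energy.com"}

# Substitutions seen in lookalike registrations: digits for letters, "rn" for "m".
# Note: digit folding also touches legitimate names that contain digits.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Fold a domain to a canonical ASCII-ish form so near-misses compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for bad, good in _SUBSTITUTIONS:
        folded = folded.replace(bad, good)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, domain) for a From: header: trusted, lookalike, unknown or malformed."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed", ""
    domain = addr.rpartition("@")[2].lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted", domain
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Homoglyph/digit swaps fold to the trusted name; typosquats sit within 2 edits.
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return "lookalike", domain
        # Trusted label reused under another parent, e.g. vendor-holdings.com.invoices-portal.net
        if trusted.split(".")[0] in domain.split("."):
            return "lookalike", domain
    return "unknown", domain


if __name__ == "__main__":
    for s in ["Accounts <ap@vend0r-holdings.com>", "Someone <x@unrelated-example.org>"]:
        print(classify_sender(s), "<-", s)  # constructed header values
```

Run the check on the From: header (and, separately, on Reply-To) of inbound invoices; a "lookalike" verdict is a trigger for the out-of-band confirmation step described earlier in the post.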
Area 1's CEO, Oren Falkowitz, said the timing of these attacks – just weeks before presidential primaries begin – highlights the need to protect political campaigns from targeted phishing attacks.
“This is a real specific, timely case that has real implications,” he said. “To discover it and potentially get out in front of it is a significant departure from what’s typical in the cyber security community, where someone just tells you, yeah, you’re dead.”
The number of disclosed phishing attacks in the UK skyrocketed in 2019
If you think there has been an uptick in the number of phishing incidents in the news recently, you’re not wrong. A new report has found that 1,080 phishing scams were reported in the UK in 2019, compared with just 877 the year before.
The figures, which are based on incidents reported to the ICO (Information Commissioner’s Office), represent a major shift in organisations’ approach to cyber security over the past couple of years.
Whereas once senior management would sweep cyber security incidents under the rug to avoid the reputational damage they might cause, they now accept that data breaches are something every business deals with.
Of course, the introduction of the GDPR (General Data Protection Regulation) has helped change their tune.
The new rules state that organisations must disclose incidents within 72 hours of becoming aware of them. Failure to do this can lead to hefty fines that far outweigh the negative feedback that can come with a security incident.
As this report shows, the GDPR’s notification requirements don’t only ensure accountability on a case-by-case basis. They also help give a more accurate big-picture view of the cyber security landscape.
After all, the additional 203 phishing incidents reported in 2019 don’t necessarily mean that there were more attacks that year; it simply means that we’re aware of more incidents and more vigilant in reporting them.
This is beneficial in the long term, because it proves just how prevalent the threat of cyber crime is, and helps those who might otherwise be sceptical of data protection reform understand its importance.
Spot a scam before it’s too late
Educate your staff on how to spot suspicious emails by enrolling them on our Phishing Staff Awareness E-Learning Course.
This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.