Catches of the month: Phishing scams for March 2020

Want to learn about the latest phishing scams? Our ‘catches of the month’ feature investigates the most prominent email attacks across the web, explaining how they occurred and the lessons you should learn.

1. Ordnance Survey hack exposes the details of 1,000 employees

Ordnance Survey has confirmed that the email account of its CFO (chief financial officer) was hacked, exposing 1,000 employees’ personal details, including up to four who had their bank details compromised.

The UK’s national mapping agency says it discovered the breach during an IT check in January and quickly addressed the issue.

However, the attacker had already accessed the payroll files – which they were able to do after scamming the CFO.

Ordnance Survey reported the breach to the ICO (Information Commissioner’s Office), which has concluded its investigation and confirmed that it will take no further action.

Malcolm Taylor, the director of cyber security at ITC Secure, said:

“On the face of it this seems to have been handled well.

“The relevant authorities have been informed, and staff have been kept informed and offered help to manage their identity risks; a reminder that security is also about the response, and that the ICO also look at how an organisation responds should a breach occur.”

Jake Moore, a cyber security specialist at ESET, added: “We all like to think that we’re not susceptible to social engineering or manipulation, but the truth is that even intelligent, self-aware people still get caught up in online scams that can have very damaging consequences.”

This incident highlights an essential, but often overlooked, issue concerning phishing scams: it’s easy to dismiss victims as naïve, but anyone can fall victim.

It only takes one error of judgement for an entire system to be compromised, something that can easily happen if an employee is stressed or not paying full attention.

Ordnance Survey’s response to the breach suggests it has a strong incident response plan in place.

Likewise, the results of the ICO’s investigation indicate that the organisation does a good job mitigating the risk of breaches – which presumably includes staff awareness training on how to spot phishing scams.

2. Puerto Rico government scammed out of $2.6 million

Puerto Rico’s Industrial Development Company has lost more than $2.6 million (about £2 million) after an employee fell for a phishing scam.

The fraudulent email said that there had been a change to a bank account used for remittance payments, and asked the government agency to transfer money into it.

Manuel Laboy, the executive director of the island’s Industrial Development Company, confirmed that, following an internal investigation, three employees were suspended – one from his agency and two from the island’s Commerce and Export Company, which was duped out of $63,000 in the same scam.

He added that the FBI was able to freeze the money sent, which involved public pension funds.

3. US cable TV provider suffers major breach

More than 12,000 current and former employees at the cable TV provider Altice USA have had their personal data compromised after a cyber criminal gained access to the organisation’s systems.

The compromised data included names, dates of birth and Social Security numbers. A small number of customer records were also exposed in the incident, which began in November when a scammer gained access to employee account credentials.

They used this information to access databases containing the personal data.

Altice USA says it’s planning to train all employees on how to recognise and avoid phishing emails.

That’s right: the organisation previously had no formal phishing staff awareness programme.

For a business with nearly 5 million customers, that’s mind-boggling. Phishing is one of the biggest threats organisations face, and staff awareness training is essential for preventing breaches.

How can you spot a scam?

As these incidents show, phishing attacks can take many forms, but all are conducted to trick victims into handing over sensitive information or installing malware.
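The Puerto Rico case above is a classic payment-redirection scam: a message that claims a supplier's bank details have changed and asks for the next remittance to go to the new account. The script below is an added example written for this article, not code from the article or from any of the organisations named in it. It triages a raw email for the clues such a message usually carries: a Reply-To domain that differs from the From domain, a sender domain that closely resembles a domain the finance team actually pays, failed SPF/DKIM/DMARC results in the Authentication-Results header, and body text that combines a request to change bank or remittance details with urgency language. The trusted-domain list, the two sample messages and the similarity threshold are all constructed assumptions for illustration.

```python
"""Heuristic triage of a suspected payment-redirection (BEC) email.

Added example for illustration; not from the original article. The trusted
domain list, sample messages and thresholds below are constructed assumptions.
"""
import re
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import List, Optional

# Assumption: domains of suppliers this finance team genuinely pays.
TRUSTED_DOMAINS = {"example-supplier.com", "bank.example"}

# A change-of-details request: "new/updated/changed" near a payment noun.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,60}\b(bank|account|remittance|wire|routing)\b",
    re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|today|as soon as possible|asap)\b", re.I)


def domain_of(header_value: str) -> str:
    """Return the lowercased domain part of the address in a header value."""
    _, addr_spec = parseaddr(str(header_value))
    return addr_spec.rpartition("@")[2].lower()


def lookalike(domain: str, trusted) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles but is not."""
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t
    return None


def triage(raw: bytes) -> List[str]:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")

    hit = lookalike(from_dom, TRUSTED_DOMAINS)
    if hit:
        flags.append(f"From domain {from_dom} resembles trusted domain {hit}")

    # Authentication-Results is stamped by the receiving MTA; anything but
    # "pass" for spf/dkim/dmarc is worth a look on a payment-related mail.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech} result is {m.group(1)}")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if PAYMENT_CHANGE.search(text):
        flags.append("body requests a change of bank/remittance details")
    if URGENCY.search(text):
        flags.append("body uses urgency language")
    return flags


def is_suspicious(raw: bytes) -> bool:
    """Simple decision rule: two or more independent red flags."""
    return len(triage(raw)) >= 2


# Constructed sample: lookalike sender, mismatched Reply-To, failed auth, BEC lure.
SUSPICIOUS_SAMPLE = b"""From: Accounts <accounts@example-suplier.com>
Reply-To: Accounts <accounts@mail-relay.invalid>
To: payments@agency.example
Subject: Updated remittance details
Authentication-Results: mx.agency.example; spf=softfail smtp.mailfrom=example-suplier.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Hello,

Please note our bank account has changed. Send this month's remittance
to the new account below as soon as possible.
"""

# Constructed sample: genuine supplier, authenticated, ordinary invoice.
BENIGN_SAMPLE = b"""From: Accounts <accounts@example-supplier.com>
To: payments@agency.example
Subject: Invoice for March
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=example-supplier.com; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached is the invoice for March.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", is_suspicious(sample))
        for flag in triage(sample):
            print("  -", flag)
```

None of these signals is conclusive on its own (a legitimate supplier may use a ticketing system with a different Reply-To, and SPF soft-fails are common after mail forwarding), which is why the decision rule requires more than one. The control that actually stops this class of fraud is procedural rather than technical: any change to beneficiary bank details is confirmed by calling the supplier on a number already on file, never one taken from the email.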

You can make sure your staff know how to identify and avoid scam emails with our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

Learn more