Welcome to our November review of phishing scams, in which we examine the latest campaigns and the tactics being used by cyber criminals to fool you into handing over your information.
This month, we look at a recent report on the cyber security risks associated with our phones, and delve into a pair of organisations that were targeted by fraudsters.
Phishing attacks are harder to spot on your smartphone
Cyber security experts warned this week of a surge in smishing attacks – i.e. phishing attacks designed to be read on people’s phones.
Lookout’s Energy Industry Threat Report noted that the energy sector is a particularly lucrative target for fraudsters, because it provides vital services that, if compromised, could result in significant damage to both the organisation and the wider community.
According to the report, the sector was twice as likely to fall victim to a phone-based attack as any other industry.
But it’s not just energy suppliers that need to be concerned. Fraudsters are increasingly tailoring phishing emails towards mobile devices, because doing so gives them a greater chance of success.
For example, the smaller screen means it may be harder to spot spelling and grammatical errors, and the layout makes it harder to review the sender’s email address and check links.
Moreover, phishing often preys on people being distracted, and the fact that someone is checking their emails on their phone suggests they aren’t fully concentrating on work. Perhaps they are on the go or waiting for someone, and look at their emails in a rush.
However, doing so means you are more likely to be caught off guard and could expose yourself to a scam.
The use of mobile devices to check work emails increased during the pandemic, as the boundaries between work and private life merged. Employees have been more likely to work more flexible hours, then use their phone to check for urgent messages while they’re away from the office.
As such, organisations must reconsider their approach to cyber security and mobile phone use. It probably isn’t practical to ban employees from using them for work purposes, but it may be possible to implement phone-related policies and technology to protect employees.
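The two checks that are awkward on a small screen, comparing the sender’s display name with the address behind it and the visible link text with where the link actually goes, can be done for the reader by a mail gateway or a “report phishing” tool. The Python script below is an added illustration, not code from the original post; it parses a constructed sample message (all domains are hypothetical .test names) and flags both kinds of mismatch. The base_domain helper is a deliberately crude stand-in for a public-suffix lookup.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample, not a real phishing email: the display name claims to be a bank, the
# address is on an unrelated domain, and the link text shows a domain the href does not go to.
SAMPLE_EML = """\
From: "Example Bank Alerts" <alerts@bulk-mailer.test>
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<p>Please confirm your details at
<a href="https://login.verify-account.test/">https://www.example-bank.test/</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):  # last two labels; crude stand-in for a public-suffix lookup
    return ".".join(host.lower().split(".")[-2:])

def check_message(raw):
    """Return (code, detail) findings for sender/link mismatches in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    sender_domain = base_domain(addr.rsplit("@", 1)[-1])
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    findings = []
    for href, text in collector.links:
        target = base_domain(urlparse(href).hostname or "")
        if "." in text and not any(c.isspace() for c in text):  # visible text looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if base_domain(shown) != target:
                findings.append(("LINK_TEXT_MISMATCH", f"text shows {shown}, href goes to {target}"))
        if target != sender_domain:  # message claims one sender, links somewhere else
            findings.append(("LINK_OFF_SENDER_DOMAIN", f"{name!r} <{addr}> links to {target}"))
    return findings
```

Running check_message(SAMPLE_EML) reports both findings; an empty list means nothing was flagged.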
Centre for Computing History apologises after employee falls for phishing scam
The Centre for Computing History, a museum based in Cambridge, has apologised after a member of staff fell victim to a phishing scam.
It recently revealed that an email address used to book tickets from its website received a scam email that claimed to be from HSBC. After compromising the organisation’s customer datafile, the attackers were able to access names, addresses, email addresses, the products that customers bought and the events that visitors attended.
“Our investigation has revealed that our online customer datafile has been compromised and the email addresses contained within are now in the hands of spammers,” said the organisation’s CEO, Jason Fitzpatrick, in a letter to visitors.
The Centre called the incident “embarrassing” but confirmed that no payment card information was exposed.
“We take security and your data extremely seriously, but sadly no online system can claim to be 100 per cent secure and we have been caught out. However, we have immediately made updates to our security system and blocked the way in which the data was accessed,” Fitzpatrick added.
The ICO (Information Commissioner’s Office) was notified of the incident and is expected to investigate for potential regulatory violations.
Next Level Apparel notifies patients of phishing attack
The US-based retailer Next Level Apparel announced last month that it had fallen victim to a phishing scam that compromised an array of sensitive details.
Customers’ names, Social Security numbers, financial account numbers, payment card details, driver’s licence numbers and health information were all compromised in the attack.
Although Next Level Apparel hasn’t confirmed how many people were affected by the incident, the sensitivity of the compromised data makes this a noteworthy incident regardless.
Notably, the breach demonstrates the dangers of processing extensive information without implementing additional safeguards. You would typically expect to see payment card details and health records either segregated in a database that’s available only to approved personnel, or else encrypted within the database.
Next Level Apparel said it has started posting letters to victims for whom it had address information. It has also set up a call centre to answer questions from anyone concerned about the incident.
Additionally, Next Level Apparel conducted an internal investigation, discovering that the fraudster had access to the data from 17 February 2021 to 28 April 2021.
Can you spot a scam?
Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.
This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.