Our bank details have changed...
Or maybe not? This could have been in an email from firstname.lastname@example.org (instead of email@example.com). And if you had not paid attention, all your payments to us would have gone to the bank account of a fraudster.
Think it will never happen to you? These so-called phishing e-mails happen more often than you think. According to a recent report from Europol's European Cybercrime Centre, (spear) phishing occurs in almost two thirds of all cyber security incidents.
Phishing is a form of online fraud in which the fraudster deceives a victim by means of official-looking e-mails and/or websites, which usually "angle" for login data or payment card data. An interesting fact is that the term phishing is a composition of fishing (angling) and phreak (phone + freak: hacker of telephone exchanges).
The following types of phishing also affect SMEs
In the case of bank phishing, a fraudulent sender tries to trick you into sharing your personal, financial or security information: bank account numbers, card numbers and PIN codes. By copying the logos and layout of real e-mails and using compelling language and/or deadlines, fraudsters try to convince you to download an attachment or click on a link. The attachments often contain malware, while the links often lead to a fraudulent copy of an official website (e.g. e‑banking). Either way, the fraudster is trying to steal your login data.
In the case of Business Email Compromise (BEC), also known as CEO fraud, an employee who is authorised to make payments is misled into paying a counterfeit invoice. Or an e-mail purporting to be from the CEO asks you to transfer funds from the business account to the account of a fraudster.
In the case of invoice fraud, someone pretends to be your supplier, service provider or creditor and either sends a counterfeit invoice or asks for the bank details of a known beneficiary to be adjusted, so that payments for future invoices arrive in the fraudster's account.
In the case of smishing (SMS + phishing), fraudsters send you a text message with a link to a fake website. In the case of vishing (voice + phishing), they even call you in an attempt to obtain personal, financial or security data, or to get you to transfer money to them.
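Two of the patterns above, the lookalike sender address from the opening paragraph and the invoice-fraud request to change a beneficiary's bank details, can be caught by a simple mail-screening rule before a payment is ever released. The following is an added example written for this article, not code from Vandelanotte or from the original page. It assumes a constructed list of trusted supplier domains and a few constructed sample messages; the thresholds and keyword lists are illustrative choices, not a recommendation from the page.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains the company legitimately exchanges
# payment information with. A real deployment would load these from a
# vetted supplier register.
TRUSTED_DOMAINS = {"example.com", "supplier-example.com"}

# Constructed keyword lists: a message counts as a "bank-detail change request"
# when it mentions a payment identifier AND a change verb.
BANK_TERMS = ("bank details", "account number", "iban", "beneficiary")
CHANGE_TERMS = frozenset({"changed", "new", "update", "updated"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean the domain is one typo or glyph swap
    away from a trusted one (e.g. 'supp1ier' for 'supplier')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    display, _ = parseaddr(from_header)
    # Display name borrows a trusted organisation name while the address lives elsewhere.
    if any(t.split(".")[0] in display.lower() for t in trusted):
        return "spoofed-display-name"
    if any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


def assess_message(from_header: str, subject: str, body: str) -> dict:
    """Decide what the mail gateway or accounts-payable workflow should do."""
    text = f"{subject} {body}".lower()
    words = set(re.findall(r"[a-z]+", text))
    asks_bank_change = any(term in text for term in BANK_TERMS) and bool(words & CHANGE_TERMS)
    sender = classify_sender(from_header)
    if asks_bank_change and sender != "trusted":
        action = "block-and-verify"
    elif asks_bank_change:
        # A genuine supplier mailbox can itself be compromised, so bank-detail
        # changes are confirmed by phone on a number already on file, never via the mail.
        action = "verify-out-of-band"
    elif sender in ("lookalike", "spoofed-display-name"):
        action = "quarantine"
    else:
        action = "deliver"
    return {"sender": sender, "bank_change_request": asks_bank_change, "action": action}


# Constructed sample messages (From header, subject, body).
SAMPLES = [
    ("Accounts <invoices@supplier-example.com>", "Invoice 2024-17",
     "Please find attached invoice 2024-17."),
    ("Accounts <invoices@supp1ier-example.com>", "Our bank details have changed",
     "Please use the new IBAN for all future payments."),
    ("Example CEO <ceo@mail-example.net>", "Urgent transfer",
     "Move the balance to the account below today."),
    ("Supplier Example <invoices@supplier-example.com>", "Updated beneficiary details",
     "Our beneficiary account number is now different; see attached."),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLES:
        print(f"{frm:50} -> {assess_message(frm, subj, body)}")
```

The rule deliberately treats a bank-detail change from a trusted domain as something to confirm by phone rather than to deliver: the invoice-fraud scenario above works just as well from a genuinely compromised supplier mailbox as from a lookalike one.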
The above examples prove once again that the human link remains a worthwhile target for cyber criminals. Security awareness training (resilience training) for all employees (including management) remains important but needs a remake that makes the whole thing more attractive and clearer than the old greyscale PowerPoint presentations.
For resilience training including phishing testing, more info and further questions about phishing or cybersecurity in general, you can always contact Vandelanotte Security & Privacy via firstname.lastname@example.org. We will discuss your questions or concerns with you and propose a personalised range of services.
We base our advice on current legislation, interpretations and legal doctrine. This does not prevent the administration from being able to challenge it or to change existing interpretations.