Cyber Criminals…They’re Still Smarter Than You

By Kelsey Neisen

In 2017, it is assumed nearly everyone who uses a computer understands the purported common sense steps of cyber security and protecting their sensitive data. Install anti-virus software on your computer. Don’t click on the suspicious link in that email. Don’t send sensitive data such as social security numbers and birth dates via email. Change your passwords for online accounts every few months. And, no, you will not automatically receive a $260 gift card to Wal-Mart for answering some survey questions and supplying your name, email, phone number, and address to a website with flashing dollar signs.

Yet, some of us still fall victim to these simple, yet effective scams. A prince wishes to liberate his trapped money from the Central Bank of Nigeria and give the you a cut of the fortune, if only the you will pay the fees and taxes. For a $3,000 processing fee, you can receive millions from a lottery you never entered. With just your computer, you can make millions, but you have to disclose your PayPal account details to start receiving those big payouts!

As a banker, perhaps you have met with shaken victims of these types of crimes. Maybe you have been forced to explain to an elderly customer that they have not won the lottery, and the money they sent in to pay the “distribution fees” is gone. Perhaps you have had to tell a young, financially strapped customer excited about their first well-paying job as a “personal assistant” that the Western Union from their employer they deposited in their account and then transferred to another foreign account was not legitimate, and they are now liable for the lost money and under investigation for money laundering.

The most widespread online scam, though, is phishing. Criminals trick victims into divulging anything from login credentials for their social media pages to their Social Security Number or bank account information. Most often, the criminals trick their victims by claiming their account was hacked and directing them to a fake website where they will innocently enter their information. They won’t know anything is amiss until they find strange activity on their social media pages or a couple hundred dollars missing from their bank account.

This method of phishing is quickly becoming more effort than profit for criminals. Fewer victims respond to the emails, and anti-virus software often blocks the phony website or thwarts the installation of malware. So, like we have so often witnessed in the world of cybersecurity, the criminals must adapt, and they’ve adapted very well.

Instead of sending mass emails out and hoping just a few victims will respond, criminals now target a specific victim to obtain mass amounts of sensitive, personal information. First, criminals research a company and choose a victim from that company’s human resources or payroll department. Next, the criminal will send an email to their target that appears to be from a company executive requesting sensitive documents, such as their employees’ W-2 forms.

Sounds way too simple, right? How could anybody with access to that type of sensitive information not know the difference between a spoofed email and a legitimate email from their own company’s executives? Well, according to a compilation of cyber breaches listed on websites such as the Identity Theft Resource Center and Privacy Rights Clearinghouse, criminals have succeeded in obtaining personally identifiable information (PII) using phishing techniques approximately 106 times since January 1, 2017 to the time of this article’s creation on March 23, 2017. Over 51,000 individuals’ records have been breached, and many breach events listed “Unknown” beneath their “Number of Records Breached” section.

Do the math. That means someone is falling for this simple scam nearly every day.

So how are the criminals making this look so easy? For one thing, if you look up “how to spoof an email” on Google, you come with plenty of disturbing results. I am a person of average computer skills, but I found a very nice WikiHow tutorial (fourth option down, by the way) that I easily could have followed and achieved the desired results. But let’s just assume that our criminals already know how do this, and do it well enough to get past spam filters.

Next, I’m going to pick my target. I decided to look for a mid-sized company, one that was large enough so it wasn’t likely the human resources or payroll employees regularly spoke with their executives. I settled on a school district with approximately 3,000 employees and multiple buildings. Then I found a convenient “Staff Directory” link on the school district’s website which provided search fields for employees’ last name, first name, the building they worked at, or their position. I typed “Payroll” into the “Position” search field and clicked “Search.” I received two results, one for a Payroll Assistant, and one for a Payroll Manager, each with phone numbers, name, and the building in which they worked. The “Email” link brought me to a comments page that did not reveal their exact email addresses, but another quick Google search revealed that information.

I now have the receiver of the email. We’ll call him Mr. Bob. So, who should my disreputable email be from? Well, I thought the superintendent would be a good choice, so I looked that person up. We’ll call her Ms. Susie. Easy. Now, how to craft my email?

I needed to know how the emails from this company were formatted in order to create one that looked authentic and fool my victim. Obviously, I could not literally follow through with the final portion of my research, but if I were a criminal, I would email (using an email created especially for this purpose) a request for more information on open positions to one of the six Human Resources employees. I imagine I would receive a response within a couple of days, and now I know what my email should look like. A logo here, contact information there, Cambria 12-point text, and I’ve got it 

Lastly, I compose a request from Ms. Susie to Mr. Bob for all of the school district’s employees’ W-2 forms. I disguise the email’s address like Ms. Susie’s and send it off to Mr. Bob. If my ruse worked, I will receive the employees’ W-2 forms in a few hours, depending upon Mr. Bob’s promptness. If I receive the information I requested, I can sell the records on Black Market websites.

How long did this take me? About an hour to gather all the information I needed, including a few interruptions from my boss. It might take a day or two for a HR employee to respond to my bogus request for more information on open positions, and then another hour or so to format an email to look like it came from a legitimate source. If I’m an experienced criminal, disguising the email address will not take long at all.

For criminals, phishing is a simple, sound solution. This method of phishing, called “spear phishing,” is low-risk and has proven high-reward in recent months. Evidently, many businesses—schools, financial institutions, merchants, healthcare providers—find these fraudulent emails difficult to spot. So why does it matter to the banking industry, and how do we stop it?

It matters to bankers because, 1) You and your bank could easily become a victim and damage your reputation, and 2) Your customers may face identity theft if their PII is stolen by these scammers. The first step in battling these criminals is recognizing the problem. Here are a few simple tips that can help you and your customers avoid becoming a victim:

 

  1. Inform your staff and your customers! If they know about this new spear phishing scam, they are more likely to be suspicious of emails asking for PII and avoid aiding in an embarrassing breach.
  2. When in doubt, ask. If you or your staff receive an email from an executive requesting PII, pick up the phone and call that executive to make sure it was really them making the request.
  3. Make sure your spam filters are up-to-date and upgraded. It may not stop everything if you’re facing a talented con-artist, but it certainly helps!
  4. Consider limiting the contact information of some employees. If it is not necessary for their contact information to be publicly available, remove it. If criminals can’t access your employees, they can’t use them.

 

Recognize the red flags. Remain familiar with cyber criminal’s newest tactics. Protect yourself, protect your bank, and protect your customers.