After what seems like a lifetime of technology exposure, I still become saddened, but not surprised, when I hear about someone falling victim to a phishing attack. Most medium to large businesses, if not all, have invested heavily in employee awareness training as a means to improve their cybersecurity posture. Unfortunately, most companies still fall victim to cybercrime because human beings remain the weakest point in an organization's security. Even after several years of massive training campaigns and billions of dollars spent on training and awareness, human beings and their behavior still prove to be the weakest link in a business's security.
Throughout December 2021, nearly 500 customers of OCBC Bank fell victim to a successfully executed SMS phishing attack, which cost bank customers $8.5 million in total. The campaign began with spoofed text messages impersonating OCBC Bank, telling customers that "they must conduct an account security check immediately. Otherwise, the account will be locked. Please Browse". The SMS included a link after the words "Please Browse," suggesting that users click it to perform the security check required to unlock their bank account. Victims who clicked the link were directed to a spoofed bank login page, where they unknowingly and inadvertently handed over the keys to their financial kingdom. Customers only discovered they had been scammed when they received notification of unauthorized transactions charged to their accounts. The amounts stolen from each customer ranged from $3,000 to $500,000. The losses are tragic, even more so given the magnitude and timing of the attack: many families could not celebrate Christmas or see loved ones as a result. In addition, the local police investigating stated that "It's challenging and difficult" to recover funds once they have been "fraudulently transferred out of the victim's bank account," which means many of the victims and their families will never see those funds again.
SMS phishing is not new, novel, or emerging, although it has not been used as widely as email phishing. A common variant is a text message to a lower-level employee from someone claiming to be their CEO. Criminals use social media sites like LinkedIn to research a business and pick their ideal victims within the target company, and employee contact data can be found through a myriad of data sources. If you've ever posted a resume online, some of your contact data is probably publicly available. Regardless of title or seniority, every employee is a target for these types of attacks.
Here is an example of a standard SMS phishing attack in which a bad actor (a cybercriminal) impersonates the company CEO to get a lower-level employee to buy gift cards:
Criminal - "Hi Claire, it's Susan Peppers (let's pretend Claire knows exactly who Susan Peppers is)."
Claire - "Hi Susan, what a surprise!"
Criminal - "Claire, I need your help with something significant. Are you able to help me?"
Claire - "Of course! Let me know what it is, and I'll make it happen for you, Susan!"
Criminal - "Perfect! I knew I could count on you, Claire!"
Criminal - "I'm already running late for an essential business dinner, and I forgot the gift cards I promised to donate."
Criminal - "So, I need you to go get me three gift cards ASAP so I can keep my word."
Claire - "Sure! I can do that. Should I use my corporate credit card?"
Criminal - "Of course, you can use your company card for this!"
Claire - "How much money do you want on each gift card?"
Criminal - "The gift cards need to be valued at $500 each."
Claire - "I'm so sorry, Susan, I'm not authorized for that much. Would one $500 card and two $100 cards work?"
Criminal - "This disappoints me, Claire, but I'm out of time already. So if that is the best you can do, then it will have to work."
Claire goes to the store and buys $700 in gift cards.
Claire - "Hi Susan, as you requested, here are the three gift cards you requested…"
Claire sends the card information to the criminal and feels she has come to her CEO's rescue; she just knew she was earning herself some recognition and praise. Unfortunately for Claire, she only becomes aware of her misfortune after submitting her expense report. She is embarrassed and has allowed herself and her company to fall victim to cybercrime.
Other standard SMS phishing attacks:
- IRS is trying to contact you
- You've won something
- Pending refunds
- Verify your banking info
- You've got a delivery
- Verify your Apple/Google Account Info
- Coinbase/Crypto confirmation
SMS phishing has grown in popularity with cybercriminals over the last few years, but email phishing remains the most common and most successful attack vector impacting businesses. Phishing attacks continue to rise for both email and SMS, even with improved spam filters, mock phishing campaigns, and employee training, and businesses continue to fall victim as a result of human error. Technology may soon be able to intervene and reduce, if not prevent, these types of attacks. For now and for the foreseeable future, human beings will remain the weakest link in an organization's cybersecurity posture.
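As an added illustration that is not part of the original post, the following Python sketch scores text messages against the lure patterns described above: urgency and account-lock threats, requests to verify account details, gift card requests, and a brand name paired with a link to a look-alike domain. The sample messages, the `.example` domains and the brand allowlist are constructed for this example and are not from the OCBC case or any real filter.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lures this post describes (OCBC
# "account will be locked", the CEO gift-card request, a delivery lure) plus one benign reminder.
SAMPLE_SMS = [
    "OCBC Bank: you must conduct an account security check immediately. Otherwise, "
    "the account will be locked. Please Browse https://ocbc-secure-check.example/login",
    "Hi Claire, it's Susan. I'm out of time, I need three $500 gift cards ASAP. "
    "Send me the card codes.",
    "Your parcel could not be delivered. Confirm your address: http://parcel-redelivery.example/x",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
]

# Hypothetical allowlist: the domains the impersonated brands really use. A real
# deployment would maintain its own list (note the substring match is a crude heuristic).
BRANDS = {"ocbc": "ocbc.com", "apple": "apple.com", "google": "google.com", "coinbase": "coinbase.com"}

URGENCY = re.compile(r"\b(immediately|asap|locked|suspended|out of time|within \d+ (?:hours|minutes))\b", re.I)
ACTION = re.compile(r"\b(verify|confirm|security check|update|unlock)\b", re.I)
DETAILS = re.compile(r"\b(account|banking|address|login|info|password)\b", re.I)
GIFT_CARD = re.compile(r"\bgift cards?\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _trusted(host: str) -> bool:
    """True if the host is one of the legitimate brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRANDS.values())

def score_sms(text: str):
    """Heuristic smishing score: one point per indicator found, plus the list of reasons."""
    reasons = []
    if URGENCY.search(text):
        reasons.append("urgency or threat language")
    if ACTION.search(text) and DETAILS.search(text):
        reasons.append("asks to verify or update account details")
    if GIFT_CARD.search(text):
        reasons.append("gift card request")
    hosts = [urlparse(u).hostname or "" for u in URL.findall(text)]
    if any(not _trusted(h) for h in hosts):
        reasons.append("link to untrusted domain")
    named = [d for b, d in BRANDS.items() if b in text.lower()]
    if named and hosts and not any(h == d or h.endswith("." + d) for d in named for h in hosts):
        reasons.append("brand named but link goes elsewhere")
    return len(reasons), reasons

def triage(messages=SAMPLE_SMS, threshold=2):
    """Return (score, reasons, message) for messages at or above the threshold, highest first."""
    scored = [(score_sms(m), m) for m in messages]
    return sorted([(s, r, m) for (s, r), m in scored if s >= threshold], key=lambda x: -x[0])
```

The benign reminder scores zero even though it contains "confirm", because the score only counts the verification lure when it is paired with a request for account details.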
On average, it takes 100 days for ransomware or malware to be detected by traditional network security systems, because of their inadequate visibility and limited ability to analyze advanced threats. A lot of damage can occur over 100 days. With endpoint detection and response (EDR), the 100-day average for detecting ransomware or malware drops drastically, to a matter of hours or even minutes.
iTecs is your IT solution for your business’s remote and onsite managed IT service needs. iTecs has the expertise to guide and consult with businesses on which technology and services are necessary to run quickly and efficiently. After consulting with you on your business's technology needs, iTecs will procure and deploy the programs, then monitor and maintain them, including patch management and updates, and stay on top of any issue within the system should one occur. It should not be your business's responsibility to be an expert in IT. Instead of worrying about becoming the best in IT to protect your business, gain peace of mind by outsourcing your IT needs to the best MSP by partnering with iTecs. We do what we do best, so you can focus on being the best in your industry and taking your business to the next level.
Next-Generation Firewalls (NGFWs) offer additional benefits and an increased level of protection for business organizations. Managed Security Service Providers (MSSPs) are cybersecurity and firewall experts, which allows them to assess your organization's needs and size the NGFW that will best protect your network.