After what seems like a lifetime of technology exposure, I still become saddened but not surprised when I hear about someone falling victim to a phishing attack. Most medium to large businesses, if not all, have invested heavily in employee awareness training as a means to improve their cybersecurity posture. Unfortunately, most companies still fall victim to cybercrime because human beings remain the weakest point in an organization's security. Many corporations have increased cybersecurity training and awareness, investing heavily into employee training over the past several years. However, even with massive training campaigns and billions of dollars spent on training and awareness, human beings and their behavior still prove to be the weakest link in a business's security.
Throughout December 2021, nearly 500 customers of OCBC Bank fell victim to a successfully executed SMS phishing attack. This attack caused a loss of $8.5 Million for bank customers. The campaign started by sending spoofed text messages impersonating OCBC Bank, informing bank customers, "they must conduct an account security check immediately. Otherwise, the account will be locked. Please Browse" The SMS included a link after the words "Please Browse," Suggesting that users click that link to perform the security check required to unlock their bank account. After the user clicks the link, the victims would be directed to a spoofed bank website login page where they would unknowingly and inadvertently hand over the keys to their financial kingdom. The customers would find out they had been scammed once they received notification of unauthorized transactions being charged to their account. The amounts stolen from each customer varied between $3000 and $500,000. The loss the victims incurred is tragic, even more so given the magnitude and timing of the attack. Many families could not celebrate Christmas or see loved ones as a result. In addition, the local police investigating stated, "It's challenging and difficult" to recover the funds once they've been "fraudulently transferred out of the victim's bank account," Which means many of the victims and their families will never see those funds again.
SMS Phishing is not new, novel, or emerging. It has not been as widely used as email phishing, for example. Many bad actors will send a lower-level employee a text message from someone claiming to be their CEO. Criminals use social media sites like LinkedIn to gather information on a business to find their ideal victims within a target company. Criminals can find employee contact data through a myriad of data sources. If you've ever posted a resume online, some of your contact data is probably available publicly. Regardless of title or seniority, every employee is a target for these types of attacks.
Here is an example of a standard SMS phishing attack where a bad actor aka cybercriminal impersonates the company CEO to get a lower-level employee to buy gift cards:
Criminal - "Hi Claire, it's Susan Peppers (let's pretend Claire knows exactly who Susan Peppers is)."
Claire- "Hi Susan, what a surprise!" Criminal- "Claire, I need your help with something significant. Are you able to help me?"
Claire-" Of course! Let me know what it is, and I'll make it happen for you, Susan!"
Criminal- "Perfect! I knew I could count on you, Claire!"
Criminal- "I'm already running late for an essential business dinner, and I forgot the gift cards I promised to donate."
Criminal- "So, I need you to go get me three gift cards ASAP so I can keep my word."
Claire- "Sure! I can do that. Should I use my corporate credit card?"
Criminal- "Of course, you can use your company card for this!"
Claire- "How much money do you want on each gift card?"
Criminal- "The gift cards need to be valued at $500 each."
Claire- "I'm so sorry, Susan, I'm not authorized for that much. Would one $500 card and two $100 cards work?"
Criminal- "This disappoints me, Claire, but I'm out of time already. So if that is the best you can do, then it will have to work."
Claire goes to the store and buys $700 in gift cards.
Claire- "Hi Susan, as you requested, here are the three gift cards you requested…."
Claire proceeds to send the card information to the criminal and feels she has come to her CEO's rescue. Claire just knew she was earning herself some recognition and praise. Unfortunately for Claire, she would only be aware of her misfortune after submitting her expense report. Unfortunately, she is embarrassed and has allowed herself and her company to fall victim to cybercrime.
Other standard SMS phishing attacks:
- IRS is trying to contact you
- You've Won something
- Pending Refunds
- Verify your banking info
- You've got a delivery
- Verify your Apple/Google Account Info
- Coinbase/Crypto confirmation
SMS Phishing has grown in popularity with cyber criminals over the last few years. However, email phishing remains the most common and most successful attack vector impacting businesses. Phishing attacks continue to rise for both email and SMS, even with improved SPAM filters, mock phishing campaigns, and employee training. Businesses continue to fall victim as a result of human error. Soon, technology may have the ability to intervene, reducing if not preventing these types of attacks. For now and the foreseeable future human beings will continue to be the weakest link in an organization's cybersecurity posture.
Have trouble convincing the boardroom they should invest in cybersecurity? Our short guide has excellent tips for your next conference.
Turkey, pies, being thankful for those around us - what could possibly go wrong? Quite a lot, actually.