16 business email/mobile phishing tricks to be aware of in 2019
Introduction
It’s hard enough running a business without a cybercriminal trying to ruin it. According to PWC, in 2018, 49% of organizations across the world have been a victim of fraud and economic crime; this is up from 36% in 2017.
Business email and now mobile messaging apps are a mainstay of communications and a conduit for business phishing tricks. Fraudulent phishing emails are a continuing issue that organizations need to be aware of, to reduce the impact of cybercrime on their bottom line.
See Infosec IQ in action
Here are 16 of these phishing tricks to watch out for in 2019.
1. Business Email Compromise (BEC)
The U.S. Treasury Department’s July 2019 report found that BEC costs U.S. companies around $300 million per month. Business Email Compromise uses social engineering, including spearphishing emails and surveillance of a company and employees. The scammer will often impersonate a company executive such as a CEO. The result is usually the transfer of money, sometimes millions of dollars.
2. Fake billing scams
During 2018, Australian companies lost over AUD 5 million due to fake billing scams. The scam tends to target smaller businesses. The fraudsters con a company into paying for spoof services. The scam works by sending an invitation, via email, to renew a company web domain or to list in a trade magazine.
Scammers focus on the administration department, as they are less likely to be aware of business activities and hopefully (for the scammer) pay the “bill.”
3. Office 365 scams
Microsoft Office 365 is a popular tool for businesses. Therefore, it is also popular with cybercriminals.
A recent report by VadeSecure found that Office 365 was the number one brand for phishing for login credentials. The scam uses the usual tricks of the phishing trade, links to a fake Microsoft Office 365 login page within a phishing email that then harvests the login username and password to hijack an account.
4. Virtual office voicemail scams
This scam targets businesses who use virtual offices that send out voicemail messages via email. The scam is in the form of an email with an attachment (the supposed voicemail). Attachment formats vary, but typically it will be an .HTML file.
If the recipient clicks on the attachment, it opens a spoofed form asking for some personal information and a password to access the voicemail. Once the data is entered, it will be sent to the cybercriminal behind the scam and used for account hijacking/resale purposes.
5. TrickBot/TrickBooster banking Trojan
Banking malware, such as Trojans, has increased by around 16% in 2018 according to Kaspersky. Banking Trojans infect computers to steal bank login credentials.
Trojans such as TrickBot specifically target business users and were the biggest banking threat to businesses in 2018, according to Malwarebytes. The Trojan is delivered via an email or SMiShing (text message phishing) campaign.
More recently, a new variant of TrickBot called TrickBooster has been used to harvest email credentials from around 250 million email accounts. The hijacked accounts are then used to propagate the malware.
6. Spearphishing scams
Targeted phishing campaigns or “spearphishing” continue to be a serious issue. Symantec found that over 71% of cyberattacks used spearphishing emails. This form of phishing typically targets privileged users, like system administrators, to obtain login credentials to sensitive resources like servers or databases.
7. Dropbox phishing
The Software-as-a-Service offering, Dropbox, is very popular amongst business users who use it to share and collaborate on company documentation. The global scale and capacity of Dropbox is massive, with around 500 billion pieces of content uploaded.
Scammers use email phishing tricks to attempt to harvest Dropbox credentials and steal accounts and documents. The emails link to spoof Dropbox login pages where, if a username and password are entered, they are sent directly to the cybercriminal behind the scam.
8. W2 tax scams
Tax season brings out the scammers in the form of W2 tax scams. The attack typically involves the fraudster creating a spoof email account that looks like a company executive. They will then send an email using this account to an employee in the HR department with an urgent request for past and present employees’ W2 details. These data are then used for resale or to propagate subsequent attacks.
9. Slack scams
Slack is a popular online collaboration tool for teams. Slack and similar online collaboration portals are increasingly seeing phishing scams based on the messaging system with the app.
In 2017 and 2018, a number of crypto-based phishing scams used Slack phishing as the conduit for the scam. In 2019, we may well see Slack and similar apps being used for other phishing purposes such as harvesting personal data or company information.
10. Mobile phishing threats
As mobile devices take root in company resource access, so phishing that is mobile-focused has come along for the ride. This is not surprising as mobile phishing (SMiShing) is successful; a survey by Lookout found that the click-through success rate for mobile phishing scams is 56%. Mobile phishing via text messages uses all the same tricks as its email counterpart.
11. Messaging apps
Organizations are turning to messaging apps such as WhatsApp to communicate on business matters. Increasingly, these messaging apps are also being used as conduits for phishing. The same sort of tricks are used as in the traditional phishing email, including urgency, spoof offers and so on. Clicking on a link in the message taking you to a spoof website page that steals data.
12. Travel phishing scams
Business travelers are a good target for fraudsters if you catch the traveler off-guard. Phishing emails contain details of a supposed recently booked trip with details in the attachment. If the attachment is opened, it may install malware onto the computer. In an age where many employees travel regularly, this sort of scam could easily work.
13. Google calendar scam
This Google-related phishing scam, discovered by Kaspersky, uses a Google Calendar option to place event invites in another user's calendar. The event pops up on the specified day/time with an offer to take a survey and claim a cash reward. The link in the calendar event goes to a website with a short survey where users are encouraged to enter credit card and personal details.
14. Invoice scam
The invoice scam typically targets accounts payable/finance departments. It is an unbranded phishing email scam which contains an image that is clearly an invoice. The .jpg image contains code that, when clicked, runs a banking Trojan install. The scam is a clever one, as it will be easy to dupe a busy department that receives many expense invoices contained in emails.
15. Sharing file phishing
To circumvent anti-phishing technology, fraudsters are now using the document sharing mechanisms that are part of common portals like Microsoft OneDrive or SharePoint. The phishing scam consists of an email with a link to a work-related document, hosted on such a portal. If the user clicks on the link, they will be taken to a spoof login page of the sharing portal; once credentials to the site are entered, they are stolen and used to hijack an account.
16. RFP Proposal scam
Small businesses are targeted by scammers with fake tender proposals. The email will contain either an RFP in PDF format or a link to download the proposal. The email will look like it has come from a legitimate company, even a partner organization if the fraudster has used surveillance. The result on opening the PDF is a potential malware infection.
Alternatively, if the link is used, the individual will be taken to a website requesting bank details to process the bid. These are then sent to the cybercriminal behind the scam.
Conclusion
As you can see from this list of 16 phishing scams that target businesses, variety is the spice of the cybercriminal’s life. The fraudster will use whatever mechanism is commonly used in the workplace to get their dangerous links or malware-ridden files onto a corporate network.
The best way to deal with the deluge of phishing mechanisms is to know the tricks of the trade. The conduits used to phish may be varied but the tricks are often the same. The best way to tackle this type of cybercrime is by having all employees security-aware.
See Infosec IQ in action
Sources
- PwC’s 2018 Global Economic Crime and Fraud Survey, PWC
- Financial Trend Analysis, FinCEN
- Number of users attacked by banking Trojans grew by 16% in 2018 reaching almost 900,000, Kaspersky
- TrickBot takes over as top business threat, Malwarebytes Labs
- TrickBooster – TrickBot’s Email-Based Infection Module, Deep Instinct
- Internet Security Threat Report Volume 23, Symantec
- 33 Staggering Dropbox Statistics and Facts (2019), DMR
- Cybercriminals Use Smartphone Calendars to Distribute Scam Offers, Kaspersky
- New variant of Zeus banking trojan concealed in JPG images, SC Magazine
In this Series
- 16 business email/mobile phishing tricks to be aware of in 2019
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
