Phishing Attacks in the Technology Industry

October 19, 2017 by Stephen Moramarco

The technology industry is always in the crosshairs of criminal enterprises – be it a vast network of thieves or a lone hacker. The sector, comprised of Fortune 500 companies as well as garage-based startups, creates innovations intended to advance society such as computers, smartphones, robots, and even the (eventual?) flying car. Rogue groups or individuals seek to exploit vulnerabilities in technology software or hardware for their own use or, possibly, on behalf of a foreign government.

Why Target Technology?

Attacking tech companies, at least for the criminal, has certain advantages. A breach at a major technology company is sure to make headlines as well as reap rewards of personal data, proprietary information, and possibly money.

Startups particularly stand out as vulnerable targets because of their inexperience and the large amounts of information and/or capital they hold. The hyper-driven pace at which many of these companies operate increases the chance of an employee making a mistake, such as clicking on a link or sending out confidential information when they shouldn’t have.

Technology companies are also targeted by thieves or spies stealing on behalf of governments or competitors. In 2014, the US Government accused China of hacking into Fortune 100 companies, stealing everything from solar and nuclear power technology to business strategy; they claimed the campaign had been going on undetected for a decade.

How is the Technology Industry Targeted?

Attackers attempt breaches up and down the line, from user accounts to CEO communications. Many times, these attacks are aimed at specific people, a tactic called spear phishing: hackers use information gleaned from social media to pretend they are someone else. Posing as another employee, or perhaps as the CEO, the thief then asks for things like usernames or passwords.

Lately, spear phishing attacks have taken a new twist: instead of breaking in, the attacker simply asks for documents to be sent to them. A popular tactic around tax time has been to pose as the CEO and ask for employee W-2s to be forwarded.

That’s what happened in 2016 to Snapchat, the popular communications/social media app. Someone posing as CEO Evan Spiegel emailed an employee in the payroll department and made the W-2 request. The employee, not carefully checking the email address, forwarded information that included Social Security numbers and stock holdings.

In 2017, the FBI disclosed that two multinational technology companies (later revealed to be Facebook and Google) had been scammed out of more than $100 million by a Lithuanian man named Evaldas Rimasauskas, who used simple email tactics to defraud them.

Rimasauskas targeted the two companies and, impersonating a vendor that did business with them, invoiced the tech titans via email, along with instructions to wire the money to various bank accounts. Attached to the emails were realistic-looking invoices complete with company signatures. He worked this scam over a period of two years, and it was only discovered by one of the banks involved in the transactions. (Rimasauskas was arrested in Lithuania, and authorities say most of the money has been recovered.)
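Both cases above turn on the same failing: a recipient who never checks that the sender's address matches the name it displays. As an added example (not from the article or from InfoSec Institute), the Python below flags From headers whose display name matches a protected sender (an executive or a vendor) but whose address domain is not one of that sender's approved domains, and headers from domains that closely resemble a trusted domain; the sender list, domains and sample headers are constructed placeholders.

```python
"""Flag e-mail From headers that impersonate a known sender."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed policy (hypothetical values): display names worth impersonating
# and the domains each one legitimately sends from.
PROTECTED_SENDERS = {
    "jane example": {"example-corp.com"},          # the CEO
    "acme vendor billing": {"acme-vendor.example"},  # a real supplier
}
TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.example"}


def lookalike(domain, trusted, threshold=0.85):
    """Return the trusted domain this one closely resembles, or None.

    A near-miss such as a swapped digit for a letter scores well above the
    threshold; unrelated domains score far below it.
    """
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def check_from_header(from_header):
    """Return the reasons this header looks like impersonation (empty if clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    allowed = PROTECTED_SENDERS.get(name.strip().lower())
    if allowed is not None and domain not in allowed:
        reasons.append(f"display name {name!r} but domain {domain!r} not in {sorted(allowed)}")
    near = lookalike(domain, TRUSTED_DOMAINS)
    if near:
        reasons.append(f"sender domain {domain!r} resembles trusted {near!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one CEO impersonation from an
    # unrelated domain, one vendor impersonation from a lookalike domain.
    for hdr in (
        '"Jane Example" <jane.example@example-corp.com>',
        '"Jane Example" <ceo.office@mail-example.net>',
        '"Acme Vendor Billing" <ap@acme-vend0r.example>',
    ):
        print(hdr, "->", check_from_header(hdr) or ["ok"])
```

In a mail gateway the same logic would run over the parsed `From:` header (and ideally the `Reply-To:` header) before delivery, with a hit routing the message to review rather than to the payroll inbox.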

Our realistic Dropbox file invite can fool someone who clicks before reading; clicking the link titled “Report Phishing” instead earns the user congratulations for their security savvy.

The Keys to Preventing Scams

Some technology companies like to think of themselves as special when it comes to security, and it’s often the biggest that are the most lax. In their rush to innovate or “disrupt,” they forget the very basic steps needed to prevent security breaches.

The number one rule is: educate your employees. This means everyone from the CEO down to the interns, i.e., everyone who has email and access to the company network, should be enrolled in a program that makes sure they are aware of the dangers of phishing.

To this purpose, InfoSec Institute has developed a platform called SecurityIQ, which contains essential learning components in two separate branches.

The first is called AwareEd and is an automated application that allows you to enroll, administer, and monitor your employees as they take a series of courses designed to teach them about the dangers of phishing/hacking.

These courses have a series of modules that cover everything from password security to malware; the modules include informative videos as well as short quizzes to make sure the material is being understood.

AwareEd has pre-configured courses designed for specific groups within your technology company such as management or telecommuters, but new courses can be easily created by the administrator. Additionally, if you have learning materials specific to your organization, they can be uploaded and easily integrated into the AwareEd program.

Once you’ve created or selected courses, your employees are automatically sent emails with enrollment instructions (you control the date and time); reminders will also be sent. Once they’ve enrolled, you can monitor their progress in the dashboard. Those that complete the course can be given an award or some kind of recognition, and those that don’t pass can be required to take further training.

The other branch is PhishSim, a phishing simulation program designed to help you see if your employees are truly as vigilant as they say they are. You can use a variety of phishing email templates (such as password reset requests or account suspension notices) or create your own “phishing” message. These emails can be used in conjunction with PhishSim data entry templates, which mimic login pages. It’s best to assemble a variety of phishing templates and data entry pages (called a battery) and send them out over a period of days or weeks (called a campaign).

Then, keep an eye on the PhishSim dashboard – those unwitting employees that click on the link or fill out the form will be directed to a special education page that will alert them of their mistake (this page is also completely customizable). From there, they can be instructed to take or repeat AwareEd courses.

PhishSim can also be used defensively. Employees who spot real-world phishing attempts can be instructed to send them to the Quarantine, where they can be reviewed by your incident response team.

SecurityIQ is constantly upgrading PhishSim and AwareEd with new learning modules, phishing templates, and more. Recently, we’ve added an analytics section to help you further understand who is falling for phishing emails and why.

InfoSec Institute is one of the top security companies in the world dedicated to training and certification. We are confident your technology company will be more resilient against hackers if you use SecurityIQ, and right now we are offering a free 30-day Premium Account with unlimited courses and campaigns. Sign up today!

Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.