Phishing Scams 2023 – Q4 Updated
In 2023 we have seen a huge increase in advanced scams that are very difficult for anyone to identify.
Around 80% of companies have been hit by scams in the last month.
Many have lost tens of thousands of pounds and others have lost intellectual property, had data encrypted by ransomware and lost reputation with their clients.
Everyone needs to take this very seriously. Nobody is immune: it affects the single person working from home right through to the largest businesses with every security measure in place.
No web protection software, firewall or anti-virus product will block everything, because the message often comes from someone you know whose account has been breached or spoofed.
The best defence is to know what is possible and to put the right security controls in place; they will not stop everything, but they reduce the risk considerably.
The reasons you get scammed or hacked vary. Often the attack is opportunistic: a contact of yours had their address book stolen in another breach and your details came with it.
Sometimes one of the many websites you signed up to in the past has been hacked, and the personal details from that leak are used to attack you or your company.
Increasingly, though, the attack is targeted: the attackers spend days or months gathering data and profiling you or your business before a high-payout attack via email phishing, ransomware, remote-access malware that evades anti-virus, or data theft.
The first aim of even the most basic attack is access to your email account, which makes good reading: it tells them all about you, your contacts and the best way to target you.
With email access they can reset passwords on almost any other account, place orders, transfer money, change details, delete cloud storage and backups, remotely wipe your phone, damage your reputation, access social media, threaten to release personal information or photos, and a lot more.
The next generation of attacks has already started: the attackers clone your voice and use it to phone someone or leave a voicemail that sounds exactly like you, threatening the safety of a family member, asking for money to be transferred or an invoice paid, or confirming something the scammers sent by email. Besides companies, this is being used against the elderly, who may not know that such a thing is possible.
Here are some real-life examples from the past few weeks. Each one hit multiple companies in the same or a very similar way.
Real World Example 1
Inbound email from the owner/director to staff/accounts asking if they are busy, what time the bank closes, or what the cut-off time for EFT faster payments is.
These emails carry the correct full name. The sender address may be exactly right (a compromised or spoofed account) or differ by a single character in the domain name, and, most importantly, the message is formatted and written the way you would expect from that person, email signature included.
A few more general questions may follow to build confidence, either random questions or a request to check the bank balance.
They will then mention a large purchase, a new supplier or something important that needs to be paid.
Finally they will ask for an EFT faster payment to this new company, often near close of day, to rush it through without question.
The final email will include the company name, bank, account number, sort code, company address and often more.
This type of scam used to be worth a few hundred pounds, but the scammers now seem to know (by asking outright, or by guessing) what the company is likely to pay out, and ask for tens of thousands.
The bank may even call to verify the payment, and it still gets approved, because the person making it does not realise the whole exchange was a scam.
In an even more advanced version, the scammers first call the company to find out when the owner/director will be busy or uncontactable and run the operation during that window.
Real World Example 2
You get a call from the bank/amazon/trading company/online shop/airline/phone/internet/email company and they say they have a security concern/fraud transaction/payment problem/some random issue with your account or just want to verify a transaction.
They do not need to ask you any personal questions because they already have your name, email and phone number (or company details), so the call feels personal. The caller usually has a British or American accent; the foreign accents and noisy call-centre backgrounds of older scams are gone.
The tone is casual, and they say that in order to give you the details of the incident/issue/fraud/payment problem they need to send a 4- or 6-digit PIN to your phone to verify you.
You say sure, and read the PIN out to prove it is really you.
What is actually happening is that they are logging into your account, which is protected by 2FA/MFA or an SMS PIN. The PIN that arrived on your phone is the one their login triggered, and by reading it out you have let them in, in real time.
They then use the account to transfer/steal money, book tickets, buy things, open other accounts, buy/steal bitcoins, buy items for delivery world wide and sometimes just to intercept emails for additional future damage.
They can even change the email address on the account to a new email and then even if you try to recover your account, it becomes very difficult.
Real World Example 3
Incoming email from a company or someone you know. Everything is exactly as you would expect. Same email address, same email format and nothing suspect at all.
Typically a third party you deal with has had their email account compromised, and the scammer is sending from that account.
The email is usually tied to something that is actually happening in the real world, so you may genuinely be due to pay this company for a purchase or invoice.
They will say they have changed banks for some reason and that the invoice you are due to pay must go to the new account, otherwise it may not clear if it goes to the old one.
Each one is crafted so carefully that it really does not look suspicious at all.
Sometimes they request a small test payment to confirm the new details are correct, so that you do not pay the wrong account.
Then you are expected to pay the outstanding invoice, or something else that is due, in full via EFT.
By that point the money is gone, and you only find out later when the real company asks where its payment is and you have not received your goods.
Real World Example 4
Password phishing via email. The target is your email login, which lets them monitor and download your mail, read it at leisure, target people you know, copy your contact list and send email from your account.
Typically you get an email that looks exactly as it should, and once again not from an obviously suspect address, except that a character in the domain name may have been changed.
The changes look like these (all fake, and easy to miss): email@amazom.com @amozon.com @amasom.com @amazon.eu.com @amazoneu.com @amazonu.com @amazon.co.eu
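The lookalike domains above, and the "right name, wrong address" pattern from Real World Example 1, can both be caught mechanically before a human has to spot a single changed character. The following is an added example, not code from the original page: a small header checker that classifies the sender domain against an allow-list (exact or subdomain match is trusted; a brand label reused under another domain, embedded in a longer label, or within two edits of a trusted label is flagged as a lookalike), checks the display name against a staff directory, and flags a Reply-To that diverts the thread. The trusted domains, the staff entry and the four sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation legitimately receives mail from (constructed for the example).
TRUSTED_DOMAINS = {"example-ltd.co.uk", "amazon.com", "amazon.co.uk", "microsoft.com"}

# Staff directory: display name (lower-cased) -> the only address it should arrive from.
STAFF = {"jane director": "jane@example-ltd.co.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'unknown', or 'lookalike: <reason>'."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"                      # mail.amazon.com is a genuine subdomain
    labels = d.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]         # "amazon", "example-ltd", ...
        for label in labels:
            if label == brand:                # amazon.eu.com, amazon.co.eu
                return f"lookalike: brand '{brand}' used under untrusted domain {d}"
            if brand in label:                # amazoneu.com, amazonu.com
                return f"lookalike: brand '{brand}' embedded in label '{label}'"
            if len(label) >= 5 and levenshtein(label, brand) <= 2:   # amazom, amozon, amasom
                return f"lookalike: '{label}' is within 2 edits of '{brand}'"
    return "unknown"


def analyse(raw_message: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one raw message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []

    verdict = classify_domain(addr.rpartition("@")[2])
    if verdict.startswith("lookalike"):
        findings.append(("lookalike-domain", verdict))

    expected = STAFF.get(name.strip().lower())        # known person, unexpected mailbox?
    if expected and expected != addr:
        findings.append(("display-name-impersonation", f"'{name}' is {expected}, this came from {addr}"))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))  # replies silently routed elsewhere?
    if reply_to and reply_to.lower() != addr:
        findings.append(("reply-to-mismatch", f"replies would go to {reply_to}"))
    return findings


# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: Jane Director <jane@example-ltd.co.uk>\nSubject: Are you busy?\n\nCan you check the EFT cut-off time today?\n",
    "From: Jane Director <jane.director@gmail.com>\nSubject: Urgent payment\n\nIn a meeting, need a faster payment sent before the bank closes.\n",
    "From: Amazon Prime <billing@amazom.com>\nSubject: Your Prime payment has failed\n\nClick here to amend your details.\n",
    "From: Jane Director <jane@exarnple-ltd.co.uk>\nReply-To: accounts-jd@outlook.com\nSubject: New supplier\n\nPlease pay the attached invoice today.\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.splitlines()[0], "->", analyse(sample) or "no findings")
```

In a mail gateway this would run on inbound mail and tag or quarantine anything with a finding; the "display-name-impersonation" rule is the one that catches the director-to-accounts payment request even when the scammer uses a free-mail address that is nothing like the real domain.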
Here are some email examples – all designed to steal your login credentials to your email/365/windows login or some other important account.
Microsoft – Your email password is due to expire. Click here to reset or click here to keep.
Amazon – Your prime account payment has failed. Click here to amend your details.
DocuSign – We received a document for you to review and sign. Click here.
Google – X sent you a file share. Click here to view the files.
OneDrive – Internal document share from X (real person you know). Click here to view the files.
Outlook – Your email account is over its size limit. Click here to increase your email capacity.
Most of the time the sender appears to be a service you know and trust; the email is a copy of the genuine notification with only the link swapped for the trap.
2FA/MFA helps, but the newer version of these scams puts a proxy between you and the real login page: the fake page asks for your password and then your 2FA/MFA code, relays both to the genuine service in real time, and the scammers walk away with a fully authenticated session.
One employee falling for this can cascade into the whole company being compromised, through shared files that spread malware or leaked email that the attackers reuse.
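Why the real-time relay above (and the read-out-the-PIN call in Real World Example 2) beats codes but not phishing-resistant login deserves a concrete demonstration. The following is an added example, not code from the original page. It implements RFC 6238 TOTP codes and shows that a code handed to the attacker is accepted by the real server unchanged, because the code carries nothing about where it was typed. It then models a WebAuthn/FIDO2-style assertion, where the browser writes the page origin into the signed client data: the relayed assertion is rejected because the origin is the phishing site, and rewriting the origin breaks the signature. The origin names and RP ID are constructed, and an HMAC over a shared credential key stands in for the authenticator's key pair so the example runs offline.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed names for the example.
REAL_ORIGIN = "https://login.example-bank.test"           # the genuine site
PHISH_ORIGIN = "https://login.example-bank-secure.test"   # attacker's proxy, one lookalike label away
RP_ID = "example-bank.test"


# --- Shared-secret one-time codes (RFC 6238 TOTP, as in an authenticator app; an SMS PIN behaves the same) ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Accept the current and previous step, as real services do.
    return any(hmac.compare_digest(code, totp(secret, unix_time - d)) for d in (0, 30))


def relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code off their app (or says it on the phone); the attacker forwards it."""
    code_given_to_attacker = totp(secret, unix_time)   # produced by the victim's own authenticator
    return server_verify_totp(secret, code_given_to_attacker, unix_time)   # accepted: no origin in a code


# --- Origin-bound assertion (WebAuthn/FIDO2 shape; HMAC stands in for the authenticator's key pair) ---
def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str) -> tuple[bytes, bytes]:
    """The browser, not the attacker, fills in 'origin' with the page it is actually on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    signed_bytes = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()


def server_verify_assertion(cred_key: bytes, challenge: str, client_data: bytes, signature: bytes) -> bool:
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge or cd.get("origin") != REAL_ORIGIN:
        return False                                       # a relayed assertion fails here
    signed_bytes = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(signature, hmac.new(cred_key, signed_bytes, hashlib.sha256).digest())


def legitimate_login(cred_key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(cred_key, challenge, REAL_ORIGIN)
    return server_verify_assertion(cred_key, challenge, client_data, sig)


def relay_webauthn(cred_key: bytes) -> tuple[bool, bool]:
    """Proxy fetches the real challenge, victim signs on the phishing page, proxy forwards the result."""
    challenge = secrets.token_urlsafe(32)                  # issued by the real server to the proxy
    client_data, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    relayed_as_is = server_verify_assertion(cred_key, challenge, client_data, sig)
    # Attacker rewrites the origin to the real one; the signature still covers the original client data.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": REAL_ORIGIN}, sort_keys=True).encode()
    with_forged_origin = server_verify_assertion(cred_key, challenge, forged, sig)
    return relayed_as_is, with_forged_origin


if __name__ == "__main__":
    secret, cred_key = b"12345678901234567890", secrets.token_bytes(32)
    print("TOTP relayed through phishing page accepted:", relay_totp(secret, 1_700_000_000))
    print("WebAuthn legitimate login accepted:", legitimate_login(cred_key))
    print("WebAuthn relayed / origin-forged accepted:", relay_webauthn(cred_key))
```

The practical reading: SMS PINs and authenticator-app codes still protect against someone who only has the password, but not against a live proxy or a caller who gets you to read the code out. Security keys and passkeys bind the login to the real site's origin, so the same relay fails.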
Real World Example 5
You need support from a company that uses something like Twitter/Web Chat because their phone lines are always busy – like British Airways for example.
On Twitter you find what looks like the verified British Airways account, and you ask for assistance. So far so good.
You get a response saying how sorry they are and that they would really like to call you to resolve the issue.
So you DM them your phone number and wait for the call.
Next you get a call from a British-sounding person who sympathises with you and says they will fix everything.
To refund your ticket/lost baggage/late departure they just need your full name, address and so on. Great, you are "verified", because it matches the details they already have.
Now, to process the refund, please provide the card number you paid with at the time of booking, plus the expiry date and CVV. Thanks!
All good, the refund will be with you shortly. The next day you find your card account has been drained.
The trick: British Airways never replied. The reply came from a lookalike account whose handle differed by one character and which copied the real profile exactly, and you did not look closely enough to notice.
This method is extremely popular right now and very hard to stop, because anyone can create a lookalike account and reply to public support requests.
Hopefully that will give you an idea of just some of the scams currently running.
That does not include ransomware, which is still rife and typically arrives via movie-streaming websites, scam emails, targeted attacks on businesses and infected file shares.
Real World Example 6
You get a call from the bank who are concerned about a large or unusual transfer to or from your bank account.
They convince you it is urgent because you may be the victim of a scam.
You will need to log into your bank account on your computer and follow their instructions.
From this point several different techniques are used.
Some scammers send you to a fake version of the bank's website and steal your login details, 2FA code included, in real time. Others get you into a web chat on the fake site, or have you install legitimate remote-access software dressed up as an assistance or security application. Anti-virus sometimes blocks this, but they will tell you it is a false positive and to ignore that nonsense.
Once you are into the account, they convince you to move your money to a "safe account", or do something that gives them control of your computer, at which point you may not even see what is happening in the background. They sometimes also drop files onto the computer so they can remotely access or spy on it in future.
By then they will most likely have moved almost all of the money out of the account by bank transfer, which is difficult to stop or reverse, and the bank usually does not compensate because you authorised it.
Advisories
- Never make a payment to new bank/card details without calling the person/director/owner and speaking to them. You should recognise their voice, but given the voice cloning described above, call a number you already have, not one from the email.
- Never call phone numbers included inside emails. Look the company up with a fresh Google search (not Bing), make sure you use the organic result and not a sponsored advert, then call and verify.
- Don't trust any email that needs to be clicked on to open something. If you do click and it opens a login page for your 365/Gmail/files/OneDrive/Dropbox etc., never enter your details.
- Don't trust messaging systems tied to email accounts, like Teams, because if the email account is compromised the attacker will use the same tricks as above via Teams.
- Never reuse a password, and never use a dictionary word or name with two to four digits (or a symbol) on the end. Typical bad examples: Jonny1985 or J0nny23!. Use 12+ characters that do not form a word; a password manager will generate and remember these for you.
- If someone calls claiming to be your bank or another institution and says you need to do something, for any reason including fraud, hang up and call back on the number from their official website, not one from an email or the call itself.
- Never install software, open links or open chat boxes when instructed to by anyone online. Treat remote-access software with extreme caution.
- Don't respond to spam emails, even to unsubscribe or engage in any way. Emails offering "SEO 1st page on Google", Google advertising management or other marketing solutions are always scams, as are low-cost, buy-now, cheap, time-limited offers and similar pitches received by email or via ads on Twitter, Facebook and other social media.
- Trust voice calls on numbers you dial out to. Don't trust inbound caller ID, as it can be spoofed to show a number you know.
- For secure messaging, the app we trust is Signal by Signal Messenger LLC.
- WhatsApp can be safe, but a compromised account can be linked to a PC anywhere in the world (WhatsApp Web/Desktop), so it cannot always be trusted.
- Always use 2FA/MFA on every account that supports it. It is not perfect, but it helps a lot as long as you never give the code to anyone.
- When installing an authenticator app (for example Microsoft Authenticator), do not install one of the many scam look-alikes. Make sure it is the genuine one, otherwise you will be scammed through it.
- Make sure you trust your IT provider. Companies with high staff turnover can have rogue staff who harvest details and sell them on the dark web.
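The password rule above (no dictionary word or name with digits or a symbol tacked on the end, 12+ characters) is easy to state and easy to get wrong, because people "fix" Jonny1985 by writing J0nny23!. The following is an added example, not code from the original page: a checker that strips the trailing digits/symbols, undoes the common letter-for-number substitutions, and only then compares the core against a word list. The word list is a small constructed one; a real deployment would use a large dictionary plus a breached-password set.

```python
import re

# Small constructed word list; a real check would use a large dictionary and a breached-password set.
COMMON_WORDS = {"password", "jonny", "johnny", "summer", "welcome", "liverpool", "qwerty", "letmein", "admin"}
LEET = str.maketrans("013457@$!", "oieastasi")   # J0nny -> jonny, P@55w0rd -> password
TRAILING = re.compile(r"[\d\W_]+$")              # the '1985', '23!', '2023!!' on the end


def normalise(password: str) -> str:
    """Reduce a password to the word a human probably started from."""
    core = TRAILING.sub("", password)             # strip trailing digits/symbols
    return core.lower().translate(LEET)           # undo leet substitutions


def check_password(password: str) -> list[str]:
    """Return the reasons a password fails; an empty list means it passes these checks."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    core = normalise(password)
    if not core:
        reasons.append("digits/symbols only")
    elif core in COMMON_WORDS:
        reasons.append(f"dictionary word or name '{core}' with digits/symbols appended")
    return reasons


if __name__ == "__main__":
    for pw in ["Jonny1985", "J0nny23!", "P@55w0rd2023!!", "12345678", "margin-velvet-otter-cloud"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Note that the two examples from the advisory fail for the same reason once normalised, which is the point: adding a year, a symbol or a zero-for-o does not make a name into a password. A random passphrase or a password-manager string passes because there is no single word left once the trailing characters are removed.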
Technical Mitigation
Network – Use a router/firewall with IDS/IPS (Ubiquiti, pfSense with Suricata, Fortinet) [£400 to £2000 for the router/firewall, plus an optional monthly fee of £90 to £400 per month for the business editions that offer daily signature updates]
Network* – Enforce a DNS filter such as NextDNS [around £20 p/m] across the entire network, either with Pi-hole in front of a protected upstream resolver plus local rules, or with the filtering built into a firewall such as pfSense/Fortinet.
Server/Cloud* – On Microsoft 365, consider adding "Microsoft Defender for Office 365 Plan 2" to Business Standard for an extra £5 p/m/user, which adds advanced blocking of phishing-style email and better protection overall, or upgrade Business Standard to "Microsoft 365 Business Premium" for £20 p/m/user with Defender included.
Device* – Install an anti-virus/anti-malware solution on all devices and make sure it covers ransomware, phishing, mobile devices and true in-browser protection with DNS filtering. We recommend Malwarebytes endpoint protection for business. [£5 to £6 per device p/m]
Backup – Ensure there is a third-party backup of all cloud data. An attacker with admin access can wipe a cloud platform clean. These backups are now quite expensive but recommended.
Compromised systems – If a system has been compromised in any way, via remote access or any software download, assume that custom malware or a RAT (remote access trojan) may have been dropped on it that anti-virus will not detect. A system hit by ransomware should have its RAM captured with software (Belkasoft Live RAM Capturer) or be hibernated rather than shut down, to preserve any encryption key still in memory for later recovery. Network drives and cloud storage should also be checked, and all passwords should be changed along with 2FA.
Training – Ensure staff are trained on the latest threats and reminded of the risks every 1 to 2 months through an organised training session that is taken seriously.
* indicates essential first steps in mitigation.