Phishing to take a bite out of your bank account

From Senior Constable Steve Smith, Mackay Police

A concerning new cyber-crime trend is affecting Mackay businesses – costing some of you lots of money. This trend has two names – “spear phishing” and “whaling”. Before we talk about what these two names mean, we need to understand something else.

Here is the something else – phishing. Heard of it? I would imagine the majority of you have. Phishing occurs when a cyber-criminal mimics a well-known organisation in an email or text message; the content of the message persuades you to open a malware-infected link or attachment, or to provide sensitive and personal information to the criminal. For example, an email from your financial institution asking you to update your personal particulars. Importantly with phishing though, the message is not specifically targeted at you! Your email address has just been roped in with probably another 10,000 others.

“Spear phishing” or “whaling” is different – and much more concerning. It’s here in Mackay and you need to know how it works. In contrast to phishing, which does not target a specific victim, spear phishing (let’s just call it that from now on) is used to target specific individuals in an organisation. Who might it be used against? Mid-level managers, finance officers, IT personnel... generally speaking, it is used to target those with access to money/information or admin level access!

The cyber-criminal will examine the structure of an organisation to work out who sits where (not a difficult process), then they snatch your logos, contact details, signature blocks... whatever is needed to allow them to construct an email message. Typically, they will put together an email pretending to be from a senior person in your organisation, directed to a more junior individual who works in one of the roles mentioned above. By penning a fake email from my supervisor (Sgt Nigel Dalton) to me, I can show you a typical example of how a spear phishing message might read:

ND – Steve could you take $15,000 out of the road safety campaign account and transfer it to XXXX account please? This needs to be done today urgently.

With spear phishing attacks, messages are short and there is inferred urgency. The criminal’s attempts to mimic a genuine email structure (logos and all) will sometimes be accurate. But hover your mouse over the sender’s details in the email, and you could be in for a shock. Rather than seeing the sender’s genuine organisation details, you will see a random off-shore email address.
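The sender check described above can also be done by a mail filter before the message reaches the inbox. The following is an added example, not part of the original column: it parses a constructed message modelled on the fake email above, compares the displayed sender name against the actual address domain, checks whether Reply-To points elsewhere, and looks for urgent funds-transfer wording. The internal domain and all addresses are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "police.example"  # placeholder for your organisation's real domain
URGENCY_WORDS = ("urgent", "today", "asap", "immediately")


def sender_is_external(msg, org_domain=ORG_DOMAIN):
    """Return (display_name, address, external) for the From: header.
    The display name is what the reader sees; the address is what hovering reveals."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain != org_domain.lower()


def reply_to_differs(msg):
    """True when Reply-To would send the reply somewhere other than the From address."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and reply_addr.lower() != from_addr.lower()


def flags_for(raw_message):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr, external = sender_is_external(msg)
    if external and name:
        flags.append(f"display name '{name}' but address is external: {addr}")
    if reply_to_differs(msg):
        flags.append("Reply-To differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "transfer" in text and any(w in text for w in URGENCY_WORDS):
        flags.append("urgent funds-transfer wording in body")
    return flags


# Constructed sample mirroring the column's example; domains are placeholders.
SPOOFED = """From: Sgt Nigel Dalton <nd.office@freemail-offshore.example>
To: steve.smith@police.example
Reply-To: nigel.dalton@webmail-other.example
Subject: Account transfer

Steve could you take $15,000 out of the road safety campaign account and
transfer it please? This needs to be done today urgently.
"""

GENUINE = """From: Nigel Dalton <nigel.dalton@police.example>
To: steve.smith@police.example
Subject: Roster

Steve, can you check next week's roster when you get a chance?
"""
```

A message that collects one or more flags is held for a phone call to the apparent sender, using a number you already have rather than one in the email.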

Businesses large, small and family owned are advising us of recent incidents of spear phishing in our district. Some of these have resulted in the costly loss of money – others were identified as false requests very early by checking the sender’s details.

In either case – law enforcement needs to know what is happening. Report any incident of spear phishing to the Australian Cybercrime Online Reporting Network (known as ACORN). Don’t give the criminals a free hit!

Take care out there.