How phishing scams are put into action

Incidents of phishing attacks continue to rise, and while law enforcement agencies and legislators attempt to quell online criminals at the source, the reality is that in most cases hackers remain one step ahead.

According to NAS Insurance’s analysis of 2017 claims, phishing remained the most common method of cybercrime. 62% of the cybercrime claims reported to NAS were caused by phishing.

“Phishing involves a criminal actor who fraudulently uses electronic communications, like email or a malicious website, to impersonate a business, a representative of the business, or its brand, products or services to steal private information or money,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance. “The average loss for a claim caused by phishing was $96,270.”

To illustrate how phishing scams work, Barnett gives the example of an unknown person who obtained corporate email credentials and began impersonating a company executive. The hacker then sent an email to the executive’s finance department asking for a wire transfer of approximately $50,000. Following regular protocol, the finance department responded with questions to confirm the request, such as how the request should be codified in the internal accounting system.

“The hacker used the executive’s email to respond and in the response referenced another expense - likely gleaned from reading the executive’s earlier emails - as an example of how to handle the transfer, which further appeared to legitimize the wire transfer request,” Barnett says. “The money was wired. The entire situation happened between 10:30am and 2:30pm on a Friday.”

Barnett also gives the example of a manufacturer of industrial products that purchased items from an existing supplier. A legitimate email from the normal point of contact at the supplier was sent to the manufacturer requesting payment for the items with wire transfer information in the email.

“Unfortunately, a hacker infiltrated the supplier’s email system and registered a domain very similar to the supplier’s, using three Es in the supplier’s name instead of two,” he says. “The hacker used the spoofed email account to send an email to the manufacturer posing as the normal point of contact at the supplier. In the email, the hacker asked the recipient to ignore the prior wire transfer instructions and provided new wire transfer information. The manufacturer did not notice the additional ‘E’ in the email address, and, believing the new wire instructions to be legitimate, wired $40,000 to the wrong account.”
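
The supplier case above turns on a sender domain that differs from the real one by a single repeated letter. The following check is an added example, not part of the original article or anything NAS describes: it flags a sender domain that is close to, but not the same as, a supplier domain already on file. The domain names, the allow-list and the function names are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: domains of suppliers already on file (assumption).
TRUSTED_DOMAINS = {"greenfield-supply.example", "acme-parts.example"}

def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def squeeze(s):
    """Collapse runs of a repeated character: 'greeen' -> 'gren'."""
    return re.sub(r"(.)\1+", r"\1", s)

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in trusted:
        return None  # exact match: the real supplier domain
    for good in sorted(trusted):
        # Same name once repeated letters are collapsed, or one edit away.
        if squeeze(domain) == squeeze(good) or edit_distance(domain, good) <= 1:
            return good
    return None

def review_payment_email(from_header):
    """Flag mail whose sender domain is near, but not equal to, a trusted one."""
    domain = sender_domain(from_header)
    target = lookalike_of(domain)
    if target:
        return f"HOLD: {domain} imitates {target}; verify bank details by phone"
    return "no lookalike match"
```

A clean result here only rules out a near-miss domain. It says nothing about the first case Barnett describes, where the request came from the executive's real mailbox, so changed wire instructions still need confirmation through a contact channel already on file.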