Phishing

By Ben Warriner

This is part 3 of a 4-part series. We previously looked at what phishing is, how to identify it, and the various types of phishing emails to be on the lookout for. In this installment we're going to discuss Business Email Compromise and Account Takeover attacks. Stay tuned for more!

If we're talking about phishing, we also need to discuss Business Email Compromise (BEC). BEC attacks are carefully planned and researched attacks that impersonate an organizational executive, vendor, or supplier.

Top Phishing threats related to BEC:

  • Email account compromise. 
    This is a common type of BEC scam in which an employee's email account is hacked and used to request payments from vendors. 
    The money is then sent to attacker-controlled bank accounts.
  • Employee impersonation. 
    This type of BEC takes the form of an email scam, in which a bad actor impersonates a trusted internal employee or vendor to steal money or sensitive information through email.
  • VIP impersonation. 
    This type of attack occurs when a malicious actor sends an email to an unsuspecting victim, using a compromised email of a legitimate company, individual or VIP, asking for payment or funds transfer.
  • External payment fraud. 
    An email impersonating a trusted vendor is sent to an unsuspecting victim with an invoice payment request. 
    It is also known as Vendor Email Compromise (VEC).
  • Internal payment fraud. 
    Using stolen credentials, an attacker can gain access to internal payment systems such as payment platforms and set up fraudulent vendors, change payment recipients, or redirect payments to their own accounts.
  • Payroll diversion fraud. 
    Using stolen email credentials, an attacker emails an organization's payroll or finance department requesting a change to direct-deposit information.
  • Social engineering. 
    Persuasion through psychology is used to gain a target's trust, causing them to lower their guard and take unsafe actions such as divulging personal information.
  • Extortion. 
    Threatening or intimidating action is used to obtain monetary or other financial gain, commonly used in vishing scams.
  • Malicious recon emails. 
    This looks like legitimate email communication but is an email sent by an attacker with the purpose of eliciting a response prior to extracting sensitive user or organizational data.
  • Credential phishing. 
    Bad actors steal login credentials by posing as a legitimate entity using emails and fake login pages. 
    The bad actor then uses the victim's stolen credentials to conduct a secondary attack or extract data.

It doesn't stop there, though, because we've also got Account Takeovers to worry about. In an Account Takeover, the attackers try to gain access to cloud email, such as a Microsoft 365 email account. This method is simple and is becoming increasingly common. These phishing campaigns usually take the form of a fake email from Microsoft, for example. The email asks the user to log in, saying they need to reset their password, haven't logged in recently, or that there's a problem with the account that needs their attention. A URL is included, enticing the user to click to remedy the issue.

The chain of events usually plays out like this:

The attacker sends a phishing email that appears to come from Microsoft or another trusted source. Then the user clicks on a link in the email, which brings them to a page mimicking the Office 365 login page.

Example of a phishing email

The user enters login credentials, which are scooped up by the attackers.

The fake page does nothing, says that the login is incorrect, or redirects the user to the real Office 365 login page.

Below are a fake and a real Office 365 login page. Can you spot the differences?

Example of phishing attempt on Microsoft login

Example of phishing attempt on Microsoft login

In Part 4 we're going to cover what to do if you get a phishing email and what to do if you think you've been phished.

Check out Part 1, Part 2, and Part 4 of this series.
Region 7 ESC Blog, Benjamin Warriner

Ben Warriner is a Network Security Specialist for Region 7 ESC and has been a Certified Information Security Manager® (CISM®) since 2019. He has worked at the ESC since 2009 and has been working on the cybersecurity of the ESC since 2014.