Just how sophisticated are cyber criminals nowadays? With the volume of wire transfers growing every year, criminals are spending more time and resources to get between your clients and their money.
It has gotten to the point where even security professionals need a quick refresher. Here is a handy list of some of the most common tactics fraudsters use, so you can stay alert.
Brute Force Password Attack
An attacker tries to break into a password-protected account by guessing the password, systematically trying every candidate until one works and, bingo, they have access to whatever they need to perpetrate a fraud. Account lockouts and rate limits blunt this against a single account, which is why attackers often switch to the password spray attack described below.
Business Email Compromise
Also known as CEO Fraud. BEC is a sophisticated scam where a fraudster sends an email, either from an executive's hijacked account or from a legitimate-looking but fake account, to someone inside that executive's own company in an effort to elicit unwanted actions or leak information. Often urgent, such emails may request an immediate payment, usually a wire transfer, to a new vendor. The employee, not wanting to displease their boss, complies, sending the company's hard-earned profits into the hands of thieves.
Real life example: Employee "Judy" receives an email from the CFO of the Ohio manufacturing firm she works for, someone who is rarely in the office, asking for a $315,000 wire transfer to a Chinese firm. In reality the email was a fake, created to look like it came from the CFO's real email account, and Judy wired the money into the hands of cyber criminals.
Email Spoofing
Creating the appearance that an email came from an address it did not. There are varying degrees of complexity and convincingness: the cheapest version just puts a familiar name or address in the display name, while more careful versions use domain spoofing or typosquatting. Exact spoofs of your own domain are what SPF, DKIM and DMARC exist to catch at the mail gateway; lookalike domains get past those checks, so the headers still deserve a second look.
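The following is an added example, not code from the original article, showing the header checks a mail filter or an analyst can apply to a suspicious message: the display name versus the real address, Reply-To and Return-Path versus the From domain, and the DMARC verdict for mail that claims your own domain. The domain `example.com`, the three sample messages and the `Authentication-Results` lines are constructed for illustration.

```python
"""Sender-header consistency checks for catching spoofed mail.

Added example (not from the original article). INTERNAL_DOMAIN and the three
sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # hypothetical domain of the company being defended


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return human-readable inconsistencies between the places a sender identity appears."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Most clients show only the display name, so "cfo@example.com" as the *name*
    # on an address at some other domain is a cheap and common trick.
    if "@" in from_name and domain_of(from_name) != from_domain:
        findings.append(f"display name {from_name!r} hides real sender {from_addr}")

    # Replies should go back to the apparent sender; a foreign Reply-To quietly
    # redirects the conversation to the fraudster.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_domain}")

    # Return-Path is the envelope sender recorded by the receiving server. This is a
    # heuristic: newsletters and mailing lists legitimately use a different bounce domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path {return_path} differs from From domain {from_domain}")

    # An exact-domain spoof of our own domain should fail DMARC at our gateway;
    # treat anything other than an explicit pass as suspicious.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == internal_domain and "dmarc=pass" not in auth:
        findings.append("From claims the internal domain but DMARC did not pass")

    return findings


# Constructed samples: display-name trick with a redirecting Reply-To ...
SPOOFED_DISPLAY_NAME = """\
From: "cfo@example.com" <cfo.example@example.org>
Reply-To: wire.desk@example.net
Return-Path: <cfo.example@example.org>
To: judy@example.com
Subject: Urgent wire transfer

Judy, please wire $315,000 to the new vendor today. I am travelling, so reply here.
"""

# ... an exact spoof of our own domain that the gateway failed on DMARC ...
SPOOFED_EXACT_DOMAIN = """\
From: "Chief Financial Officer" <cfo@example.com>
Return-Path: <bounce@example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.com
To: judy@example.com
Subject: Urgent wire transfer

Judy, please handle the attached wire request before noon.
"""

# ... and a genuine internal message for comparison.
CLEAN = """\
From: "Chief Financial Officer" <cfo@example.com>
Return-Path: <cfo@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
To: judy@example.com
Subject: Q3 budget

Judy, the Q3 numbers are in the shared folder.
"""

if __name__ == "__main__":
    for label, raw in [("display-name spoof", SPOOFED_DISPLAY_NAME),
                       ("exact-domain spoof", SPOOFED_EXACT_DOMAIN),
                       ("clean", CLEAN)]:
        print(label, "->", spoof_indicators(raw) or "no indicators")
```

None of these checks is proof on its own, but a wire request that trips any of them should go through an out-of-band confirmation with the requester before any money moves.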
Long Con
Rather than grabbing a small amount of information immediately, the attacker uses social engineering over a period of time to build increasingly high levels of trust with the target. In many cases they conduct real business and take part in normal transactions to establish rapport and confidence before perpetrating the main fraud.
Malware
Short for "malicious software": programs intended to cause harm to computers. In a fraud scheme, malware may be deployed to disrupt key parts of the targeted business and delay its response while the money moves.
Man-in-the-Middle Attack
The interception and/or manipulation of communication between two parties, such as the traffic between a browser and a secure website. Properly validated TLS prevents a third party from reading or altering that traffic, which is why certificate warnings in a browser should never be clicked through, especially on public Wi-Fi.
Password Spray Attack
When a fraudster tries one or a few commonly used or leaked passwords against many accounts, rather than many passwords against one account. Most systems lock an account after a handful of failed attempts (a frustrating experience when you just can't remember your password), so experienced fraudsters try a single password against every employee's account, wait, then try the next one, staying under the lockout threshold on each account in the hope that the weakest link lets them in to sensitive information.
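The two attacks above look very different in authentication logs, and a detection that only counts failures per account misses the spray entirely. The following is an added example, not code from the original article, that classifies constructed login events into brute force (many failures on one account from one source) and password spray (one source touching many accounts while staying under the lockout count on each). The log format, thresholds and IP addresses are assumptions for illustration.

```python
"""Brute-force vs. password-spray classification over authentication log lines.

Added example (not from the original article). The log format, the sample
events and the thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> auth=<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify_failures(lines, brute_threshold=5, spray_min_users=5, lockout=3):
    """Return brute-force (src, user, failures) and spray (src, distinct users) findings.

    brute_threshold: failures on a single account from one source that count as brute force.
    spray_min_users: distinct accounts one source must fail against to count as a spray.
    lockout:         the system's lockout count; a spray stays below it on every account.
    """
    per_pair = Counter()            # (src, user) -> failed attempts
    users_by_src = defaultdict(set)  # src -> accounts it failed against
    for ev in parse(lines):
        if ev["result"] != "fail":
            continue
        per_pair[(ev["src"], ev["user"])] += 1
        users_by_src[ev["src"]].add(ev["user"])

    brute = sorted((src, user, n) for (src, user), n in per_pair.items() if n >= brute_threshold)

    spray = []
    for src, users in users_by_src.items():
        if len(users) < spray_min_users:
            continue
        # The signature of a spray: wide, shallow, never tripping the lockout.
        if all(per_pair[(src, u)] < lockout for u in users):
            spray.append((src, len(users)))

    return {"brute_force": brute, "password_spray": sorted(spray)}


# Constructed sample log: one source hammering "judy", another trying a single
# password across eight accounts, plus ordinary noise.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{i:02d}Z auth=fail user=judy src=203.0.113.5" for i in range(6)]
    + [f"2024-03-01T09:05:{i:02d}Z auth=fail user={u} src=198.51.100.7"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + ["2024-03-01T09:10:00Z auth=fail user=bob src=192.0.2.9",   # one typo, benign
       "2024-03-01T09:10:30Z auth=ok user=bob src=192.0.2.9",
       "2024-03-01T09:11:00Z auth=ok user=alice src=10.0.0.3"]
)

if __name__ == "__main__":
    print(classify_failures(SAMPLE_LOG))
```

In production this runs over a sliding time window (an hour is a common choice) and keys on the source network or ASN as well as the single IP, since sprayers rotate addresses; the shape of the logic stays the same.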
Phishing
When fraudsters send an email that appears to come from a recognizable source in order to steal something from the recipient: account login details, data, money and so on. Cyber criminals have become steadily more sophisticated, and the attacks steadily more effective. In the most widespread version the victim receives an email that convinces them to click a link to view an attachment or read a secure message. The link loads a convincing but phony login or information form that collects the victim's credentials or sensitive information for the criminals.
For more information and examples, check out our series on Email Phishing.
Ransomware
Software that blocks access to valuable information unless a ransom is paid. Typically it encrypts the data so the company cannot use it without the decryption key held by the attacker, and increasingly the attacker also steals a copy and threatens to publish it to cause loss or damage if the ransom is not paid.
SIM Swapping
The takeover of a target's mobile phone number, usually achieved by convincing the cell phone provider to move the number to a SIM card the criminal controls. This lets the criminal receive login codes sent by text message and defeat SMS-based two-factor authentication. Authenticator apps and hardware security keys are not affected by a SIM swap, which is one reason to prefer them over text-message codes for anything touching money.
Social Engineering
The manipulation of people into divulging sensitive information or performing actions that further the attacker's goals. A successful execution of this "confidence trick" depends on earning trust through charm and conveying familiarity and industry knowledge. Most successful fraud schemes involve some degree of social engineering.
Our entry The Power of Social Engineering to Decimate Your Security provides even more examples of this factor.
Spear Phishing
Spear phishing is phishing tailored to a specific target. The attacks are not sent at random; they are focused and persistent, aimed at a particular victim or group of victims. For example, an outsider impersonating an employee to get the finance department to reveal information or take sensitive actions.
Typosquatting
A form of domain spoofing where an attacker registers a domain very similar to the legitimate one, such as googIe.com rather than google.com (what looks at a casual glance like a lowercase "L" is actually an uppercase "i" in that example). Other common variants swap a zero for the letter "o", use "rn" in place of "m", or drop or double a letter. Because domain names are case-insensitive, the uppercase-i trick works on the link text and the display name rather than in DNS itself, so the safest check is to read the address the link actually points to, character by character.
Whaling
A subset of phishing that specifically targets high-ranking individuals, often involving information collected from multiple sources beforehand.
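The following is an added example, not code from the original article, that flags the lookalike domains described under Typosquatting: it unifies confusable characters into a "skeleton" (so googIe.com and g00gle.com both collapse to google.com), catches names one edit away from a trusted domain, and catches a trusted name buried inside a longer attacker-controlled domain. The trusted list and the confusable table are small illustrative subsets and assumed for the example.

```python
"""Spotting lookalike domains: homoglyphs, one-character typos and embedded brands.

Added example, not from the original article. TRUSTED and CONFUSABLES are
small illustrative subsets chosen for this demonstration.
"""

# Visually confusable sequences mapped to the character they imitate. Multi-character
# entries come first so "rn" becomes "m" before any single character is touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

TRUSTED = ["google.com", "example.com"]  # hypothetical allow-list of genuine domains


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which confusable characters are unified."""
    s = domain.lower()
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate: str, trusted_domains=TRUSTED):
    """Return a reason string if candidate imitates a trusted domain, else None."""
    cand = candidate.lower().rstrip(".")
    trusted = [d.lower() for d in trusted_domains]

    # The genuine domain, or a real subdomain of it, is not a lookalike.
    for t in trusted:
        if cand == t or cand.endswith("." + t):
            return None

    cand_labels = cand.split(".")
    for t in trusted:
        if skeleton(cand) == skeleton(t):
            return f"homoglyph of {t}"
        if levenshtein(cand, t) == 1:
            return f"one edit away from {t}"
        # "google.com.verify.attacker.example" style: the brand appears as a run of
        # labels, but the registrable domain at the end belongs to someone else.
        t_labels = t.split(".")
        n = len(t_labels)
        if any(cand_labels[i:i + n] == t_labels for i in range(len(cand_labels) - n + 1)):
            return f"{t} embedded in another domain"
    return None


if __name__ == "__main__":
    for d in ["googIe.com", "g00gle.com", "gooogle.com", "mail.google.com",
              "google.com.verify.example.org", "example.org"]:
        print(f"{d:32} -> {lookalike(d)}")
```

A real deployment would use the full Unicode confusables table and the public suffix list to find the registrable domain, and would feed newly registered lookalikes of your own domains into a mail filter, but the three checks shown are the core of it.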
As you can see, there is a huge variance in how sophisticated criminals can get, and they constantly change their methods. In the end you will want to employ multiple safeguards to keep yourself and your clients safe from harm. If you are ready to start protecting yourself, check out our Fraud Prevention series.