Following the liquidation of Thomas Cook in September, fraudsters were quick to take advantage through social engineering scams, with legitimate banks adding uncertainty to the issue soon after. Phil Muncaster finds out more.
Phishing attacks against employees are well-documented. They can lead to account takeover and, in turn, data breaches, ransomware infection, Business Email Compromise (BEC) and other threats to the corporate bottom line and reputation. However, what about attacks that cut out the middle man and go directly for an organization’s customers?
A phishing campaign that hit Thomas Cook customers is an example of the kind of opportunist attacks that online scammers are increasingly capable of. It also highlights what can go wrong when third parties like banks wade in to try and help.
A Sad Day
Founded in 1841, Thomas Cook was the world’s oldest travel agent before its sudden demise in late September this year. The firm is said to have been in debt to the tune of billions of pounds before its collapse, with the UK government ultimately forced to spend hundreds of millions on refunds and the repatriation of 150,000 travelers. Rebecca Thornley-Gibson, a partner at city law firm DMH Stallard, branded it “a very sad day for Thomas Cook, the travel industry and all those ancillary supply services that will now face uncertainty due to their future loss of revenue.”
However, the collapse of the firm was just the start of the story for the cyber-criminals, who are ever poised to take advantage of major news events. Soon, reports started to emerge of phishing emails and ‘vishing’ calls, designed to trick customers into divulging their bank details. Multiple customers went onto Twitter to share their experiences, many of whom explained that the scammer had pretended to be a ‘refund agent’ who needed their bank details in order to issue compensation or reimbursement.
“Such communications could be received whether you are a Thomas Cook customer or not, with the fraudsters relying on hitting some genuine customers amongst the thousands of people they target randomly. Shareholders may also be targeted by such scams,” warned Get Safe Online.
“Only Thomas Cook customers who are currently abroad – or who have booked future holidays or travel – will receive genuine communications from either the CAA (Civil Aviation Authority) or one of the two firms appointed as special managers in respect of various group companies: AlixPartners UK LLP or KPMG LLP.”
"The collapse of the firm was just the start of the story for the cyber-criminals"
Banks Bluster In
The sight of phishers capitalizing on major news events like this is nothing new. In the past, scammers have tried to elicit funds and personal/financial information using lures as wide-ranging as the New Zealand earthquake, FIFA World Cups and Olympic Games tournaments, and major data breaches like those affecting Ashley Madison and Equifax.
However, one noteworthy development in the Thomas Cook case is the impact that UK banks have had on the situation. Following the incident, a flurry of text messages appeared to have been sent out to customers whom they believed had been affected. There was just one problem: many of the recipients had not booked a Thomas Cook holiday. Quite understandably, they believed the SMS they received, containing a clickable link and a phone number to call, was highly suspicious.
Most experts tell Infosecurity that the banks were right to engage with their customers on this occasion, but argue that the lenders should also have been clearer up-front about what legitimate communications look like.
“I think it is difficult to ask banks not to interfere in cases like this. Yes, there is a subset of customers who have been confused by the text messages they have received from their banks and from scammers alike. However, many banks will feel a duty to keep their customers informed of events in order to minimize their distress,” explains Gemma Moore, director at information security consultancy, Cyberis.
“What is important is that customers have a quick and clear route whereby they can validate the legitimacy of any communications they have received.”
What Brands Can Do
The bad news for organizations is that phishing attacks targeting consumers can do tremendous damage on several fronts, but are extremely difficult for individual brands to mitigate.
“There are obviously immediate financial impacts to customers, but there are also negative financial and brand implications for the affected organization, as well as an erosion of trust in the solution or technology,” says Peter Penn, senior manager at security services firm Coalfire Labs-International.
“While it hasn’t become precedent, a lack of clarity in communications could be seen as negligence on the part of a company as these schemes become more prevalent. Once these fraudulent schemes become an expected result of an ‘unfortunate’ event, it could become a matter of due diligence to prepare their customers for these scams.”
So what should this due diligence look like? “Organizations should make it policy, and then ensure their clients are made aware that they will never directly solicit personal information or provide links/phone numbers to their clients in emails or text messages. If issues arise, the organization should alert its customers, but then explicitly ask them to contact them directly through their website or published contact details,” Penn tells Infosecurity.
“Having a proactive approach to notify customers as soon as possible to identify what the communications will look like is important to ensuring the majority of clients have clear expectations and can identify fraudulent schemes before they arrive in their inbox.”
Mark Chaplin, principal at the Information Security Forum (ISF), suggests that organizations also have an educational role to play in ensuring their customers are aware of the risks of phishing and know how to spot an attack.
“Organizations need to encourage customers to be vigilant but also must go further and explain how, by providing practical and meaningful advice. For example, treating inbound contact from unknown organizations or individuals as suspicious, taking steps to confirm authenticity and initiating the contact with the right organization,” he says.
“Our recent research into human-centered security highlights the many factors that can influence how people react under difficult circumstances. Emotion, tiredness, the effect of news reports and influence of social media are just some of the reasons why people will make poor decisions.”
"The effect of news reports and influence of social media are just some of the reasons why people will make poor decisions"
When Phishing Goes Social
Yet this advice will need to be continually revisited and updated, as phishers keep evolving their techniques for maximum effect.
“Data shows that email continues to be the weapon of choice for cyber-criminals. There are open standards available, such as DMARC, for organizations to protect their domain and effectively nullify an entire class of email fraud – domain spoofing,” Proofpoint cybersecurity strategist, Adenike Cosgrove, tells Infosecurity.
“However, as consumers move to other channels such as social media, so do cyber-criminals. What we have seen so far in the case of the Thomas Cook social scams is commonly known as angler phishing, where fraudsters impersonate customer service accounts of known brands to scam consumers looking for help.”
According to data from Proofpoint revealed last year, over half (55%) of these attacks impersonated financial services firms, but this is by no means the only vertical to suffer.
In the meantime, organizations will come under increasing pressure to provide customers with educational resources and clear guidelines on what type of communications to expect. Those seen to be leading the way in this regard could even use the quality of their anti-phishing support as a competitive differentiator.