Open Season: How Phishing Attacks Up Their Game


Tax season is upon us with the usual missives from Her Majesty’s Revenue and Customs (HMRC). Most organizations are aware that the tax office won’t contact them via email, but the recent move towards the digitization of the tax process has muddied the waters.

People are confused. Perhaps some processes are already online? Did they use their work email address or their personal email address to file a return? Quick to take advantage of this, scammers have been issuing phishing emails that mimic HMRC’s brand, using the same fonts and logos, the same language, and some pretty compelling assurances.

A typical example seen over the last few weeks is the ‘Tax Refund Notification’. This offers the incentive of a small refund, usually a few hundred pounds. The recipient feels reassured as they are told they need a Government Gateway account and that the refund will be processed electronically back on to their card.

Of course, once they click the ‘Start Claim’ link they are directed to a bogus version of the HMRC website, where they are asked to provide their name, address and credit card details, and even to verify their identity with their National Insurance number, driving licence and mother’s maiden name. Committed up to this point, and persuaded by the authenticity of the site, many will hand over this treasure trove of personal information.

Fallible to phishing

So are we now more fallible to phishing? Phishing emails certainly used to be easy to spot. The poor grammar, spelling mistakes and cut-and-paste logos, the odd URL and the sender usually gave them away. Their continued success is down to obfuscation (shortened URLs such as bit.ly make it more difficult to determine the address of the site being linked to) as well as user error.

Increasingly, emails are given legitimacy by other users within the organization. Last year the helpdesk on the Hillary Clinton campaign received a basic phishing email purporting to be from Google, telling campaign chairman John Podesta that he needed to change his password. The helpdesk forwarded the email and flagged it as legitimate and urgent, together with the shortened link, and the rest, as they say, is history.

These attacks still continue to exploit us psychologically (greed has largely been supplanted by anxiety) but now they are also more targeted.

Phishers have at their disposal a plethora of online information which for the most part we’ve voluntarily given them. This can allow the attacker to target certain demographics. For instance, university students have been offered ‘educational grants’ at the beginning of term time.

Professional sites such as LinkedIn are allowing phishers to identify and then impersonate senior management leading to Business Email Compromise (BEC). This type of phish can be crafted to appear as though it originates from within the company, lending weight to the instruction they give. Such scams may involve invoice or mandate fraud, whereby the recipient is instructed to send a payment or change payment terms on an existing account and few would question this if it comes from senior personnel.

Fast phishing

Phishing attacks are also becoming more responsive. They’re able to react and ride the publicity wave or engage more swiftly with victims. Key calendar events (Black Friday, Christmas, tax season, etc) or a recent data breach at a major retailer (which can be used to urge customers to change their password) or even fake news (Brad Pitt’s ‘death’ in September last year) are all now being used to launch attacks.

Email is also being supplanted by near real-time channels such as social media. In Q4 2016, social media phishing spiked, increasing 500%. Fake profiles were being created that allowed phishers to masquerade as customer support representatives for well-known firms and respond to posts left by users on Facebook, Twitter and other platforms before sending them a clickable link, in an approach dubbed angler phishing.

This poses a real threat to the established business which now needs to be able to spot and counter these attacks which essentially hijack and compromise the brand.

Going forward, phishing will continue to evolve and will become even more difficult to detect, and this will drive the need for automated phishing detection. Monitoring inbound email can be useful for helping to detect BEC attacks but it falls down when it comes to alternative channels.
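One way to implement the inbound-mail monitoring mentioned above for the BEC pattern this article describes (a senior name on an outside address, a lookalike copy of the company domain, or a Reply-To that quietly redirects replies elsewhere). This is an added example, not code from the original article or from any vendor it mentions; the company domain, the executive names and the sample messages are all constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values standing in for the organisation being protected.
COMPANY_DOMAIN = "example.co.uk"
# Senior staff whose names are most likely to be impersonated (constructed).
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Constructed inbound messages (headers only, which is all this check needs).
SAMPLE_MESSAGES = [
    ("legit",
     "From: Jane Doe <jane.doe@example.co.uk>\r\n"
     "To: accounts@example.co.uk\r\n"
     "Subject: Q1 figures\r\n\r\nAttached.\r\n"),
    ("display-name",
     "From: Jane Doe <jane.doe.office@webmail.test>\r\n"
     "To: accounts@example.co.uk\r\n"
     "Subject: Urgent payment\r\n\r\nPay the attached invoice today.\r\n"),
    ("lookalike",
     "From: John Smith <john.smith@exarnple.co.uk>\r\n"
     "Reply-To: js.finance@webmail.test\r\n"
     "To: accounts@example.co.uk\r\n"
     "Subject: Change of bank details\r\n\r\nPlease update our mandate.\r\n"),
    ("external-normal",
     "From: Supplier Ltd <billing@supplier.test>\r\n"
     "To: accounts@example.co.uk\r\n"
     "Subject: Invoice 1234\r\n\r\nInvoice attached.\r\n"),
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'rn' for 'm' style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an addr-spec ('' if there is no @)."""
    return address.rpartition("@")[2].lower()


def is_lookalike(domain, reference=COMPANY_DOMAIN, max_distance=2):
    """True when the domain is close to, but not equal to, the company domain."""
    return domain != reference and 0 < edit_distance(domain, reference) <= max_distance


def analyse(raw):
    """Return a list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    # Indicator 1: a known senior name shown on an address outside the company.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external address")

    # Indicator 2: the sender domain is a near-copy of the company domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain!r}")

    # Indicator 3: replies would go to a different domain than the one shown.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != from_domain:
            findings.append("Reply-To domain differs from From domain")

    return findings


def triage(messages=SAMPLE_MESSAGES):
    """Map each message label to its list of indicators (empty means no flag)."""
    return {label: analyse(raw) for label, raw in messages}


if __name__ == "__main__":
    for label, findings in triage().items():
        print(f"{label:16s} {findings or 'no indicators'}")
```

The third message trips all three checks, which is the point of layering them: a lookalike domain alone can be a typo, and an external Reply-To alone is common for mailing lists, but a senior name plus either of those on a message to the accounts team is worth holding for review before any payment change is actioned.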

Threat intelligence solutions combined with a managed security offering can effectively deal with the real-time nature of phishing attacks carried out using the company name.

Educating users is still worthwhile, to prevent the type of internal compromise that brought Clinton’s campaign crashing down, but as these attacks continue to become more targeted, more exploitative, and more lucrative (such as when combined with ransomware), organizations will need to face the fact that there are no longer any tell-tale signs. In the future, relying on human intuition to tell if something is phishy simply won’t be enough.
