Tis the season to be crafty! Just as Amicus ITS was reaping the results of its own competition for staff to design a winning Christmas e-card for 2018 incentivised with online gift card vouchers for prizes, came the news report issued last Monday by security firm Barracuda Networks that Santa’s gone a bit phishy in a Gremlins kind of way in the run up to Christmas.
The increasing sophistication of social engineering has created a new cyber security workplace scam targeting receptionists, office managers and executive assistants. The report states: “These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals”.
Here, hackers will pretend to be the CEO or senior managers, using tactics like implied urgency and directed emails asking specifically say, for Google Play gift cards. Phishing emails can also include a ‘signature’ implying it was sent from a mobile device. Alternatively, the scam can be built around a secret ‘reward’ for employees. There are no malicious payload links, or suspicious file attachments and they are often sent from trusted email domains.
Spokesman for Barracuda Networks, Asaf Cidon commented: “When sending social engineering-based attacks, attackers have always used context and timing to their advantage – and the Christmas season has opened the door wide to a lot of cleverly designed executive impersonation”.
What can you do about it?
Organisations should have the relevant anti-malware, spyware and adware in place. Other security tools can include more advanced spybot software and AI-based security solutions to detect anomalies in email addresses that the CEO would not use, or behaviours which would recognised be uncharacteristic. But alongside all of these technical competencies, it comes back to having an educated and informed workforce across the board, vigilant and trained to spot attack efforts and know the right remedial steps to take:
• Use HR to work with IT to help with employee messaging to avoid falling for these scams and to understand what technology is needed to ward off the attacks.
• Awareness spread through the employee network should reduce the time between attack and detection and prevent more extensive damage.
• If a gift card email scam hits your organisation, why not set a procedure in place for employees to be required to gain direct management approval to verify any financial requests.
Have you experienced this type of attack? How did you react. Anyone seeking advice on security measures around their IT systems can contact Sales on 02380 429429.