How Phishing Scams Can Steal Your Paycheck
It’s a big deal—not to mention highly irritating—when computers become infected and lose valuable and sometimes irreplaceable files. A compromised server can leak vital personal information onto the internet and expose victims to future identity theft. Yes, an infected computer can be reformatted and user data restored from a backup. And yes, corporations also invest big money in cloud-backup services to cover their assets, but the truth is there’s no way to recover money lost to a well-aimed spear phishing attack on a payroll bank account, as no financial institution will reimburse the losses. It’s good old-fashioned theft, plain and simple.
Instead of targeting corporations, most of which have invested in some type of cybersecurity defense, scammers are now focusing their attacks on a company’s individual employees. Lexology, an information services law firm, revealed in a recent report that employees need to remain alert and chronically skeptical of all the messages they receive. Spear phishing is a form of target-specific phishing: the message is tailored to one clearly identified person, whereas an ordinary phishing expedition is not aimed at any particular recipient.
Any content listed in the “FROM:” field of an email message is easy to spoof and is not a reliable indicator of the sender’s identity or legitimacy. According to Lexology, this spear phishing technique is growing and appears to be specifically targeting employees of corporations. The scenario can play out in a variety of ways. Say an employee receives an email from a company account mimicking a familiar and trusted company service or resource, such as a survey request or a need for an e-signature. The email then prompts the employee to click a link, access a website, and answer a few questions. Seems simple enough, right? Wrong. Because when individuals follow these prompts, they are instructed to “confirm” their identity once again by entering their complete log-in credentials. And that’s the beginning of the end.
The people most likely to fall for this scam are non-technical users, because scammers are wildly clever at recreating the exact look of a real bank website, where someone can securely log in to their account. From the perspective of an average internet user, there is no visible difference between the authentic site and the fake one, which is designed only to capture whatever information is entered. Once the fraudulent “transaction” is complete, the employee will likely never see another paycheck deposited into their account.
Technically savvy employees, on the other hand, may detect some red flags on the fake site, like misspellings and grammatically incorrect sentences. These are warning signs that should not be ignored! Although the message is attempting to establish an atmosphere of trust, it is really just an active attack. And if these workers take the time to investigate their accounts on the back end, they often find that some kind of fund transfer has already occurred, with the sole purpose of diverting the bank account’s contents into the hacker’s pocket.
Companies need to educate their employees about these clever phishing scams and remind them never to share their private credentials with anybody else, even through seemingly innocent online communications. Emails discussing personal topics such as payroll deposits should be discouraged within the organization, and employees should be instructed to communicate with the HR Department directly when handling important financial matters.
Julia Sowells
Julia Sowells is a technology and security professional. In a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.