Phishing – Supply chain attacks

Too smart to fall for phishing scams? Maybe so, but is everyone in your company?

Throughout history, the human propensity to trust what they shouldn’t has always been the weak link in the security chain. Probably the best example of this is the story of the Trojan Horse: not the virus, but the original one.

When thinking about cybersecurity, it’s only natural that people’s minds go first to EDR tools, firewalls, anti-virus software and the like. But when it comes down to people versus technology, people are the vulnerability. We can secure the technology piece to a very high degree (nothing is perfect, of course). But once we do that, the biggest threat vector in any business is its own staff, even with no malicious intent at all.

Troy’s technology was state of the art 3,000 years ago. The Greek army had laid siege for 10 years without breaching their firewalls, so to speak. In the end, all it took was a bit of trickery: making a wooden horse look like a gift left behind after the Greek army had finally given up and gone home. When the Trojans rolled the horse through their gate, all seemed fine. Then Troy went to sleep, relieved after their apparent victory. When they did, Greek soldiers climbed out of the horse and slaughtered them.

Sound familiar? Today we call this a phishing attempt, and the wooden horses are email attachments that look legitimate or links that offer free software that seems useful.

I’m sure many of you reading this received suspicious emails last week; spam filters divert most of these to a junk folder somewhere, but some get through. The bad guys know you are security conscious, so you probably have one of the popular antivirus subscriptions protecting your home network, for example. And because they know this, they send phishing emails that look like confirmations of a payment you supposedly made. You know you didn’t make that payment, but in a moment of foggy thinking, you open the email and click on what looks like a PDF, and then . . .

If you live in the USA and you have an email address, you’ve probably used Amazon, eBay or Walmart for online shopping and maybe used PayPal. So, when a phishing email slips through the net, it looks like a company you trust sent it. Some of them are pretty convincing too. If you happen to be on a laptop or desktop, it’s a pretty simple task to hover over the sender’s name, and when you see it’s not really from PayPal, you blow it away. You can do it on a phone too, but it takes a bit more effort.

But let me tell you about a new kind of scam these people are running: supply chain attacks. Think about the person who handles accounts payable for your company. An invoice email comes in from a vendor your company works with regularly. The invoice might even be a bit past due. And accounts payable gets a “can you please pay this now” reminder invoice, in the correct amount. On the company’s letterhead. Using the company’s email.

Here’s how it works: a malicious actor hacks into a company, probably a fairly large one, or at least one that is going to generate a lot of monthly billings. Then they look for the bills that are coming due. The hackers/cybercriminals can see who usually receives your invoices, so they send a phishing message using the name and email account your employee is familiar with. The email might even get through filtering because, after all, it’s a legitimate address.

The only thing that’s a little different on this invoice? This time we’d like you to wire the money to a new bank account because we’ve changed bankers or because our internal processes have changed.

It’s at this point that you’d better hope your people have been trained on what to look for and how to handle an issue like this.

If your people send the money, that bank account will be closed minutes later. You probably wouldn’t hear about it until your vendor sends a legitimate reminder invoice, and someone gets on the phone to find out what’s really going on.
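The two scenarios above call for two different checks at the accounts-payable inbox: the spoofed-sender case is caught by comparing the display name with the real address (the "hover" check), while the compromised-vendor case has clean headers and is only caught by treating any change of payment details as a trigger for an out-of-band callback. The following is an added example, not code from the original post; the vendor master record, the phrase list and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor master record (constructed): vendor name -> the
# e-mail domain that vendor has always invoiced from.
VENDOR_DOMAINS = {"Acme Supplies": "acme-supplies.example"}
# Phrases that accompany a request to redirect payment; any one of them
# should trigger a callback to a phone number already on file.
CHANGE_PHRASES = ("new bank account", "changed bankers",
                  "updated banking details", "new wire instructions")

def triage_invoice_email(raw: str, vendor: str) -> dict:
    """Flag an invoice e-mail (raw RFC 822 text) that claims to be from `vendor`."""
    msg = message_from_string(raw)
    _display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    # Collapse line breaks so a phrase split across lines still matches.
    body = " ".join(msg.get_payload().split()).lower()
    flags = {
        # Catches lookalike domains hiding behind a familiar display name.
        "sender_domain_mismatch": from_domain != VENDOR_DOMAINS.get(vendor),
        # Catches replies being routed somewhere other than the sender.
        "reply_to_mismatch": reply_domain != from_domain,
        # Catches the compromised-account case, where headers look fine.
        "payment_change_request": any(p in body for p in CHANGE_PHRASES),
    }
    flags["decision"] = ("hold_for_callback" if any(flags.values())
                         else "normal_processing")
    return flags

# Constructed sample messages (not real mail).
COMPROMISED_ACCOUNT_INVOICE = """\
From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: ap@victim.example
Subject: Reminder: invoice 4471 past due

Invoice 4471 for $12,400.00 is overdue. We have changed bankers, so please
wire payment to our new bank account shown on the attached remittance slip.
"""
ROUTINE_INVOICE = """\
From: "Acme Supplies Billing" <billing@acme-supplies.example>
To: ap@victim.example
Subject: Invoice 4472

Invoice 4472 for $3,100.00 is attached. Terms net 30, as usual.
"""
LOOKALIKE_INVOICE = ROUTINE_INVOICE.replace("acme-supplies.example",
                                            "acme-supp1ies.example")
```

The first message passes every header check and is flagged only by its body, which is exactly why the callback, not the filter, is the control that matters here.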

It didn’t matter that Troy had state of the art defenses; all it took was one person, maybe tired, distracted, or out of the loop because they were working from home, to open the gate.

If you’d like to know more about our approach to preparing your people to keep you safe, let’s have a no-obligation chat. What I’ve mentioned here is just the tip of the iceberg. We can go deeper on a call.
