Most phishing appears to be aimed at stealing email credentials to use for spamming, but occasionally the phishers have a more sophisticated strategy: using a stolen account for malicious financial purposes.
Some phishers are looking to hijack accounts they can use to extract payments from University departments, using the account to send requests for fund transfers, sometimes quite insistent ones.
A typical scenario:
- Victim receives a "shared Google document" and "logs in" to view it, giving up their ID and password.
- Phisher researches the victim by reading their email to learn more about them.
- Phisher notes the victim has a position likely to involve finances.
- Phisher adds mail filters so that certain incoming messages are moved straight into a folder and never appear in the victim's inbox.
- Once the phisher is ready, they use the account to send invoices or other messages to relevant contacts found in the victim's mail, requesting that money be directed to a bank account they control. The filters divert replies into the hidden folder (or to another email account) so the victim never sees the exchange.
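The filter step is the part of this scenario that leaves a durable trace: the rules stay in the account after the phisher is done. The script below is an added example (not from the original post) that reviews a list of exported mail filters and flags the patterns described above: rules that keep mail out of the inbox, mark it read, or auto-forward it to an address outside the organisation, with extra weight when the rule targets finance-related mail. The filter records are constructed sample data shaped loosely like the Gmail API filter resource (criteria plus action, with system labels such as INBOX and UNREAD); the exact field names, the home domain example.edu, and the keyword list are assumptions for illustration.

```python
"""Review exported mail filters for patterns typical of a hijacked account.

The records handled here are CONSTRUCTED sample data, shaped loosely like the
Gmail API "filters" resource (criteria + action).  Field names, label ids and
the home domain are assumptions for illustration, not a vendor-exact format.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.edu"  # assumed home domain of the mailbox being reviewed
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "transfer", "accounts payable")


@dataclass
class Finding:
    filter_id: str
    severity: str   # "low", "medium" or "high"
    reason: str


def _matches_finance(criteria: dict) -> bool:
    """True if any matching criterion mentions a finance-related term."""
    text = " ".join(str(criteria.get(k, "")) for k in ("from", "to", "subject", "query")).lower()
    return any(term in text for term in FINANCE_TERMS)


def review_filters(filters: list[dict], org_domain: str = ORG_DOMAIN) -> list[Finding]:
    """Return one Finding per suspicious filter, in the order the filters were given."""
    findings: list[Finding] = []
    for f in filters:
        fid = f.get("id", "?")
        crit = f.get("criteria", {})
        act = f.get("action", {})
        removes = set(act.get("removeLabelIds", []))
        adds = set(act.get("addLabelIds", []))
        forward = act.get("forward")

        # Mail that skips the inbox, or is sent straight to trash/spam, is hidden from the user.
        hides = "INBOX" in removes or "TRASH" in adds or "SPAM" in adds
        marks_read = "UNREAD" in removes  # suppresses the unread counter as well

        if forward and not forward.lower().endswith("@" + org_domain):
            findings.append(Finding(fid, "high", f"auto-forwards matching mail to external address {forward}"))
        if hides and _matches_finance(crit):
            findings.append(Finding(fid, "high", "hides finance-related mail from the inbox"))
        elif hides and marks_read:
            findings.append(Finding(fid, "medium", "moves mail out of the inbox and marks it read"))
        elif hides:
            findings.append(Finding(fid, "low", "moves mail out of the inbox (common for lists; confirm with the user)"))
    return findings


# Constructed sample filters: one benign mailing-list rule, one that buries
# finance replies, and one that forwards vendor mail to an outside address.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "list@newsletter.example.com"},
     "action": {"addLabelIds": ["Label_news"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": 'invoice OR "wire transfer"'},
     "action": {"addLabelIds": ["Label_old"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"from": "ap@vendor.example.com"},
     "action": {"forward": "someone@mail.example.net"}},
]

if __name__ == "__main__":
    for finding in review_filters(SAMPLE_FILTERS):
        print(f"[{finding.severity:6}] filter {finding.filter_id}: {finding.reason}")
```

Run against the sample data, the benign list filter is reported as low severity for a human to confirm, while the finance-hiding rule and the external forward are both reported as high. In practice the same check belongs in a periodic review of filter and forwarding settings for staff who handle payments, and any newly created hide-or-forward rule on such an account is worth a phone call to its owner.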
Best practices:
- Be sure your department has established procedures for all financial transactions, and stick to them.
- Treat unusual, hurried and insistent requests with suspicion. "Is this the way Professor Smith normally acts?"
- Use other means of communication than email to confirm unusual requests. Make a phone call, or ask in a face-to-face conversation.