Summer phishing trip
by Jon Lober | NOC Technology
When you go on vacation, scammers go to work.
How cybercriminals take advantage of summer travel to steal your money and information.
As a managed service provider, we are confronted with unceasing reminders of the very real threat of cybercrime. As we work with our customers to protect their organizations, we often get front row seats to phishing attempts. One of NOC’s customers recently informed us that they were the target of a typical summertime phishing scam. Here is how it played out.
The CEO was out of the office for their annual June vacation. While she was gone, the CFO and one of the organization’s administrators received an email from her requesting them to change her payroll deposit information to a new account. Thanks to their awareness training, they double-checked the sender’s email address and immediately saw that it had been spoofed—avoiding a painful loss of deposits to the scammer.
This type of scheme is extremely common—and often successful since utilizes several effective social engineering techniques: authority (the email appeared to be from “the boss”), a break in routine (the CEO was on vacation), and inside information (the scammer knew that the CEO was out on vacation).
It is not clear how the scammer became aware of the CEO’s travel schedule, but they were certainly prepared to strike as soon as she left the office. Summer vacation season in the United States disrupts business as usual for most companies, and cybercriminals have learned to take advantage of the opportunity.
As you travel, or prepare to travel this summer, we want you to be prepared. We will start by looking at a few popular frauds that are making the rounds this summer in addition to some red flags for detecting them and methods to protect yourself.
Popular Summer Scams
1. Rental scams
Unfortunately, cybercriminals have figured out that you are worried about inflation’s impact on the cost of your vacation. Travel website Hopper is seeing people return to check prices 50% more than previous years, and McAfee reports that 35% of vacation planners intend to use sites that they have never used before to check for deals. This opens the door for opportunistic scammers to steal your information through false or compromised sites. This includes hotels, air travel, resorts, and especially rental properties.
If you are one of the half-billion people who stayed at an Airbnb last year, you understand the background stress that can nag at you prior to check-in at a rental. Will you be able to find it? Will it be in decent shape? Will you be able to get inside? Fortunately, mainstream sites like Airbnb and Vrbo are pretty reliable.
Would-be scammers use other sites or attempt to pull you away from those legitimate, reliable sites towards other web pages where they can steal your information or your money. Scammers take advantage of your quest for a great deal by leading you away from mainstream sites to book you at a nonexistent property, request a sizeable deposit for a fake stay, or offer to hold your money in an escrow account until you can see the property for yourself (which you never will).
You can avoid these headaches with a few simple safeguards. Stick to reputable rental and booking websites and do not navigate away from them at any point for additional information or to make payment. Only message through the dedicated platform (do not text or email off the main website). If you doubt the veracity of a specific location, you can try to call to talk with a real person and see if they know the area they claim to represent.
2. Business Email Compromise (BEC) vacation schemes
As we mentioned in our introduction, we see BEC attacks with increasing frequency. In fact, the everyday economic impact of BEC far outweighs the costs of ransomware attacks. The attacks are far easier to carry out than more technical methods, and the payoffs can be enormous. Another common example is the case of Patricia Reilley.
Scammers impersonated Reilley’s boss while she was on vacation, requesting that Reilley make a sizeable transfer from one account to another in her absence. Reilley’s compliance resulted in the loss of $138,000 and her job. To add insult to injury, Reilley’s employer also sued her for losses resulting from the scam, though a judge eventually cleared her of liability.
Once a cybercriminal has done their research and engineered a phishing attempt, technology cannot protect against the outcome. Humans are the last line of defense in this type of scam—and the most vulnerable.
Employee awareness training can prevent most such phishing attempts. Our opening story in this article is only one of many we see annually. BEC threats are a constant part of the business landscape now. If you have not yet confronted such an attempt, you will.
However, with ongoing awareness training, employees can increase their defense against BEC attacks and help you to avoid financial disaster. Phishing simulations can heighten sensitivity to this type of cybercrime. In such a scenario, a cybersecurity professional sends “benevolent phishing” emails to your staff to determine how many of your employees are likely to fall for BEC.
Once you have your initial results, a cybersecurity professional or MSP (Managed Services Provider) can work with you to reduce the click rate through targeted training and regular simulations to keep employees sharp.
3. Human Resources PTO-request scams
This one is a bit newer in the cybercrime landscape, but it is already leaving a mark on afflicted businesses.
Many companies try to prevent employee vacations from overlapping so that they do not end up short-staffed at a critical moment. Phishers are now taking advantage of this fact through a cruel scheme that preys on an employee’s inherent trust of HR communications and desire for a timely vacation.
In this fraud, a cybercriminal sends an email to employees that appears to be from the company’s HR department, requesting that the employee enter their request for vacation time. When the employee follows the link and tries to sign in on the compromised page, the scammer steals the login information.
Avoid falling prey to this scheme by following email security best practices. Examine the sender’s actual e-mail address. Hover over the file path of any links to make sure they match what is communicated and seem legitimate. Consider whether the tone and language of the email matches normal HR communications in your business.
