by Paul Lewis
We’ve all heard the stories. We’ve all read the stats. We all know email phishing is a problem. But who cares, really? I consider myself very well-protected and would never fall for a phishing scam. I am not that foolish. I have nothing to worry about.
Unfortunately, phishing affects each of us no matter how vigilant we think we are. “Downstream Phishing” has become a favorite attack vector for cyber criminals and makes phishing a much greater issue, because the person who falls for the original lure is not the only one who pays for it. Consider the following real-life example:
A couple purchased a new home and was getting ready for the closing. Their real-estate attorney had been emailing documents for review, statements to be signed, and updates on the closing schedule. The day before the closing, the attorney emailed the couple, asking them to transfer $575,000 to the escrow account. All seemed normal. The couple went online, staged the wire, and clicked “send.” A few minutes later, an agent from the bank called them on the telephone to confirm the wire and requested their verbal passcode. The wire was sent.
The next day, the couple arrived at the attorney’s office for the closing. The attorney greeted them, smiled, and said, “Did you bring the certified check for $575,000 as per my email?” Extreme panic struck as the couple explained the email requested that they wire the money, which they did. They immediately called the bank. The bank informed them that the money was wired as per the couple’s request, including the verbal confirmation by phone. The money was gone.
After an investigation, it was discovered that the real-estate attorney’s email account had been phished: he had inadvertently given his login credentials to a hacker. The hacker then remotely logged into the attorney’s email account and shadowed his activity. The day before the closing, the hacker intercepted the email that requested the couple bring a certified check to the closing, and instead sent an email asking them to wire the funds to a fictitious escrow account. The bank refused to get involved, stating that it had followed proper protocol and, for added security, had received a verbal verification from the couple prior to sending the wire transfer. The couple was out $575,000, all because of a phishing email of which they weren’t even the original recipients. This kind of attack is called “Downstream Phishing” because it uses the victim of one phishing scam to lure more individuals down the line.
This story can teach us a couple of different lessons in preventive and defensive security. First of all, had the attorney been better educated in how to spot and respond to phishing emails, he might have identified the suspect email. And even if he had clicked the tainted link, he should never have entered his email login credentials. Best practice says that if you are ever prompted to log in to an account through a link in an email, don’t. Instead, close and save all of your work and reboot the computer. But the attorney wasn’t the only one who failed to follow anti-phishing best practice: the couple also should have taken a more suspicious posture. If you ever receive a request to wire funds, even if it is expected and comes from a trusted source, it is imperative that you verbally communicate with the requestor, using a phone number you already know rather than one supplied in the email, to confirm that the request is legitimate. And when staging a wire transfer with a bank, it is equally important to verify the name on the account the funds are being sent to. Had the couple exercised either of these precautions, they likely would not have lost their life savings to a hacker.
Cyber-crime is at an all-time high and continues to evolve in complexity. We all must remain vigilant, verify email requests, and be suspicious of any call to action that involves large sums of money.
About Paul Lewis
Paul Lewis is a cyber detective who has assisted with cyber investigations around the globe. He is a certified expert witness and a frequent presenter at cyber security conferences. Paul can be reached at @PaulLewisUS on Twitter.