Phishing on our data gold is on the rise
Many companies allow their employees to share documents online and even access entire office systems online. Sometimes just a password is enough to gain access to an email account, but also to various other documents. It is therefore not surprising that these credentials are of great interest for so-called phishing attacks.
In 2018, the Melani Reporting and Analysis Centre received repeated reports of phishing attacks; this method of attack is circulating throughout Switzerland. The phishing emails use shared PDFs, links, logos and the like, and imitate sender addresses, in order to obtain personal data.
The login pages of Microsoft Office 365 or OneDrive, for example, are often copied. The quality and nature of the emails vary greatly. In some emails, the recipient is asked to identify themselves, perhaps to resolve a problem with their bank account, or to view a document that has been shared with them.
In all cases, the recipient is redirected to a phishing page that imitates the provider's site, where they are expected to enter their username and password.
"They're imitating the provider's site."
Tailor-made fraud attempt
Once the criminals have access to the account, they can change the same settings as the account holder:
- Set up email forwarding so that they receive all of the victim's correspondence. The forwarding is often configured as a copy, so that the account holder does not notice it.
- If the platform's email account is used as the reset address for additional services, an attacker can have the corresponding passwords reset and gain access to those services as well.
- Attackers can access further documents as far as the user's rights allow. They can also, in the victim's name, ask other users to release documents; since those users assume the request comes from a colleague, they often comply with this "wish".
For cyber criminals, such data, especially credentials, are worth their weight in gold. The data lets them read relevant information such as business relationships, cases being processed, and the structure and organizational charts of the company, which they use for a tailor-made fraud attempt.
Likewise, it cannot be ruled out that such information is used for industrial espionage or sold on.
Reporting and analysis centre alerted
Once an account is compromised, all of the compromised person's contacts can be affected. They risk receiving an email carrying malware that appears to come from the account of a colleague or business partner. With this method, the attackers can gain further access to the company network.
The federal agency Melani makes the following recommendations:
Technical measures:
- Use two-factor authentication wherever it is available.
- It is recommended to choose a service that provides sufficient logging functionality and makes the logs available to customers in a suitable form.
- Companies are advised to look for anomalous actions on employee accounts: Accessing from unusual locations or at unusual times, adding email forwards, etc.
- Mails should always be digitally signed (at least internally) and users should be trained to handle mails without an appropriate signature with special care.
- When sending legitimate e-mails with a high misuse potential for phishing, such as the electronic sending of invoices, care should be taken to ensure that the links are not hidden behind HTML text and that the mails and/or documents are digitally signed.
- SPF, DKIM and DMARC protocols should be set up so that one's own domain can be misused less easily for phishing attempts. This is also possible with some of the large collaboration providers, such as Office365.
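One way to implement the anomaly check in the points above (sign-ins from unusual locations or at unusual times, newly added email forwards), as an added example that is not from the article or from any provider's tooling; it runs over a constructed, simplified audit log whose field layout and action names are assumptions, not a real product's schema:

```python
# Added example (not from the Melani article): flag the account anomalies the
# recommendations name over a constructed, simplified audit log.
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Shape (an assumption, not a real product's schema):
# (ISO timestamp, user, action, sign-in country, detail)
EVENTS = [
    ("2018-05-02T08:15:00", "anna@example.ch", "SignIn", "CH", ""),
    ("2018-05-02T09:40:00", "anna@example.ch", "SignIn", "CH", ""),
    ("2018-05-03T08:05:00", "anna@example.ch", "SignIn", "CH", ""),
    ("2018-05-03T23:50:00", "anna@example.ch", "SignIn", "NG", ""),
    ("2018-05-03T23:52:00", "anna@example.ch", "NewInboxRule", "NG", "forward-to:ext@mail.test"),
    ("2018-05-03T10:00:00", "beat@example.ch", "SignIn", "CH", ""),
    ("2018-05-03T10:05:00", "beat@example.ch", "SetMailbox", "CH", "forwarding-smtp:ext2@mail.test"),
]

BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 counts as normal
FORWARD_ACTIONS = {"NewInboxRule", "SetMailbox"}  # hypothetical action names


def detect_anomalies(events):
    """Return (timestamp, user, reason) for each suspicious event, in time order.

    Baseline: the countries a user has signed in from without being flagged
    form their normal locations. A sign-in from any other country, a sign-in
    outside BUSINESS_HOURS, and any action that sets up forwarding are flagged.
    """
    baseline = defaultdict(set)
    findings = []
    for ts, user, action, country, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "SignIn":
            unusual_country = bool(baseline[user]) and country not in baseline[user]
            if unusual_country:
                findings.append((ts, user, f"sign-in from unusual country {country}"))
            else:
                baseline[user].add(country)   # only unflagged sign-ins extend the baseline
            if when.hour not in BUSINESS_HOURS:
                findings.append((ts, user, f"sign-in at unusual hour {when:%H:%M}"))
        elif action in FORWARD_ACTIONS and "forward" in detail.lower():
            findings.append((ts, user, f"mail forwarding configured: {detail}"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(EVENTS):
        print(f"{ts}  {user:18}  {reason}")
```

In practice the baseline would be built from weeks of history rather than the first sign-in, and the forwarding check would key on the provider's actual audit event names.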
Organizational measures:
The best way to combat phishing is to make employees aware of this phenomenon: It is essential that employees are trained in recognizing and dealing with suspicious and fraudulent emails.
Employees who have been made aware know that they should not click on any links or open any attachments in suspicious or fraudulent emails, but should inform their superiors or IT managers immediately.
"Caution is advised with abnormalities."
The processes and risk-minimising measures defined by the company must also be complied with at all times. In particular, all processes relating to payment transactions should be clearly regulated within the company and complied with by employees in all cases (e.g. dual control principle, collective signature by two persons, processes in accordance with the internal control system).
More about current phishing waves, attempts and countermeasures can be found on the website www.antiphishing.ch.