Why Phish Fingers? It’s a tenuous link, but I’m thinking about phishing attacks and the breadcrumbs we need to follow to work out how the attack happened and what the attackers managed to access.

It kind of works and I needed a title. I’m sticking with it.

Inside six working days, we’ve had four clients report phishing attacks on their businesses.

From time to time, we do have people sending us messages asking us “is this email safe?” – so we know these emails are coming all the time. There’s nothing new or unique about that.

What’s different this time is that two of the attacks were successful, and at least one other managed to get a click.

Each attack was slightly different and none of them exploited a security hole as such, so the timing is either coincidental or attacks are ramping up across the board. Time will tell.

What is clear, though, is that rather than looking to IT and security for cost savings, businesses need to think about how they can invest more in security to protect their business and their investment, before they end up in a whole world of financial pain.

Let’s get into the details and talk about what happened in two of the successful attacks recently.

when you become the phish

Our client, let’s call him “Dave” for maximum obscurity, contacted us to say he thought he may have been hacked.

He’d been sent an RFQ document link by one of his clients, something that didn’t seem all that unusual or unexpected on the surface.

After clicking to view the document he was presented with a Microsoft 365 login page to gain access to the document, at which point Dave duly logged in.

Soon after, he was contacted by several of his own contacts asking if the email he had sent to them was legitimate.

Dave had not sent any such emails and so he contacted us for support.

We were also on Dave’s contact list, so minutes before, we too had been sent a copy of this message and were able to analyse it.

Within an hour of the hackers gaining access to Dave’s account, we’d locked it down, kicked them out and discovered that 600 emails had been sent to Dave’s contacts.

Dave kept telling us how stupid he felt, but it’s not something to be ashamed of: these messages are carefully designed to catch us out.

It’s not a matter of if, but when.

fancy losing £20k? nah, didn’t think so.

There aren’t many small businesses who can afford to lose this kind of money. For many it would be catastrophic.

In the second of the attacks in one week, a different tactic was used.

This time we’re going to pick on “Harriet” – because we don’t have any Harriets in our client list.

Harriet received an email from DocuSign. It came from a real DocuSign account in the name of a trusted contact, which made it even harder to spot.

Even though Harriet wasn’t expecting anything from this person, it wasn’t totally out of character, so there wasn’t enough to be suspicious about.

After opening the link, a PDF opened up which itself contained a further link. This was the dodgiest part of the process, as it’s not what you’d usually expect to happen, but it’s a great tactic for getting past email spam filters: the link in the email was a genuine, safe DocuSign link, so the filters never saw the malicious address. Harriet only reached the malicious site by clicking the link inside the PDF, directly from her web browser.

Yet again, a fake Microsoft 365 login page was presented and Harriet logged in to access the document.

The alert came when Harriet was contacted by one of her clients to check if she really was asking for her bank details to be changed.

Harriet’s blood ran cold.

Right away, she contacted us to look into it. We found that an attacker from Poland had connected to her account, looked through her emails and found a recently sent invoice for almost £20,000, and had then emailed Harriet’s client asking them to change the bank details and make payment as soon as possible.

They’d also put email rules in place to send any messages from Harriet’s client straight into the Deleted Items folder, where they were picking them up and responding as Harriet to any queries.

what happened next?

Fortunately, in both cases our clients had people in their networks who were savvy enough not just to check by email that things were OK, but to actually pick up the phone and check in person.

This was the important factor, because in both cases the attackers were in the mailboxes replying as their victims and reassuring the recipients that all was well.

Because our clients were all set up with proper business email systems, we had the tools we needed to check who had logged on, from where and when.

We could check email sending logs to see who had been contacted and what messages had come in and out of the mailboxes.

We could also interrogate audit logs to see what other data might have been accessed or to rule out the possibility that a further breach of data had taken place.
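The two traces described above, the hiding inbox rules and the sign-ins from an unexpected country, are the first things worth pulling out of those logs during triage. The script below is an added example, not code from the original post or from any tool the post mentions. It runs over a handful of constructed records whose field names are a simplified assumption rather than the exact Microsoft 365 audit or sign-in log schema (the real audit log stores rule parameters as a list of name/value pairs, flattened here to a plain dict). It flags rule changes that move mail into folders people rarely read or that delete, mark as read or forward it, lists successful sign-ins from outside the countries the team works from, and builds a per-user timeline of everything audited after the first foreign sign-in.

```python
"""Triage of constructed Microsoft 365-style logs: inbox rules that hide mail,
sign-ins from unexpected countries, and a timeline of what followed.

All records are constructed for illustration; field names are a simplified
assumption, not the real Unified Audit Log / sign-in log schema.
"""
from datetime import datetime, timezone

# Constructed sign-in records (IP addresses from the RFC 5737 documentation ranges).
SIGN_INS = [
    {"time": "2024-01-15T08:30:00Z", "user": "harriet@example.co.uk",
     "ip": "198.51.100.2", "country": "GB", "result": "Success"},
    {"time": "2024-01-15T09:12:04Z", "user": "harriet@example.co.uk",
     "ip": "203.0.113.7", "country": "PL", "result": "Success"},
    {"time": "2024-01-15T09:12:40Z", "user": "dave@example.co.uk",
     "ip": "203.0.113.9", "country": "NL", "result": "Failure"},
]

# Constructed audit records; "parameters" is flattened to a plain dict here.
AUDIT_EVENTS = [
    {"time": "2024-01-15T09:14:10Z", "user": "harriet@example.co.uk",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "From": "accounts@client.example",
                    "MoveToFolder": "Deleted Items", "MarkAsRead": "True"}},
    {"time": "2024-01-10T11:00:00Z", "user": "harriet@example.co.uk",
     "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "SubjectContainsWords": "Newsletter",
                    "MoveToFolder": "Newsletters"}},
    {"time": "2024-01-15T09:15:02Z", "user": "harriet@example.co.uk",
     "operation": "MailItemsAccessed", "parameters": {}},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders users rarely look in, so mail routed there effectively disappears.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}
# Rule actions that destroy, hide or divert mail.
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead", "ForwardTo", "RedirectTo",
                  "ForwardAsAttachmentTo")


def parse_time(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the records above."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inbox_rule_findings(events):
    """Return rule-change events whose parameters hide or divert mail."""
    findings = []
    for ev in events:
        if ev["operation"] not in RULE_OPERATIONS:
            continue
        params = ev["parameters"]
        reasons = []
        folder = params.get("MoveToFolder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to '{folder}'")
        for action in HIDING_ACTIONS:
            # Any non-empty, non-"False" value means the action is switched on.
            if str(params.get(action, "")).lower() not in ("", "false"):
                reasons.append(f"{action}={params[action]}")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "rule": params.get("Name", "<unnamed>"),
                             "reasons": reasons})
    return findings


def sign_in_findings(sign_ins, allowed_countries=frozenset({"GB"})):
    """Return successful sign-ins from outside the countries the team works from."""
    return [s for s in sign_ins
            if s["result"] == "Success" and s["country"] not in allowed_countries]


def attacker_timeline(sign_ins, events, allowed_countries=frozenset({"GB"})):
    """Per user: the earliest foreign sign-in and every audited action from then on."""
    timeline = {}
    for s in sign_in_findings(sign_ins, allowed_countries):
        entry = timeline.setdefault(s["user"], {"first_foreign_sign_in": s["time"]})
        entry["first_foreign_sign_in"] = min(entry["first_foreign_sign_in"], s["time"])
    for user, entry in timeline.items():
        start = parse_time(entry["first_foreign_sign_in"])
        entry["actions"] = sorted(
            (ev["time"], ev["operation"]) for ev in events
            if ev["user"] == user and parse_time(ev["time"]) >= start)
    return timeline


if __name__ == "__main__":
    for f in inbox_rule_findings(AUDIT_EVENTS):
        print("SUSPICIOUS RULE:", f)
    for s in sign_in_findings(SIGN_INS):
        print("FOREIGN SIGN-IN:", s)
    print("TIMELINE:", attacker_timeline(SIGN_INS, AUDIT_EVENTS))
```

On the constructed data the legitimate “Newsletters” rule is left alone, the rule that files the client’s mail into Deleted Items and marks it read is flagged, and the timeline shows the rule being created two minutes after the Polish sign-in, followed by mailbox access. In a real incident the same checks would be run against the exported audit log, and the timeline is what tells you which messages the attacker could have read or sent.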

But could more have been done?

Additional Solutions

It’s always going to be difficult to stop these kinds of attacks from taking place, especially when they come from trusted contacts who have, in turn, been hacked.

Piggybacking on the trust of others is an easy way of lowering our defences.

Regardless, there are things that can be done.

  • User Awareness Training – the more we learn about security and the threats against us, the more we are thinking about attacks and what “suspicious” looks like, the more likely we are to spot when things are fishy and then check and double check. For the superhero fans amongst us, it’s a case of building up our Spidey Senses.
  • User Spam and Phishing Protection – most business email systems have a level of protection built in, but as with most things, if you’re on the basic packages you won’t get the best features. Look at which upgraded packages are available that will boost your protection.
  • Carry out regular Phishing Testing – this is where fake phishing messages are sent to test your reactions and raise your sensitivity to a potential attack. IT providers just like us can provide these tools and set up the tests for you.
  • Use a Password Manager application. These match your saved logins against the address of the site you’re on, so on the legitimate Microsoft 365 site they offer to auto-fill the right password into the login form. On a fake site the password manager won’t serve up the password, and that is a strong clue that something isn’t right.
  • Make sure you have multi-factor authentication turned on – that’s the code that changes in an app, or a text message that comes through with an additional code to enter after your password. Better still, look at physical security keys like YubiKey, which only respond to the genuine website and so can’t be tricked by a fake login page. With any of these the attacker would need your key or your phone to gain access, even if they have your password. It’s not bullet-proof and there are ways around it, but it will seriously increase your security.
  • Look at Geoblocking. If your team only ever works from the UK, you can lower your risk dramatically by blocking access to your systems from other countries. Most of the attacks we’ve seen originate outside the UK, so this would be a big help.

guardian package

Our Guardian Package helps with most of the above measures. Contact us to find out how you can add Guardian to your business, and arm your team with the knowledge and tools to protect themselves.