Category Archives: Phishing News

Something 'phishy': Why Irish organisations are a plum target for hackers

Human link still weakest cyber defence as more organisations fall victim to socially-engineered cyber fraud and phishing attacks.

It has emerged that UCC had €110,000 stolen from it by hackers in 2015.

The revelation follows on the heels of a major cyber attack on Trinity College Dublin in April in which up to €1m was reportedly scammed by thieves.

The Sunday Independent reported that UCC is currently under sustained attack by fraudsters with at least three attempted frauds per week.

It reported that in 2015 online criminals successfully penetrated its security network, laundering €110,000 to an offshore account after gaining access to the accounts payable department.

The revelations show just how vulnerable Irish institutions are to scams by sophisticated fraudsters.

After WannaCry devastated systems around the world, it is understood that a number of Irish businesses fell victim to the Petya attack last month.

Ransomware attacks are on the rise and usually lock organisations out of their systems until a ransom is paid. In the case of WannaCry and Petya, the hackers appeared to be more interested in simply destroying systems.

But other more elaborate schemes simply find ways to manipulate users into making mistakes.

The weakest link? You

What is worrying, for example, is how susceptible managers in organisations are to socially engineered attacks.

In the case of Trinity College and the theft of up to €1m from the Trinity Foundation, the money was allegedly siphoned off by thieves who sent emails asking college officials to change bank account details for payees.

The Foundation was alerted by its bank to suspicious activity in its accounts and some of the funds were recovered.

It isn’t just academic institutions that are prey to these sophisticated attacks.

In recent weeks Meath County Council confirmed that some €4.3m in funds that were the subject of cyber theft in October last year were safely returned to the Council’s bank account.

The money was frozen in a bank account in Hong Kong after Gardaí interrupted attempts to steal the money.

The council was the victim of what is known as “CEO fraud”, in which large sums of money are transferred by criminals on foot of a bogus instruction sent in the name of a company chief executive.

In the case of UCC, crime gangs successfully penetrated its network and laundered €110,000 to an offshore account.

It is understood that some €73,000 of the money was recovered by the university through its insurance policy.

The attack prompted the university to invest more than €100,000 on stronger firewall technology and software to identify fraudulent emails and malware.

The college still faces at least two to three attempted frauds per week.

The truth is any organisation, big or small, can fall victim to sophisticated social engineering attacks that often begin with a phishing attack, whereby a user clicks on a link within an email or volunteers information.

No matter how much an organisation invests in its security, the weakest link will always be human.

The key is to educate and train staff in how to recognise suspicious emails and other communications and not fall victim.

The reason Irish organisations are a plum target for socially engineered cyber attacks is because they aren’t putting enough effort into training staff to be wary.

More needs to be done.

The price isn’t just financial, it is reputational.

If You Get An Email From This Company In Your Inbox, DELETE It!

Cybercriminals can be very sneaky when coming up with their attacks. They go to great lengths in finding ways to rip us off.

A popular tool for criminals these days is the phishing email. A successful phishing scam can lead to your gadget being infected with malware, or ransomware, or your credentials to multiple accounts being stolen. Now, customers of a popular transaction service provider are being targeted with these malicious emails.

What you need to know about the latest phishing scam

We’re talking about the company DocuSign. It provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.

The company has discovered a new phishing campaign that began last week, targeting its customers, and others, with malicious emails. It’s possible that DocuSign’s database of customer emails has been breached as well. Even if you don’t use the service, you could receive one of these malicious emails in your inbox.

What’s happening is, the cybercriminals behind this phishing attack are creating fake emails with the DocuSign logo. Be careful, the fraudulent emails look very official and they contain malicious links that lead to a macro-enabled Word document. If you click on the link, your gadget could be infected with malware.

DocuSign is detailing what to look for and urges everyone who receives this malicious email to follow these steps:

  • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.” These emails are not from DocuSign. They were sent by a malicious third-party and contain a link to malware spam.
  • Forward any suspicious emails related to DocuSign to spam@docusign.com, and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://docusign.net.
  • Ensure your anti-virus software is enabled and up to date.
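The indicators DocuSign lists above (the two campaign subject lines, lookalike sender domains such as docusgn.com, and links that do not start with https://www.docusign.com or https://docusign.net) turned into a small mail-triage check. This is an added example, not DocuSign’s or the article’s code; the sample message, the `triage` function and the lookalike heuristic (a sender domain containing "docus" that is not a DocuSign domain) are assumptions of mine.

```python
import re
from urllib.parse import urlparse

# Hosts DocuSign says legitimate links start with, and the two campaign
# subject lines (the bracketed placeholders replaced by wildcards).
LEGIT_HOSTS = ("www.docusign.com", "docusign.net")
SUBJECT_PATTERNS = [
    re.compile(r"^Completed:? .* Wire transfer for .* Document Ready for Signature", re.I),
    re.compile(r"^Completed:? .* Accounting Invoice .* Document Ready for Signature", re.I),
]
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

def link_is_legit(url: str) -> bool:
    """True only for https links to the exact hosts DocuSign lists."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in LEGIT_HOSTS

def sender_is_lookalike(sender: str) -> bool:
    """Assumed heuristic: a sender domain containing 'docus' that is not
    docusign.com or docusign.net (catches docusgn.com and docus.com)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in ("docusign.com", "docusign.net") and "docus" in domain

def triage(subject: str, sender: str, body: str, has_attachment: bool) -> list:
    """Return the indicator matches for one message; an empty list means none."""
    reasons = []
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a known campaign subject line")
    if sender_is_lookalike(sender):
        reasons.append("sender domain imitates DocuSign: " + sender)
    for url in URL_RE.findall(body):
        if not link_is_legit(url):
            reasons.append("link does not go to DocuSign: " + url)
    if has_attachment:
        reasons.append("unexpected attachment")
    return reasons

# Constructed sample message in the shape the campaign used (not a real IoC).
SAMPLE = {
    "subject": "Completed: example.com - Wire transfer for Jane Doe Document Ready for Signature",
    "sender": "dse@docusgn.com",
    "body": "Your document is ready: http://docusgn-review.example/view?id=123",
    "has_attachment": False,
}

if __name__ == "__main__":
    for reason in triage(**SAMPLE):
        print("FLAG:", reason)
```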

As I said earlier, you don’t have to be a DocuSign customer to receive phishing emails. Always be prepared by taking the following precautions.

How to defend against phishing attacks:

  • Be cautious with links – If you get an email or notification that you find suspicious, don’t click on its links. It could be a phishing attack. It’s always better to type a website’s address directly into a browser than clicking on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
  • Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.
  • Use unique passwords – Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s simple for the cybercriminal to get into each account. Click here to find out how to create hack-proof passwords.
  • Set up two-factor authentication – Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It’s like the DMV or bank asking for two forms of ID. Click here to learn how to set up two-factor authentication.
  • Check your online accounts – The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
  • Have strong security software – Having strong protection on your family’s gadgets is very important. The best defense against digital threats is strong security software.


Helping To Protect Your Company From A Cyber-Attack: Eight Tips For Human Resources …

Recent, highly publicized data security incidents highlight the continued vulnerability of corporate information systems. Notably, employees who fall prey to sophisticated phishing e-mails and other scams often contribute to the success of cyberattacks and other assaults on an employer’s information systems. Consequently, technical fixes, alone, will only partially reduce the risk of a data breach. For that reason, human resources professionals and in-house employment counsel can play a critical role in reducing the risk that their organization will be the next victim.

Below we list eight tips the “people side” of an organization should consider taking to supplement and enhance the organization’s technical safeguards for sensitive information:

  1. Conduct Background Checks: Job applicants, temps, and contractors who will have access to sensitive information or administrative privileges for information systems should be subject to a thorough background check before they start working, and periodically thereafter, focused on evaluating trustworthiness.
  2. Confidentiality Agreements: Consider requiring all employees with access to sensitive information to sign a confidentiality agreement that not only requires non-disclosure of confidential information, but also describes steps employees must take to safeguard the employer’s confidential information.
  3. Security Training: Train all employees, regardless of access rights, on information security as part of the onboarding process and provide periodic security awareness reminders. Provide additional training to all employees authorized to access sensitive information.
  4. Security Incident Awareness: All training should include information on what events constitute a security incident and how to report a security incident internally.
  5. Recognize Phishing Emails: Training should also include information on how to recognize and report phishing emails. Employees commonly are responsible for activating malicious software, such as ransomware, by clicking on a link or opening attachments. They routinely are duped into disclosing their network log-in credentials to scammers in response to what appears to be a trusted requestor, such as the organization’s IT Department or a business partner. And, hundreds of payroll personnel have disclosed all of their organization’s W-2 forms in response to bogus requests from a senior executive. Given the prevalence and serious consequences of these scams, companies should consider sending fake phishing emails to employees and providing additional training to employees who fall for the test scam.
  6. Need-To-Know And Minimum Necessary: Ensure that employees have access to sensitive data only on a need-to-know basis and limit authorized access to the minimum necessary to perform job responsibilities. Access rights should be modified when job responsibilities change and terminated promptly after the employment relationship ends.
  7. Require Strong Passwords: Require that employees use strong passwords, i.e., at least eight characters with a mix of letters, numbers, symbols, and cases, and prohibit employees from sharing their passwords with anyone, including the IT Department.
  8. Prepare For A Security Incident: Even companies with robust information security programs will experience a security incident. Many incidents naturally will be reported to HR professionals or in-house employment counsel, such as the disclosure of W-2 forms in response to a phishing e-mail or the mis-direction of an e-mail with an attachment containing social security numbers or health benefits information. HR professionals and in-house employment counsel should put in place a plan for responding to these “non-IT” security incidents.