Week 38: When the customer is not king, but actually a hacker

26.09.2023 - A key element for every company is customer relations. The customer is king, so they say. As a result, companies are keen to fulfil their customers' every wish. This approach is regularly exploited by hackers. A particularly sophisticated case was reported to the NCSC last week. Every company should therefore consider what company data it publishes on its website, as this can be used for fraud, but also for phishing.

Wedding planners targeted for phishing

In the case reported to the NCSC last week, it all started with a conventional enquiry to a wedding planner. The engaged couple, who lived abroad, wanted to spend the happiest day of their lives in one of the prettiest locations in Switzerland. The apparent bride and groom praised the wedding planner's service offering, partly to start the business relationship off on a positive footing, but also to give the impression that they had taken the time to study the website and had not just landed on it by chance. The wedding was due to take place at the end of 2024. A date that far ahead made it plausible that the couple had not yet engaged another planner, and it was a realistic deadline for the work. The fake bride and groom also mentioned the large number of guests who wanted to share their big day with them. With this amount of detail, the enquiry was tempting, and the potential victim accepted the apparent assignment.

After the initial positive response from the event planner, the happy couple wanted to discuss further steps via Zoom, in order to build trust even further. However, in the email on that subject, they mentioned that all additional information on budget and plans was in the attached document. Yet there was no attachment, just a link to a document on OneDrive.

Customer enquiry with the request to download the document.

Such enquiries are crafted with all the skills of a social engineer and are very difficult to identify as fraudulent. Caution is advised at the latest when the document is to be downloaded. The link does not lead to the document but to a phishing site that first asks the victim to enter their email account credentials. With those credentials, the attackers can, for example, read all of the company's email communication with its customers.

The lengths the fraudsters went to show how valuable access credentials for company accounts have become. Such credentials can be used for further fraud, such as sending manipulated invoices with fake IBANs or the targeted distribution of malware to the company's contacts.

When fraudsters help themselves to a company's web content

In another case, there was a targeted attempt to fool company employees into downloading a document. Here too, it was an apparent customer order. In this case, however, the email did not come from the customer directly, but had supposedly been forwarded to various employees by the Head of Logistics. The email contained not only the Head of Logistics' full name and job title, but also the correct phone number. But the sender address, and with it the entire email, was fake. Just as in the other case, the recipient was supposed to enter their email access credentials on a phishing page in order to start the document download.

The NCSC initially assumed that the company account had been hacked, but on closer inspection it became clear that the information must have come from the company website, which contained all the information, including names, job titles, email addresses and even phone numbers.

Many companies publish this kind of information on their team pages. So far, it has mainly been used for CEO fraud, but as the current example demonstrates, it can also be used for targeted phishing attacks.

In both cases, eagle-eyed employees were able to avert serious damage. This shows how important it is for companies to cultivate an awareness of corporate cybersecurity among their employees.

  • Never divulge personal data such as login credentials, passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
  • Think about what information your website contains about the company and its employees.
  • Conduct regular awareness campaigns about cyberthreats for your employees.

Last modification 26.09.2023


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_38.html