
Phishing attacks: Definition, examples, and mitigation

Niek Dekker

Reports of phishing attacks are rising year over year, and increases in targeted attacks are even higher.

With more employees working from home – and more employees reporting burnout – malicious actors are finding fertile ground for phishing. It’s little wonder that 77% of organisations faced BEC attacks in 2021, according to Proofpoint.

So how dangerous is phishing, and what are the implications for finance professionals? What are the types of phishing attacks that CFOs need to be aware of in 2023? Let’s dive into phishing attacks and what you can do to combat this common cyber-crime tactic.

What is Phishing?

Phishing is a form of social engineering attack that is used to steal customer information, such as login credentials (usernames and passwords), credit card information, and email addresses.

Phishing attacks can target senior executives like CFOs or accounts payable (AP) clerks through spoofed emails, text messages, phone calls or social media platforms. Usually, phishing messages contain fake websites or malicious links that can be used to gain access to your organisation’s network or reveal sensitive information.

Depending on the type of organisation and size of your AP team, cyber-criminals have a variety of phishing techniques at their disposal.

Types of Phishing Attacks

Spear Phishing

Spear phishing occurs when a cyber-criminal targets a specific individual or organisation, which requires more in-depth knowledge about the victim. Unlike a blanket phishing attempt, this is a tactic that zeroes in on one particular individual or group. Attackers often conduct extensive investigative research on their target, using publicly available information like events, recruitment material or social media.

An example of a spear phishing attack: your AP clerk receives an email impersonating your IT help desk, requesting to change their password as a routine security procedure. The email might even come at a time when the sender knows the AP clerk is more likely to be frazzled or ready to finish work, such as the end of the day or right before a holiday.

The email may seem genuine to the naked eye. The malicious actor can carefully craft an email that contains the organisation’s logo, a similar email address and a professional-sounding message that uses language or references they’ve picked up from their research. All of this can result in a convincing, authentic-looking message.

Whaling

Similarly to spear phishing, whaling attacks are specifically targeted at top executives like CEOs, CFOs or CTOs. Cyber-criminals understand that senior management has privileged access to sensitive data like customer information, company portals and other senior executives’ contact details.

These types of targeted email attacks usually contain malicious software or malicious code that allows attackers to gain control over your data and defraud your organisation.


Smishing

Another variant of phishing is SMS phishing, also known as “smishing.” This attack is carried out on mobile devices through fraudulent SMS/text messages. It can occur on various text messaging platforms like WhatsApp or Telegram.

Smishing attacks are known for bait messages that appear during busy schedules to catch you off-guard. Smishing was especially rampant during the COVID-19 pandemic, where attackers would impersonate government entities, hospitals or councils to send worrying text messages about vaccines or contact tracing.

Because this tactic seeks to take advantage of busy or stressful time periods, it’s also common for malicious actors to target AP teams during the end of the financial year period.

Vishing

Beyond text messages, attackers can also run phone call scams, known as voice phishing or “vishing.”

Like other types of phishing, this tactic uses psychological manipulation to fool victims into revealing sensitive information – often by creating a sense of urgency, a desire to help or gaining trust.

While many employees have been trained to spot suspicious emails, people may be more likely to trust the sound of a human voice. Especially as deepfake technology continues to improve, it’s crucial to ensure staff are aware of vishing threats.

Phishing Email Examples

Australian hedge fund targeted via Zoom

In November 2020, the co-founder of Australian hedge fund Levitas Capital was targeted with a whaling attack. Starting with a malicious Zoom link in the phishing email, fraudsters gained access to the hedge fund’s email system.

This allowed the attackers to impersonate the co-founder by sending fake email instructions to process illegitimate payments. As a result, the attackers stole over $1.5 million in funds using fraudulent invoices. Unfortunately, indirect costs crippled the organisation, forcing the hedge fund to shut down.

Australia’s top university hacked from a single email

In early November 2018, the Australian National University (ANU) fell victim to a sophisticated spear phishing attack. In fact, the spear phishing email didn’t even contain any malicious link or attachment.

The ANU confirmed that the sophisticated threat actor gained unauthorised access to the Enterprise System Domain (ESD) network which housed their human resources, financial management and enterprise e-forms systems.

Vice-chancellor Brian Schmidt commented on the data breach, saying, “This wasn’t a smash and grab, this was a diamond heist.”


How Dangerous is Phishing?

Financial leaders and accounts payable teams should be highly sceptical of emails and websites that purport to provide information or goods. As you can see in some of the phishing examples above, cyber-criminals don’t always need their victims to click on a malicious link or attachment anymore.

Phishing is a serious threat for organisations and their AP teams. This is due to:

  • The increased frequency of phishing attacks
  • The ease of scaling large volumes of phishing attempts
  • The difficulty of spotting increasingly sophisticated phishing attempts
  • The time and cost of the investigations needed to prove a phishing attack
  • The direct and indirect costs of recovering from a successful phishing attack

The Australian Competition and Consumer Commission (ACCC) found that the top three most reported scams were phishing (50,015 reports), false billing (16,263 reports) and online shopping scams (13,068 reports).

Phishing statistics further demonstrate that the cost of phishing attacks can amount to over $3.2 million. Why so much? Other than the direct costs that organisations face, these sorts of cyber-attacks and cyber-fraud can cause reputational damage, regulatory fines and loss of data.

Cyber-crime’s cost of chaos is real. And a simple phishing email is enough to cause severe consequences.

How Can You Protect Yourself from Phishing?

You can protect your AP team from taking the bait. This often requires a comprehensive cyber-crime strategy, one that looks at three main elements: people, processes and technology. And CFOs are best-positioned to lead a cyber-crime strategy in their organisation – find out how to develop and implement your own.

But there are also some basic rules of thumb to spot and prevent a phishing attack:

  • Don’t open suspicious emails or text messages, and don’t answer unknown calls: If you receive unsolicited calls or emails, there’s a higher chance it might be a scammer. Best practice is to verify the individual on the other end, even if the email address appears to come from big trusted brands like Facebook, Google, or Microsoft. These organisations will almost never send you an unexpected link and ask you to enter personal or financial information.
  • Double-check email addresses – carefully: Make sure to double-check the email address. Scammers using phishing techniques are known to impersonate businesses or individuals. Not only can email addresses be spoofed, but fraudsters also like to create email addresses that look very close to authentic contacts. For instance, you’d be surprised how easy it is to miss a “1” in place of a lower-case “l” when you’re quickly scanning an email address.
  • Configure your email security settings: By setting security controls with your email provider, you can block many unwanted messages. You can use tools like spam filters or multi-factor authentication methods to limit the number of malicious emails. We explore six effective email security best practices that your AP team can start incorporating into everyday operations.
  • Incorporate a security policy around email management: Develop a security policy that includes but isn’t limited to password expiration and complexity. It’s best practice to routinely create new passwords every 3-6 months.
  • Incorporate formal, computer-based training workshops and monthly phishing simulations: Not enough organisations are focusing on phishing attacks, let alone the various types of phishing emails used against them. Allocating security training modules allows AP teams to identify and respond appropriately.
  • Implement security software: By incorporating a security solution, you can detect and investigate any malicious emails or phishing attempts. By having that extra layer of security, you can double-check suspicious activity before falling victim to phishing attacks.
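One way to automate the “double-check the email address” rule above, as an added example that is not part of the original article: a small Python checker that folds easily misread characters (such as the digit “1” for a lower-case “l”, or “rn” for “m”) and flags sender domains that sit within a couple of edits of a known contact. The trusted-domain list and the sample From: headers are constructed for this example.

```python
import re

# Constructed list of trusted counterpart domains (hypothetical, for this example).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}

# Characters that are easy to misread when scanning an address quickly,
# e.g. the digit "1" for a lower-case "l" or "0" for "o".
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "|": "l"})


def normalise_domain(domain: str) -> str:
    """Fold visually similar characters so a lookalike collapses onto the real domain."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Jane Doe <jane@example-corp.com>'."""
    match = re.search(r"<?([^<>\s]+)@([^<>\s]+)>?\s*$", header_value)
    if not match:
        raise ValueError(f"no address found in {header_value!r}")
    return match.group(2).lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in a From: header."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted"
    for real in trusted:
        # Flag an exact match after folding homoglyphs, or a domain within two edits of a real one.
        if normalise_domain(domain) == normalise_domain(real) or edit_distance(domain, real) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one unrelated sender.
    for hdr in ("Jane Doe <jane@example-corp.com>", "AP Team <billing@examp1e-corp.com>",
                "ops@acrne-supplier.com", "news@totally-different.org"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

A “lookalike” result is a signal to verify the sender out of band, not proof of fraud; legitimate contacts can change domains too.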
