Preventing a Very Human Phishing Attack: A Case Study
Over the past couple of months, Tech Impact has seen a significant increase in the scale and sophistication of email-based attacks against nonprofits. Most of these attacks aren’t technologically sophisticated—instead, they use advanced forms of social engineering to try to trick people into helping the attackers steal money, account credentials, or other valuable resources.
We wanted to share a particularly notable real-world example to highlight a type of attack that’s hitting lots of nonprofits at the moment and offer some zero-cost solutions to help reduce your risk.
The Payroll Change Request Scam
Here’s how this attack plays out: A nonprofit’s Human Resources department receives an email from a staff member asking for their payroll direct deposit to be moved to a new checking account. HR replies to the email and attaches a payroll change form for the recipient to complete to authorize the change. The employee replies that they’re too busy to complete the form right now or are away from their computer, promises to fill out the form later, and asks HR to push through the change immediately “so that it happens in time for this upcoming payroll.”
The unsuspecting HR department processes the change and instructs the organization’s payroll provider to deposit the employee’s paycheck in the new account.
Of course, by now you’ve figured out that the initial email didn’t actually come from the employee, and that the entire thing was a scam that preyed upon some very human emotions.
The initial request can vary in sophistication. In the most advanced cases, this attack is executed using the target’s real organizational email account after the credentials were stolen via a previous phishing attack. In less polished variants, the initial emails come from random external email addresses labeled with the target’s name, or from a Gmail address with a similar name.
Tech Impact has dealt with three cases of this particular attack in the past two weeks alone. One of these attacks did ultimately result in someone’s paycheck being deposited into a bogus account, and another would have been similarly successful if the HR department hadn’t called the targeted staff member to ask a clarifying question about their accounts. (Naturally, the staff member had no idea that any account change had been requested.)
These attacks succeed because they rely upon common human behavior—we’re all busy, and we tend to not watch too closely if things don’t look obviously out of the ordinary. And we shouldn’t have to. It’s too much to ask busy HR staff to conduct detailed forensic analysis of every email they get to confirm that it’s legitimate—so how can organizations protect themselves from this kind of scam?
First, some definitions:
- Hacking is when a bad actor uses exploits to gain access to something they do not normally have access to.
- Phishing is when someone masquerades as a trustworthy source in an attempt to bait users to surrender sensitive information, such as username, password, or credit card number.
As a very simple metaphor, think of a door—a hacker would pick the lock, a phisher would convince you to open the door and let them in.
This particular type of attack falls into the latter category. Because phishing relies on social engineering rather than a strict technical breach, it’s more difficult to protect against because it requires retraining people to be more skeptical, which can slow down our work as well. So, again, how do we protect against such exposure?
There are some technical approaches, according to Tech Impact’s Infrastructure and Security Lead Jordan McCarthy. For example, we could implement enhanced email sender verification via the DMARC standard or Office 365’s Advanced Threat Protection, which would block all messages purporting to come from any member of the organization’s staff that don’t actually come from their organizational email accounts. But that’s not a perfect solution. For one thing, a rule blocking external mail from Allison Smith won’t necessarily block external mail from A1lison Smith—and it would prevent anyone from emailing the organization from their personal accounts.
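As an added illustration of the display-name problem described above (example code written for this page, not Tech Impact’s or Office 365’s tooling), the following Python script holds inbound mail for verification when the sender’s display name matches a staff member, lookalike characters such as “A1lison” included, but the mailbox is outside the organization. It also flags a mismatched Reply-To and payroll wording; the domain, staff list and sample messages are assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                           # assumed organizational domain
STAFF_NAMES = {"allison smith", "jordan mccarthy"}   # assumed staff directory
# Character substitutions commonly used to imitate a name (constructed list)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "@": "a"})
PAYROLL_TERMS = ("direct deposit", "payroll", "checking account", "bank account")

def normalize_name(display_name: str) -> str:
    """Lower-case, undo digit/symbol lookalikes, collapse whitespace."""
    folded = display_name.lower().translate(HOMOGLYPHS)
    return re.sub(r"\s+", " ", folded).strip()

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def review_reasons(raw_message: str) -> list:
    """Return the reasons this message should be held for out-of-band verification."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # 1. Display name matches a staff member but the mailbox is outside the org.
    if domain_of(addr) != ORG_DOMAIN and normalize_name(display) in STAFF_NAMES:
        reasons.append(f"external mailbox {addr} uses staff display name '{display}'")
    # 2. Replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} does not match From {addr}")
    # 3. The message is about payroll or banking details (single-part text assumed).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in PAYROLL_TERMS if t in text]
    if hits:
        reasons.append("mentions " + ", ".join(hits))
    return reasons

# Constructed sample messages, not real traffic.
LOOKALIKE = (
    "From: A1lison Smith <allison.smith.1987@gmail.com>\n"
    "To: hr@example.org\nSubject: direct deposit update\n\n"
    "Please move my pay to my new checking account before this payroll.\n"
)
INTERNAL = (
    "From: Allison Smith <asmith@example.org>\nTo: hr@example.org\n"
    "Subject: lunch\n\nAre we still on for noon?\n"
)

if __name__ == "__main__":
    for sample in (LOOKALIKE, INTERNAL):
        print(review_reasons(sample) or ["no flags"])
```

A message whose From address really is the staff member’s compromised organizational account produces no display-name flag here, which is exactly why the verbal-confirmation policy below is still needed.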
Because a phishing attack requires human intervention, the best way to prevent it is with human intervention, Jordan said—such as implementing a strict organizational security policy for any sensitive transaction involving account or password changes or financial transactions. Requiring direct verbal acknowledgment from the person making the request to the person with the power to execute it for any such change would go a long way toward preventing similar attacks.
As security technology gets better and better, hackers are increasingly targeting the weakest part of organizations’ defenses: human nature. A combination of sound policies and security training can go a long way toward shoring them up. In the absence of better policies and general awareness of security risks, technical defenses will really just provide a false sense of security.
And you can download our free security resources for nonprofits created by Idealware, including What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk and the Nonprofit Technology Policy Workbook, which will help you create and document policies for the acceptable use of technology and networks, personal devices for work, how to provide IT guidance to “accidental techies,” how to respond to an IT incident, and how to recover your technology after a major disaster.
Overwhelmed by the number of things you know you’re supposed to do to keep your organization secure, and need help prioritizing? Need a hand establishing security protocols or policies? Want a trusted advisor you can consult with on a regular basis about emerging security threats and defenses? Whatever your specific security needs, Tech Impact is here to help. We have a full suite of IT Security Services for Nonprofits, including IT security assessments, modern authentication and ongoing consulting services. Request a free consult and let the Security & Infrastructure team know a bit about you and the kind of support you’re looking for.