At Nimblr, we work to develop the world’s best IT security training for end users. With regular micro-courses and simulated phishing emails, we develop security awareness and resilience among our clients’ employees. But what happens when one of our own employees is exposed to advanced spear-phishing?
Update your payroll account
On a sunny day late in May, Nimblr’s HR manager, Caroline, decided to work from home. With heavy traffic and children leaving school earlier than usual, Caroline sometimes chooses to work from her home office. On this day, a relatively ordinary email landed in Caroline’s inbox. The email appeared to be from a colleague, Gabriel, a support technician who works in the same office as Caroline. Gabriel had a simple question; he had switched banks and asked Caroline to update his account number so that his upcoming monthly salary would be credited to the correct account.
The sender of the email had used Gabriel’s correct first and last name, and even signed off with the correct title, ‘Technical Support Specialist’. There was nothing particularly strange about either the email or the request.
Practice makes perfect
Instead of updating Nimblr’s payroll system with the new account number for the May payroll, Caroline became suspicious. Like everyone else at Nimblr, Caroline participates in the automated training program, the same system that Nimblr delivers to its customers. Thanks to our regular Security Awareness training and simulated phishing exercises, the attack was halted here. Gabriel’s salary will be paid, to the right account, in May as well!
The email Caroline received was a spear-phishing message sent from a newly created Gmail account. It did not contain any viruses or links, but a fraudulent message that could have put an end to Gabriel’s intended Friday fun and sent his salary to a scammer.
Phishing a phisher
After Caroline reported the incident to our security officer, we decided to continue the dialog with the attacker and gather more details about the modus operandi. The new account number was never mentioned in the initial email, presumably to reduce the risk that recipients who were not fooled would report the account number to the bank, which could then block it. We replied to the fake email, explaining that it would be no problem to update the account number, just send the details to us. We quickly received a reply back, containing an image of a document with the account number where the attacker wanted us to continue sending Gabriel’s salary. Now we were able to report the account number to the bank and hopefully stop any fraudulent payments to the account.
Most likely, the attacker chose to send the account details within an image to bypass email filters.
Spear-phishing using AI?
How did the scammer know who was responsible for the payroll system on Nimblr? How did they know that Gabriel worked at the same company, and that his title was “Technical Support Specialist”? All of this information can be retrieved from LinkedIn with a little research, or through relatively simple program code and a few logical assumptions.
These types of scams are usually more time-consuming to craft compared to more generic phishing attempts. However, it can be assumed that this was one of many messages, perhaps automatically created by AI, which is fed basic information about many different victims, and then spits out thousands of customized fraudulent emails.
Watch out and start educating your users
Fingers crossed that other recipients of similar messages are as prepared as the HR manager at Nimblr. If you’re uncertain about your organization’s resilience, I recommend booking a demo with us at Nimblr. We can then tell you more about how you can continuously train, test and keep your colleagues updated on the ever-present online attacks.