Technical email security solutions excel at stopping attacks against your computer systems. However, they don’t do so well stopping attacks against human behaviour and business processes.
There’s a new type of phishing email that’s becoming more common, as it is extremely clever at tricking the end user, called a Payment Redirection Phishing Email. This phishing email type is growing fast, so you need to be aware of what to expect and how to protect your company and yourself.
What is a Payment Redirection Phishing Email?
A Payment Redirection Phishing Email is a type of phishing email that is designed to intercept a scheduled or expected payment and redirect you to pay the scammer instead of the intended recipient. Sometimes, these are sent randomly, and sometimes they are sent at a time where payment discussions may likely happen (towards the end of the month, for example). However, in certain sophisticated scenarios, these are sent at the exact moment you expect them from the sender you are expecting to hear from. These are the toughest to defend against and are a good reminder to always be weary in any emails around payment updates and changes.
Payment Redirection Email Patterns
Recently, I’ve investigated a number of Payment Redirection security incidents that all share a common pattern.
The attacker typically follows these steps:
- Research the target, typically someone with authority to approve payments
- Find a likely recipient of funds such as a supplier, employee, or shareholder
- Either take over the recipient’s email account, or simply create a similar-enough looking email address
- They would then contact the target, telling them the recipient banking details have changed, and ask for next payment to be made to the new account
- In order to pre-empt phone verification, they will include a phone number in the email that will usually be a non-existent number or controlled by them
Once the payment has been made this is usually unnoticed until the genuine recipient starts making enquiries.
What can we do to protect against these Payment Redirection Phishing Emails?
The general advice is to invest in security awareness training, which is designed to prepare you and your colleagues to handle these types of threats and more.
In the case of Payment Redirection Emails, the most important defense is to never trust an email that asks you to send money or change the existing payment details without verifying in person or via an existing phone contact (not the contact within the email, that’s one of the ways they trick you).
It may seem like extra, unnecessary steps, but these steps are extremely necessary. While it may take you an extra ten minutes to verify, it could potentially save you weeks of headache, not to mention the money you will lose if you become victim to one of these scams.
Learn more about Security Awareness Training, provided by Calibre One.
As always, stay vigilant.