A Brisbane general practice narrowly escaped donating the contents of its trust account to a cybercriminal’s retirement savings this month when staff realised a caller from one of the big four banks was no such thing.
The caller was helpful and friendly, and able to quote the customer ID number, account balances and the last few trust transactions. The attacker told the staff member that their account was compromised and needed to be “reset” immediately. She reports the caller was extremely convincing.
The usual point of scams like this is to get a genuine user to undertake a transaction (and hand over the session authority), reset a password or authorise the creation of another user account.
The objective might be access to the bank account or to steal information. They may already have a password obtained through phishing or by using browser-hijack software, so they can “prove” who they are by quoting confidential information that only an insider should know.
The fact that an attacker can get this far means that they are already most of the way through the firm’s defences, and all they need is assistance from a distracted or overly trusting insider.
These criminals are extremely good at pulling off this last part of the attack, using many ways [1] to engineer trust. They may have no accent and commonly specialise in attacking a particular industry they know well. As they are not asking for passwords or confidential information (they might just be asking you to okay an administrative action in your security app), the usual internal fire alarm might not warn you something is wrong.
When you think later about what was asked of you, it may be obvious that it was a scam, but at the time the pressure created by the urgent warning can lead to tunnel vision and impaired thinking. This high-pressure technique is not the only method, though. Other ways attackers can engineer the same result include:
- Sending multiple authorisation requests in the hope the recipient will get sick of it and click “yes” to get the apparently malfunctioning system to leave them alone;
- Sneaking an “authorisation” link into another email, such as a link to a document or news item;
- Impersonating an insider, such as your boss or a manager from another office. Old school scams take the form of an internal email, but the latest version uses AI generated voices to leave convincing messages.
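The first technique in the list, repeated authorisation prompts until the user clicks “yes”, leaves a recognisable trace in the identity provider's sign-in log: a burst of push requests to one user, often with a denial, followed by an approval. The script below is an added example, not part of this article or of any QLS or Lexon material, showing how an IT team could flag that pattern. The log format, the field names, the sample lines and the thresholds (three pushes inside two minutes) are all assumptions chosen for illustration; a real export from Microsoft Entra, Okta, Duo or similar will need its own parser.

```python
"""MFA push-fatigue (prompt bombing) detection over constructed sign-in log lines.

Added example, not from the original article. Log layout, event names and
thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, user, event, source IP.
# alice receives four pushes in about a minute, denies one, then approves;
# bob receives a single push and approves it normally.
SAMPLE_LOG = """\
2024-05-01T09:00:03Z alice@example.com push_sent 203.0.113.7
2024-05-01T09:00:04Z alice@example.com push_denied 203.0.113.7
2024-05-01T09:00:21Z alice@example.com push_sent 203.0.113.7
2024-05-01T09:00:40Z alice@example.com push_sent 203.0.113.7
2024-05-01T09:01:02Z alice@example.com push_sent 203.0.113.7
2024-05-01T09:01:10Z alice@example.com push_approved 203.0.113.7
2024-05-01T09:15:00Z bob@example.com push_sent 198.51.100.2
2024-05-01T09:15:05Z bob@example.com push_approved 198.51.100.2
"""

BURST_THRESHOLD = 3            # pushes inside WINDOW that count as a burst (assumed)
WINDOW = timedelta(minutes=2)  # sliding window length (assumed)


def parse_line(line):
    """Split one constructed log line into (datetime, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def parse_log(text):
    """Parse all non-blank lines, keeping them in file order."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_push_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Map each user to the largest number of pushes received inside any
    `window`, keeping only users at or above `threshold`."""
    sent = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "push_sent":
            sent[user].append(ts)
    bursts = {}
    for user, times in sent.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[user] = peak
    return bursts


def approvals_after_burst(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Approvals preceded by at least `threshold` pushes inside `window`: the
    case where the user clicked "yes" to make the prompts stop. Any denials in
    the same window are counted too, because deny-then-approve is a strong
    signal. Returns a list of (timestamp, user, pushes, denials)."""
    findings = []
    for i, (ts, user, event, _) in enumerate(events):
        if event != "push_approved":
            continue
        pushes = denials = 0
        for pts, puser, pevent, _ in events[:i]:
            if puser == user and ts - pts <= window:
                pushes += pevent == "push_sent"
                denials += pevent == "push_denied"
        if pushes >= threshold:
            findings.append((ts, user, pushes, denials))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Users with push bursts:", find_push_bursts(parsed))
    for ts, user, pushes, denials in approvals_after_burst(parsed):
        print(f"ALERT {ts:%Y-%m-%d %H:%M:%S} {user}: approved after "
              f"{pushes} pushes and {denials} denial(s) within {WINDOW}")
```

An approval that follows a burst is the finding worth an immediate phone call to the user through a known internal number, since it means the prompt bombing worked and the session should be treated as compromised until checked; a burst without an approval still shows that someone holds the password and is a prompt to reset it.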
What should you do if you receive an unexpected call asking you to log into an account or approve a log-in?
It is important to ensure you verify who you are dealing with. Being sent “confirmation” emails or SMS messages does not achieve this, nor does the person being able to quote confidential information.
Any call asking you to provide a confirmation code, log in using a link they supply or authorise remote access through a security app is extremely suspicious and must be treated as fraudulent until proven otherwise.
Treat in the same way any request to grant remote access to “fix” a problem with your computer. Take the person’s name, number and a reference ID. Then call the organisation using its published contact information (NOT the phone number of the original caller).
If it turns out the call is a scam, you should call for IT or internal assistance immediately. If you are a QLS member firm, contact the Cyber Essentials hotline for expert advice to determine the level of compromise (if any) and fix it.
Training and awareness
In the example reported, the financial manager recalled a risk presentation by Lexon warning of pressure scam techniques. The business had made its own luck by ensuring staff had training and reminders.
Multi factor authentication (MFA)
The attackers already had access to the account, but could not steal money because of the last line of defence. MFA can protect information as well as bank accounts. It is cheap, simple and a fundamental protection measure for any business. For more information see the QLS Guide to Multi Factor Authentication.
Ensure every person knows to ask a second opinion if there is something that feels a bit off. Ideally, every employee should be able to ask for IT advice but any second opinion can be useful.
A security culture in which people think about information security and pause before they act is an essential line of defence in the digital economy. In this instance, the financial manager escalated the matter to her partner, who ultimately decided to terminate the call and investigate her concerns.
If you have any questions about this issue or any other aspect of cybersecurity for law firms, please contact David Bowles on 3842 5937 or visit the QLS Cybersecurity website page.
[1] For an excellent podcast series opening a window into the wild world of confidence tricksters in the digital age see “Hacking Humans”: https://thecyberwire.com/podcasts/hacking-humans