In part one, we explored the story of Emma, a junior member of a law firm who was tricked into making a fraudulent payment via business email compromise. Further investigation by the CISO revealed that the hacker had taken over the CEO’s email account and impersonated him. To make matters worse, they had also been able to exfiltrate large amounts of sensitive data using the same credentials.
If you haven’t read the first part yet, you might want to check it out here. In part two, we explore the impact of the attack on Emma’s fictional law firm on some of the other people involved.
The line manager
Emma’s line manager, the head of the finance team, is at home worrying about what the outcome of the phishing incident will be on Monday morning. There will be difficult questions for him to answer – why was a remote junior team member able to break process so easily? Had he not provided adequate training and supervision to a new joiner?
He’s also worrying about the impact on Emma. He had interviewed her himself, and knew how much she had wanted the job. However, he also knows that in 89% of data breach incidents there are repercussions for the individuals involved. Emma is still within her probation period and company policy is to let go of anyone who causes a serious breach.
The line manager is acutely aware of how much a dismissal could impact the morale of his team. Everyone will be scared of making a similar mistake, and productivity will take a downturn as employees spend more time worrying about phishing and less time doing what they’re best at.
Deep down, he hopes the decision is made by somebody more senior than himself, as he’s genuinely unsure what the best course of action is.
It’s a fine balancing act for the line manager, and one that many businesses face after a serious breach. Only 43% of IT leaders believe their response to a breach had a positive impact on other employees. And only 54% of employees think their organisation’s security culture trusts and empowers them.
When the client CEO saw an incoming call from her law firm late on a Friday, she knew it was unlikely to be good news. Speaking with the firm’s CISO confirmed her bad feeling. They have suffered a data breach, and highly sensitive information regarding her own business has been exfiltrated by cybercriminals. The potential impacts could be devastating.
She is left in an unenviable position. Her own shareholders and colleagues now need to know about the risks. Her firm has invested heavily into intelligent anti-phishing defences, but she is now regretting this major blind spot in their supply chain. It is deeply frustrating to suffer from a data breach through the actions of another company.
She has a personal friendship with the CEO of the law firm, but is left with no choice but to break business ties with them and distance her company from the negative headlines as much as possible. They may even need to consider pursuing damages against the firm.
Unfortunately, this is not an uncommon scenario, and supply chain compromise is an increasing threat to businesses. The now infamous SolarWinds hack of December 2020 shows how serious supply chain compromise can be.
Where there is a financial and human cost to phishing attacks, there is also a gain to be made on the other side. This particular cybercriminal is only 18 years old, and he’s already a millionaire thanks to several successful phishing scams, including his most recent attack on Emma’s law firm.
Over the past few weeks, he’s been busy. He’s meticulously scoured the law firm’s website and social media channels to help plan his attack. His chosen vector of attack was the easy option, email, which 64% of IT leaders identify as their riskiest point of origin.
Finding the name of the CEO and working out his company email address was easy. He then found out which payslip vendor the law firm uses, helping him to craft a believable spear phishing email to target the CEO with. A quick LinkedIn search revealed Emma as a new joiner to the finance team – and a perfect target for an impersonation attack from the CEO’s email account. He just needed to choose one of the client organisations the law firm worked with and add an offshore bank account into the invoice.
Truth be told, it was surprisingly easy. His cash has now been converted to Bitcoin, and there is very little chance the authorities in his own country will ever investigate the crime. The data he managed to exfiltrate is up for sale to the highest bidder on a dark web marketplace. Now his only decision is whether to retire from cybercrime or begin planning his next attack.
Want to learn more?
Don’t let this story become a reality for your business. If one person is successfully targeted by a sophisticated phishing attack, such as account takeover or business email compromise, the consequences can be severe for people both inside and outside your organisation.
The only way to stop advanced phishing attacks is through intelligent anti-phishing technology. Shaped by the UK Government’s intelligence agency, GCHQ, Egress Defend uses machine learning and natural language processing to detect phishing attacks in real time. It works like a human cyber-expert, except that it can unobtrusively watch over every employee at the same time, all the time.