3 new phishing attacks that will catch advisers off-guard

A new trend is emerging among cybercriminals, and it’s one that could have a deep impact on financial advisory firms and wealth advisers in general.

“Hybrid” phishing attacks — a new evolution in the traditional phishing email — are becoming increasingly popular among hacking groups as a way of bypassing business cybersecurity. These attacks borrow many strategies common to conventional phishing emails, such as impersonation, “spoofing” and “social engineering”; however, they are different in how and where they are carried out. Hybrid phishing attacks target employees more directly — and personally — over communication channels that are typically unmonitored and unprotected. They also frequently exploit the work-from-home dynamic.

Advisers need to be aware of these new tactics because they’re likely to be a frequent target of hybrid attacks given their access to high-net-worth clients. Additionally, as more advisers work remotely and turn to messaging apps, SMS, Slack and social media to communicate, they’re exposing themselves to a higher risk of exploitation through impersonated and hijacked accounts. This can lead to stolen passwords, leaked client information and financial fraud.

Here are three hybrid phishing attacks advisers need to be prepared for:

SMS AND WHATSAPP PHISHING

Cybercriminals increasingly use SMS and messaging apps like WhatsApp to carry out sophisticated phishing campaigns aimed at stealing employee logins and two-factor authentication codes.

These attacks can be difficult to detect because mobile messages aren’t authenticated the same way emails are. Mobile carriers allow any phone number, including VoIP and fake phone numbers, to send text messages to a person’s phone without verification.

One of the most common types of “message phishing” attacks is the fake IT notification. In this attack, the victim will be messaged by an IT admin impersonator about an important change to one of their IT services or accounts, such as Office 365, VPN or a remote access tool. The fake IT admin will then require the person to update or verify their account by logging in through the provided link. These attacks can occur in multiple stages, as the attacker first steals the login and then goes after the two-factor authentication code to bypass any account protections. While the primary theft occurs via SMS or messaging apps, the hackers may also combine this with a phone call or other communication to put additional pressure on the victim.

LINKEDIN SPEAR-PHISHING

While hackers frequently use fake LinkedIn notifications in traditional email phishing scams, the online platform is also becoming rife with social engineering attacks that target its users directly through its own messaging channel.

[More: Determining if a message from Social Security is a scam]

These attacks can be very sophisticated, with carefully constructed fake profiles that are difficult to distinguish from real people. In some cases, cybercriminals are even using artificial intelligence tools to create synthetic headshots that look remarkably real and can’t be reverse searched.

Wealth advisers are most likely to be targeted by fake accounts posing as potential clients (such as international business executives or high-net-worth individuals) or headhunters. The hackers will send invites and direct messages that try to lure the adviser into clicking on a link that redirects them to a malicious website that can steal information or infect them with malware. Although LinkedIn does scan for viruses in attached files sent through its messaging channel, sophisticated hackers may still be able to beat this security check — so advisers shouldn’t let their guards down.

The main goal of LinkedIn attacks is typically credential theft or malware infections. This malware can include “info-stealers,” which steal passwords and other data from the adviser’s devices, and “remote access trojans” or “back doors,” which the hacker can use to gain remote access and control over the device and then move deeper into the firm’s network.

BEC-STYLE ATTACKS ON VIRTUAL PLATFORMS

Business email compromise, or BEC, attacks have been extremely effective for cybercriminals for many years — and because of this they are now moving to other platforms beyond email.

In a BEC-style attack, a hacker gains control of a legitimate user’s online account, and then uses it to launch highly targeted phishing attacks on the victim’s business and personal connections. This may include “conversation hijacking,” where the hacker inserts herself into an existing conversation to launch her attack.

One area where we’re seeing BEC-style attacks beginning to emerge is in virtual collaboration platforms like Slack and Microsoft Teams. These attacks can be extremely difficult for advisers to detect since the message will come from a trusted colleague, IT staff or executive. Also keep in mind that some platforms, like Slack, don’t flag suspicious messages, analyze the reputation of web links or scan attachments for malware.

Hackers are able to hijack Slack accounts in several ways, one of which includes bypassing the password altogether. Known as a “pass-the-cookie” attack, the hacker simply steals the person’s browser session cookie, allowing him or her to sign in as the legitimate user. Cookie theft is now so common, it’s relatively easy for a hacker to buy these tokens on the Dark Web.

BEC-style attacks can target advisers in several ways, including fake requests for sensitive internal information and files; fraudulent wire transfer requests (often from an executive); and fake password reset requests from an IT department impersonator.

HOW TO PREVENT THESE ATTACKS

Hybrid phishing poses new security challenges to advisory firms since these attacks are more difficult to detect and prevent. However, there are several simple steps advisers, and their firms can take to reduce their risk.

The first and most important is to apply basic security rules to all communication channels. This means an adviser should never click on a link or download an attachment unless they’re sure of the person who sent it. Sensitive information should never be shared outside proscribed communication channels, like work email, or stray from specific company procedures. For advisers, every professional and personal account, from email to WhatsApp, LinkedIn and Slack, should have a strong and unique password, and dual-factor authentication enabled.

Firms should also implement access controls, network segmentation and data backups to offset the risk of any successful account compromise.

Dr. Chris Pierson, CEO and founder of BlackCloak, served for over a decade on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee. He’s the former president of the FBI’s Arizona InfraGard and former chief privacy officer for Royal Bank of Scotland.

Related Topics: linkedin, WhatsApp