True crime: anatomy of a cyberattack
On a Friday morning last April, Kristi Deason switched on her computer and started checking her inbox. It was a routine she’d followed thousands of times before, but this time she came across something odd. “One email stood out,” explained Deason. “It just didn’t feel right.”
Deason, senior client manager in the Middle Market Payments department at KeyBank, had received a phishing email, a fraudulent message dressed up to look legitimate. The sender was trying to trick Deason into granting access to sensitive information.
Phishing is not new, but its use has skyrocketed over the past few years. The Anti-Phishing Working Group (APWG) observed nearly 1.1 million phishing attacks in the second quarter of 2022, the highest quarterly number the group has ever recorded.¹
Fortunately, Deason’s training enabled her to recognize the phishing email for what it was and avoid taking the bait. But what if she hadn’t known how to spot the scam?
Recently, Tammy Gedetsis, a KeyBank Senior Manager for Information Security, led a webinar with Deason to discuss the incident. Kevin Brown, FBI Acting Supervisory Special Agent – Cyber Criminal Squad, and Eric Balish, US Secret Service Assistant to the Special Agent in Charge – Financial Crimes, joined Deason and Gedetsis to provide tips on how to avoid becoming a victim of cybercrime and the steps you should take if you find yourself in Deason’s shoes.
The spoofing attack
Nearly 28% of the phishing attacks recorded by APWG in the second quarter of 2022 were aimed at financial institutions, making it the most-targeted industry.¹ It’s no surprise, then, that KeyBank’s Deason got caught in the line of fire. What did come as a surprise, however, was how authentic the correspondence appeared.
“It was forwarded from an internal partner and addressed to teammates who were part of a shared client relationship,” said Deason. “The sender was someone who actually is at the company – it was legitimate contact information. And the company logo appeared at the bottom of the email.”
The correspondence Deason received was a more sophisticated version of phishing, known as spoofing. While the content of phishing emails is generic, a spoofing email contains details that make it more relevant to the recipient and, thus, harder to identify as illegitimate. Calling on her training, though, Deason was able to unravel the ruse.
“The first thing I noticed was that the last name of the person referenced in the email was misspelled in their email address, and the domain name didn’t match the company,” she explained. “The email was also sent at an odd time, and the wording wasn’t typical for this kind of request.”
The FBI’s Brown commended Deason’s vigilance and attention to detail in this case. “The more you know about your regular course of business, the more you know what right looks like,” he explained. “If it doesn’t look right, it probably isn’t.”
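The mismatches Deason describes (a misspelled last name in the address, a domain that does not match the company, an odd send time) can be checked mechanically against a list of verified contacts. The following is an added example, not part of the original article or any KeyBank tooling; the contact name, the `.example` domains, the business-hours window and the function names are assumptions.

```python
from email.utils import parseaddr, parsedate_to_datetime

# Constructed directory of verified contacts (hypothetical name and domain).
KNOWN_CONTACTS = {"Jordan Whitfield": "jordan.whitfield@client.example"}
BUSINESS_HOURS = range(7, 19)  # assumed normal sending window, in the sender's offset

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(from_header, date_header):
    """Return the mismatches between a message's headers and the verified contact."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    flags = []
    known = KNOWN_CONTACTS.get(display)
    if known is None:
        flags.append("display name not in verified contacts")
    else:
        k_local, _, k_domain = known.rpartition("@")
        if domain != k_domain:
            flags.append(f"domain {domain!r} does not match {k_domain!r}")
        if local != k_local and edit_distance(local, k_local) <= 2:
            flags.append(f"local part {local!r} is a near-miss of {k_local!r}")
        elif local != k_local:
            flags.append("local part differs from verified address")
    # The hour is read in the offset stated in the Date header itself.
    if parsedate_to_datetime(date_header).hour not in BUSINESS_HOURS:
        flags.append("sent outside usual business hours")
    return flags

# Constructed sample: last name misspelled, lookalike domain, sent at 03:12.
SAMPLE = sender_flags('"Jordan Whitfield" <jordan.whitfeild@cl1ent.example>',
                      "Tue, 02 Jan 2024 03:12:00 -0500")
for flag in SAMPLE:
    print(flag)
```

A familiar display name on its own proves nothing here: the lookup only selects which verified address the real one is compared against.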
KeyBank’s Gedetsis pointed out that scammers don’t limit their activities to email, and that unexpected correspondence in any form should be scrutinized. “Any channel of communication can be a potential threat, because these actors are using every avenue possible to try to get the information that they want,” Gedetsis explained. “I'm suspicious of any communication I receive, especially if I’m not expecting it or it’s from someone I don't know.”
When in doubt, verify
If you suspect that an email, call or text you received is a scam, the most important thing to remember is not to do anything that might aid the perpetrator. Even seemingly inconsequential actions like previewing an email attachment, responding to a text message or pressing buttons on your phone during a scam call can give the cybercriminal useful information.
“Don’t click on any links, don’t open an attachment and don’t forward the email to anyone else,” said Brown. “Take your time to verify the communication.”
To authenticate the message, call a known phone number and get confirmation directly from the purported sender. If the correspondence directs you to visit a website that’s familiar to you, like key.com, type the web address directly into your browser’s address bar. Don’t navigate to the site from search results, and if you don’t recognize the web address, don’t navigate to it at all.
Once you confirm that you’ve been the target of a cyberattack, it’s important to act quickly to alert others and mitigate any potential damage.
If you see something, say something
In the business world, a scam email, call or text is rarely an isolated incident. “Business email compromises, ransomware, phishing – they are parts of an integrated attack,” said Balish. “Your organization is likely being targeted by multiple attacks at the same time.”
Cybercriminals do this, in part, to try to exploit the vulnerabilities they’ve identified before the alarm can be raised within the organization. They just need one point of entry to advance their plan. That’s why it’s important for individuals and organizations to report incidents like Deason’s, both internally and to law enforcement. Any internet-enabled crime information should be submitted to the Internet Crime Complaint Center² at IC3.gov.
“If you are the victim of an attack, make sure you report it,” said Balish. “Talk to law enforcement, talk to your clients, talk to your employees. All that communication can help authorities prevent these attacks in the future.”
Gedetsis encouraged KeyBank clients to contact the bank immediately, through their payments advisor, relationship manager or via KeyBank’s fraud hotline at 1-800-433-0124 – or via email to reportphish@keybank.com.
“If you suspect you’ve been targeted, we want you to report that right away,” she said. “The sooner we know something is not right, the quicker we can start taking actions to prevent a crime from happening.”
Added Brown: “When there's a potential financial loss involved, your first call always needs to be to your bank. The second thing you should do is go to IC3.gov and report the incident.”
When it comes to cybersecurity, companies can transform their employees from a vulnerability into an asset
Unfortunately, no individual or organization with an online presence is safe from cyberattacks. But very few cybercrimes succeed without unwitting help from the target. That’s why the number one way organizations can thwart cyberattacks is to make sure their people know how to recognize and handle them.
“It starts with communication,” said Brown, “making it clear to everyone in the company what these attacks look like, why it’s important to protect the company’s assets, what’s at stake and what their role is.”
Company leaders must also ensure that the corporate culture reflects a commitment to vigilance. “Because these messages are often infused with a sense of urgency, your employees need to know that it's okay to pause, take a breath and verify the authenticity of the correspondence they received,” said Gedetsis.
Added Brown, “Taking an extra few minutes to do that verification is a lot easier and less costly than trying to get money back after you sent it somewhere it shouldn't have gone.”
While organizations still need to invest in technology solutions for regular updates to repel cyberattacks and keep their data secure, their first line of defense against cybercrime is a team of knowledgeable, vigilant and empowered employees.