How to defend against phishing attacks from trusted partners

When a business is targeted by a phishing attack that appears to come from a trusted partner, the attack is much harder for the recipient to spot. The attackers send from the initial victim's real email account and exploit a long-established relationship, with years of built-up trust, to compromise additional victims more easily. As a result, the attacker is far more likely to succeed in tricking the recipient into handing over their own credentials, or in convincing them to make a fraudulent financial transaction.

Steps to creating a strong defence against third-party phishing attacks

Defending against trusted third-party phishing attacks takes all the standard security awareness training, plus a few extras designed to fight threats coming directly from legitimate, trusted partners. They include:

1. Awareness of the possibility of phishing attacks from trusted partners

First and foremost, you need to make people aware of the growing threat of trusted third-party phishing. People can't defend against a threat they don't know about.

When people understand that trusted third-party phishing exists, and that they must be sceptical of ALL emails, even those from current business partners and friends, they can begin to defend themselves. Give them the relevant facts so they can adopt a new way of thinking about all phishing.

2. Notice any email that asks you to take an action

Trusted third-party phishing means that recipients must be particularly sceptical of ANY request for an unusual or unexpected action, even when it comes from a trusted business partner. Employee training should make clear that any request that could alter a financial transaction, or trigger a confidential action, must be reviewed before it is acted on.

3. Phone the trusted partner for verification

The quickest and simplest way to verify a request and avoid becoming a victim is to call the person or business who sent the original email, using a phone number that you already have on file or can get from a verified source. Do not verify a request by replying to the original email, or by calling a number listed in the email. Emails sent back to the trusted partner may be read or intercepted by the attacker who controls that mailbox, and new, hard-to-trace phone numbers are easy to set up.

4. Understand that a lot of effort goes into making a fake company look real

The most successful scammers have actually created real, incorporated companies with names very similar to those of the companies they were impersonating. They can have articles of incorporation, bank accounts at legitimate, recognisable banks, invoicing, staff, payroll, and whatever else they need to pass as a real company.

Interestingly, the owners of these fake companies are more likely to be caught, arrested and jailed when the scam collapses, because the long legal paper trail leads back to them. They know it, but it doesn't seem to stop them. The key point is that the existence of a real, verifiable company with a physical mailing address, an ongoing relationship and so on does not mean the company is legitimate.

5. These attacks take place over a long time

It's unlikely that the first communication you receive will be the one asking you to take an action. Many of the more elaborate scams start with seemingly innocent conversations. For example, an email arrives from a business partner letting you know they will be changing banks and updating their account and routing details in a few days or next week. The idea is to lull the victim and prepare them for the real, bigger ask that comes later.

The criminals behind these scams will go to great lengths to fool you. Dozens of emails, multiple phone calls and stacks of legal documents are often involved. The length of the scam, and the many other legitimate-looking communications over time, can lull the victim's early suspicion.

6. Involve the police

As we've learnt in our Business Security Briefings with the police, getting law enforcement involved rarely leads to the arrest of the online scammer, especially when they are operating from another country. However, the long-term nature of these scams and the legitimate legal paper trails they involve can help law enforcement with prosecutions.

7. Warn the original victim company

It goes without saying that you need to let the legitimate partner know that they have been compromised. If possible, do it by phone, to a known, legitimate number. You don't want to give the scammers any warning in case they are monitoring the partner's email, as they often do.

8. Don’t become that compromised third-party

Make sure you and your organisation don't become the original, compromised party that is then used to compromise other partners. Make sure your own security is up to scratch, then educate your employees and partners about the risks. For financial transactions, tell your partners to be sceptical of any sudden change in invoicing or billing details, and to call you on a known, legitimate phone number any time a change in financial information is requested. Make it a written, enforced policy that your staff do the same for requests from other companies.
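As an added illustration (example code, not TiG's or Guardian's), the following Python sketches a control that enforces steps 3 and 8 above: any inbound message that reads like a change to a supplier's payment details is held, the callback must go to the phone number captured when the relationship was set up rather than one quoted in the email, and the new details are only applied once a named person has recorded that callback. The Vendor record, the keyword and phone-number patterns, and the sample email are all hypothetical.

```python
# Added example (not TiG's code): gate supplier bank-detail changes behind an
# out-of-band callback to the number on file, as steps 3 and 8 advise.
# Vendor, assess_request, apply_change and the sample message are all
# hypothetical; the phone-number and keyword patterns are illustrative.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vendor:
    name: str
    account_on_file: str      # payment details currently used for this supplier
    phone_on_file: str        # number captured when the relationship was set up,
                              # never a number taken from a later email
    change_log: list = field(default_factory=list)


# Phrases that typically accompany a request to redirect payments (illustrative).
CHANGE_PATTERNS = [
    r"\bnew bank\b",
    r"\bchang(?:ed|ing) (?:our )?bank\b",
    r"\bupdat(?:ed|ing) (?:our )?(?:bank|account|routing)\b",
    r"\bremittances?\b",
    r"\bsort code\b",
    r"\biban\b",
]
# Loose match for phone numbers written with spaces, dashes or brackets.
PHONE_RE = re.compile(r"\+?\d[\d\s\-()]{8,}\d")


def normalise_phone(number: str) -> str:
    """Keep digits and a leading '+' so differently formatted numbers compare equal."""
    return re.sub(r"[^\d+]", "", number)


def looks_like_bank_change(body: str) -> bool:
    text = body.lower()
    return any(re.search(p, text) for p in CHANGE_PATTERNS)


def assess_request(vendor: Vendor, body: str) -> dict:
    """Classify an inbound message from a supplier.

    Anything that reads like a payment-detail change is held, and the
    callback must go to the number on file, not one quoted in the email.
    """
    if not looks_like_bank_change(body):
        return {"action": "ignore", "reasons": []}
    reasons = ["message asks to change payment details"]
    on_file = normalise_phone(vendor.phone_on_file)
    for found in PHONE_RE.findall(body):
        if normalise_phone(found) != on_file:
            reasons.append(f"number quoted in email ({found.strip()}) differs from number on file")
    return {"action": "hold_for_callback",
            "callback_number": vendor.phone_on_file,
            "reasons": reasons}


def apply_change(vendor: Vendor, new_account: str, confirmed_by: Optional[str]) -> bool:
    """Apply new payment details only once a named person has recorded the callback."""
    if not confirmed_by:
        return False
    vendor.change_log.append((vendor.account_on_file, new_account, confirmed_by))
    vendor.account_on_file = new_account
    return True


# Constructed sample message in the style step 5 describes (not a real email).
SAMPLE_EMAIL = """Hi Jane,
Following last month's call, we have now changed bank. Please send all future
remittances to sort code 40-12-34, account 12345678 from next week.
Any questions, call our accounts team on 07700 900123.
Regards, Tom"""

if __name__ == "__main__":
    acme = Vendor("Acme Widgets Ltd", "40-00-00 11111111", "0161 496 0123")
    print(assess_request(acme, SAMPLE_EMAIL))
    # No change is applied without a recorded callback to the number on file.
    print(apply_change(acme, "40-12-34 12345678", confirmed_by=None))
```

A number quoted inside the email is compared against the one on file and flagged when it differs, which is exactly the case step 3 warns about; a matching number is not proof of legitimacy, so the callback to the number on file is still required before the change is applied.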

Trusted third-party phishing is a growing risk to all organisations. Employees need to be made aware of such scams, given examples, and told how they can defeat them.

Prepare your business to defend against phishing attacks

TiG’s all-round security package, Guardian, offers all the software you need to secure your business, along with advice on strategy and policies that will protect the way you work. Take a look at the Guardian page or contact us for more information.
