May 24, 2023

Will our technician be paid in May?

Will our technician be paid in May?

At Nimblr, we work to develop the world's best IT security training for end users. With regular micro-courses and simulated phishing emails, we build security awareness and resilience in our clients' employees. But what happens when one of our own employees is exposed to advanced spear-phishing?

Update your payroll account

On a sunny day in late May, Nimblr's HR Manager chose to work from home. With heavy traffic and children leaving school earlier than usual, Caroline sometimes chooses to work from her home office. On this day, a relatively ordinary email landed in Caroline's inbox. The email appeared to be from a colleague, Gabriel, a support engineer who works in the same office as Caroline. Gabriel had a simple question; he had switched banks and asked Caroline to update his account number so that his upcoming monthly salary would be credited to the right account.

The sender of the email had the correct first and last name, and it was signed with the same name, along with the correct title "Technical Support Specialist". There was nothing particularly strange about either the email or the request.

Bilden föreställer ett email på ett phishingmail.

Practice makes perfect

Instead of updating Nimblr's payroll system with the new account number for the May payroll, Caroline became suspicious. Like everyone else at Nimblr, Caroline participates in the automated training program, the same system that Nimblr provides to its customers. Thanks to regular Security Awareness training and simulated phishing messages, the attack ended here. Gabriel's salary will be paid, to the correct account, in May as well! 

The email Caroline received was a spear-phishing message sent from a newly created Gmail account. It contained no viruses or links, but a fraudulent message that could have put an end to Gabriel's intended Friday fun and sent his salary to a fraudster;

To phish a phisher

After Carolin reported the incident to our security officer, we decided to continue the dialog with the attacker and gather more details about the modus operandi. The new account number was never mentioned in the initial email, presumably to reduce the risk that recipients who were not fooled would report the account number to the bank, which could then block it.  We replied to the fake email and explained that it would be no problem to update the account number, just send the details to us. We quickly received a reply back, containing a picture of a document with the account number where the attacker wanted us to continue sending Gabriel's salary. We were now able to report the account number to the bank and hopefully stop any unauthorized payments to the account.

Bilden föreställer ett fotografi på falska kontouppgifter.
Most likely, the attacker chooses to send the account details in an image to avoid triggering email filters.

Spear-phishing using AI?

How did the scammer know who was responsible for the payroll system at Nimblr? How did they know that Gabriel worked at the same company, and that his title was "Technical Support Specialist"? All this information can be retrieved from LinkedIn with a little research, or through a relatively simple program code and some logical assumptions.

This type of scam is usually more time-consuming to create than other, more generic mailings. However, it can be assumed that this was one of many messages, perhaps automatically created using AI, which is fed basic information about many different victims, and then spits out thousands of customized fraudulent emails;

Watch out and start training your users

Fingers crossed that other recipients of similar messages are as prepared as the HR manager at Nimblr. If you feel unsure about the state of resilience in your organization, I recommend you book a demo with us at Nimblr. We can then tell you more about how you can continuously train, test and keep your colleagues updated on the ever-present online attacks.

Making the internet safer