A reminder: phishing and brand-spoofing work best against the unsecured and unaware.
A phishing scam perpetrated by a man stealing sensitive personal information from high-profile individuals should provide a warning sign to organizations of all sizes: this could happen to you without the right safeguards in place.
According to a report in Dark Reading, a Dacula, Ga. resident named Kwamaine Jerell Ford has pled guilty to one count of computer fraud and one count of aggravated identity theft in a scheme where he stole credit card information from the Apple accounts of celebrity rappers, NBA and NFL players.
Dark Reading reported that the number of targets who fell for the phishing scam totaled in the dozens.
According to the US Department of Justice, the 27-year-old cybercriminal posed as an Apple customer support representative in thousands of phishing emails asking targets to reset their accounts; through those resets he gained access to the accounts and then stole credit card numbers. He then made a series of high-cost purchases with the stolen cards, including air travel, hotels and furniture, and initiated money transfers to online accounts.
“The high-profile victims in this case are an example that no matter who you are, hackers like Ford are trying to get your personal information,” said Chris Hacker, Special Agent in Charge of the Federal Bureau of Investigation (FBI) in Atlanta.
Phishing attacks big and small
Phishing is the go-to attack technique for both high and low-profile attacks, and has been for years. While in this case the attacker focused on high-profile celebrities, this same level of targeting and brand-spoofing is used to victimize regular companies, their executives and staff every day.
The reason why we keep seeing these types of phishing attacks over and over again—no matter the size of the target or if they’re going directly after money, corporate IP or personally identifiable information (PII)—is a simple one: they consistently work. They work in part because of human nature: people are often busy and inclined to trust a message that looks like it comes from a familiar brand.
The FBI offered sound advice in this instance, asking people to “be careful in protecting personal information and passwords, especially in response to suspicious emails.” For organizations, this advice is a good start as well, but it takes more to achieve cyber resilience against sophisticated attackers.
The best defense is to use email and web security systems that are built to defend against targeted phishing such as this, to provide continuous security awareness training for the entire organization, and to implement business processes and data handling that aren’t vulnerable to a single point of failure.
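To make the first of those defenses concrete, here is an added example (not code from the post or from any vendor product) showing the kind of brand-spoofing checks an email security layer applies to the pattern described above: a display name that claims to be Apple support, a sending domain and reset link that belong to someone else, and a DMARC failure recorded by the receiving mail server. The brand table, lure phrases and the two sample messages are constructed for the example; the `.example` domains are reserved placeholders.

```python
"""Heuristic brand-spoofing checks for inbound mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand table for this example: which domains may legitimately send
# mail for a brand whose name appears in the From display name.
BRAND_DOMAINS = {
    "apple": ("apple.com",),
}

# Phrases typical of account-reset lures; a constructed list, not from the post.
LURE_PHRASES = ("reset your account", "reset your password", "verify your account",
                "account has been locked", "confirm your identity")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def host_matches_brand(host: str, brand: str) -> bool:
    """True if host is the brand's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def claimed_brands(display_name: str) -> list:
    """Brands named in the sender's display name, e.g. 'Apple Support'."""
    name = display_name.lower()
    return [b for b in BRAND_DOMAINS if b in name]


def analyze_message(raw: str) -> dict:
    """Return the spoofing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    body = msg.get_payload()  # single-part text message assumed for the example
    findings = []

    for brand in claimed_brands(display):
        # 1. Display name says "Apple" but the address is not on an Apple domain.
        if not host_matches_brand(sender_host, brand):
            findings.append(f"display name claims '{brand}' but sender domain is '{sender_host}'")
        # 2. Links in the body point somewhere other than the claimed brand.
        for url in URL_RE.findall(body):
            link_host = urlparse(url).hostname or ""
            if not host_matches_brand(link_host, brand):
                findings.append(f"link host '{link_host}' does not belong to '{brand}'")

    # 3. The receiving MTA's Authentication-Results header records a DMARC failure.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth:
        findings.append("DMARC failed for the From domain")

    # 4. The text carries an account-reset lure.
    lowered = body.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure phrase: '{phrase}'")
            break

    return {"sender": address, "findings": findings,
            "verdict": "quarantine" if len(findings) >= 2 else "deliver"}


# Constructed sample: the support-impersonation pattern described in the post.
PHISH = """From: "Apple Support" <support@apple-id-alerts.example>
To: target@example.net
Subject: Action required
Authentication-Results: mx.example.net; dmarc=fail header.from=apple-id-alerts.example
Content-Type: text/plain

Your Apple ID was used to sign in on a new device. Please reset your account
within 24 hours: https://apple-id-alerts.example/reset
"""

# Constructed sample: display name, sending domain and link all agree.
LEGIT = """From: "Apple" <noreply@email.apple.com>
To: target@example.net
Subject: Your receipt
Authentication-Results: mx.example.net; dmarc=pass header.from=email.apple.com
Content-Type: text/plain

Thanks for your purchase. View it at https://appleid.apple.com/account
"""

if __name__ == "__main__":
    for raw in (PHISH, LEGIT):
        print(analyze_message(raw))
```

Each indicator on its own is weak (a display name containing "apple" also matches an unrelated company name, and a legitimate newsletter can fail DMARC through a misconfigured forwarder), which is why the verdict requires two independent signals; production filters combine many more, but the shape is the same: compare what the message claims to be with where it actually came from and where its links go.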
And it is key to remember that you or your organization does not need to be high-profile to be targeted by these types of phishing attacks.