Cyberattack alert
Beware of emails from fraudsters posing as supervisors! Since the coronavirus pandemic began, there’s been an upsurge in internet fraud. How can we arm ourselves against it?
Has your supervisor suddenly made an unusual, urgent request? If an email gives you an uneasy feeling, it’s worth pausing for a moment. It could be a personalised phishing attack.
This is CEO fraud
ETH recorded a rise in cyberattacks last year. A particularly insidious form of attack is CEO fraud, in which employees are contacted, apparently by their supervisors, and asked to urgently buy gift cards, for instance. Here the fraudsters deceive an employee by email or over the phone in order to gain financial data, passwords or a money transfer. They pretend to be the victim’s supervisor or another senior person in the organisation.
Putting the victim under pressure
Fraudsters often get hold of the codes from Google Play or Apple Store gift cards, which the employees buy in good faith with their own money. They do this by creating a sense of urgency – putting their victims under pressure and leaving them no time to think. Victims are contacted by name, and their willingness to help is surreptitiously exploited.
Such attacks are carefully prepared. “Whereas previously phishing emails could easily be spotted by their typos, fraudsters now do extensive internet research,” says Domenico Salvati, Chief Information Security Officer at ETH Zurich. These days, the supervisor’s name is neatly placed above the email address, the address details are copied into the footer, and sometimes even a second email address is created that appears to be the supervisor’s private address.
How CEO fraud often plays out
ETH employee X receives an email request, which seems to have been sent by the supervisor:
- “Hello are you free at the moment? I need your assistance urgently.”
Employee X: “Yes, I’m free now. What can I do to help you?”
- “Okay good. I’m in a meeting just now and need you to get me something right away. Is there a grocery store close to you?”
Employee X: “Yes, there are several close by.”
- “Good, so this what I’d like you to do as quickly as possible. Could you buy me four Google Play gift cards, at 100 francs each? Then please send me photos of the voucher numbers on the cards. I’ll reimburse you as soon as I can, of course.”
Employee X, a little later: “I’ve got the cards. And here are the photos of the numbers.”
- “Thanks! But I need three more cards and I can’t get out of this meeting! Can you help me out again, please?”
Employee X: “….?”
What can I do to prevent this?
- Check the email address: Move the mouse slowly over the sender’s name, but don’t click on it. The name displayed is chosen freely by whoever sent the message, so only the address behind it counts. If it’s not an ETH address, you should be suspicious – even if it carries the supervisor’s name. Bear in mind that even a correct-looking address can be forged, so a matching address on its own is not proof.
- Look out for distinguishing features: Often the request is very urgent, to leave you no time to think. It appeals to your willingness to help.
- Pay attention to digital signatures and use them yourself. Within the email itself, a valid signature is the only reliable way to identify the sender; an unsigned message from a colleague who normally signs is itself a warning sign.
- Never click on links or attachments in dubious emails.
- Never give out passwords, even if the request seems trustworthy.
- Look up the sender in the official directory and contact them via their official ETH telephone number or email address to verify the request. Do not reply to the suspicious email or use any phone number it contains, as these lead straight back to the fraudster.
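The first check in the list above (compare the displayed sender name with the actual address) and the warning signs in the second one (urgency, gift-card requests) can also be applied automatically before a message reaches a mailbox. The following script is an added example written for this page, not code from ETH or its IT Services. It parses the From and Reply-To headers, flags a known staff name paired with an address that is not the official one, flags external sender domains, flags a Reply-To that differs from the From address, and looks for urgency and gift-card wording in the body. The internal domain, the staff directory entry (“Anna Muster”) and the sample messages are all constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: the organisation's mail domain and a tiny
# "staff directory" mapping display names to official addresses.
INTERNAL_DOMAINS = {"ethz.ch"}
KNOWN_STAFF = {"Anna Muster": "anna.muster@ethz.ch"}

# Wording typical of the pressure tactics described above.
URGENCY_WORDS = ("urgent", "right away", "as quickly as possible", "gift card")


def check_message(raw: str) -> list[tuple[str, str]]:
    """Return a list of (finding_code, detail) pairs for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    # Split "Display Name <address>" into its two parts; the name is attacker-controlled.
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    official = KNOWN_STAFF.get(name)
    if official and addr != official.lower():
        findings.append(("name-address-mismatch",
                         f"display name '{name}' but address {addr} is not {official}"))

    if domain and domain not in INTERNAL_DOMAINS:
        findings.append(("external-domain", f"sender domain {domain} is external"))

    # A Reply-To pointing elsewhere redirects the conversation away from the shown sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_to} differs from From {addr}"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency-wording", "matched: " + ", ".join(hits)))

    return findings


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """From: Anna Muster <anna.muster.eth@gmail.com>
To: employee.x@ethz.ch
Subject: Hello
Content-Type: text/plain; charset="utf-8"

Hello are you free at the moment? I need your assistance urgently.
Could you buy me four Google Play gift cards as quickly as possible?
"""

SPOOFED_REPLY_TO = """From: Anna Muster <anna.muster@ethz.ch>
Reply-To: anna.muster.eth@gmail.com
To: employee.x@ethz.ch
Subject: Quick question
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need something right away.
"""

BENIGN = """From: Anna Muster <anna.muster@ethz.ch>
To: employee.x@ethz.ch
Subject: Team meeting
Content-Type: text/plain; charset="utf-8"

Hi, the team meeting moves to Thursday at 10:00. Agenda as before.
"""


def finding_codes(raw: str) -> list[str]:
    """Convenience wrapper returning only the finding codes for a message."""
    return [code for code, _ in check_message(raw)]


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS),
                          ("spoofed reply-to", SPOOFED_REPLY_TO),
                          ("benign", BENIGN)):
        print(f"--- {label} ---")
        for code, detail in check_message(sample) or [("ok", "no findings")]:
            print(f"{code}: {detail}")
```

The first sample trips the name/address check, the external-domain check and the wording check; the second has a perfectly normal From line and is caught only by the Reply-To and wording checks, which is why a single indicator should never be relied on; the third produces no findings. A script like this is a filter, not a replacement for calling the supposed sender back on their official number.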
I’ve received a phishing email. What should I do?
- Forward the suspicious email to the IT Services support centre – as an attachment!
- If you’ve clicked on something or have been the victim of a cyberattack, contact the IT Service Desk immediately and/or the IT support group for your department.
- If you’ve bought prepaid cards or made a transfer, try to reverse this as soon as possible (at the bank or the customer contact point).
A little suspicion is no bad thing
Particularly now, when many of us working from home have no direct contact with colleagues and can’t check up on things easily, it’s wise to be cautious.
Online scammers are sneaky and skilled at using human nature to establish contact. That’s why it’s crucial always to be alert, especially when working from home. If we deal openly with this issue and warn others, scammers will have a much harder time of it.
You’ll find more on CEO fraud, phishing and internet fraud on the IT Services website, under information security and awareness.