How leaked company credentials are creating a phishing tsunami in 2021


2020 saw phishing scams skyrocket to 75 per cent more attacks than in 2019, with more bad actors taking advantage of the shifts in how we work and live due to the coronavirus pandemic.

Despite many companies recognising the importance of cybersecurity, few are taking the steps needed to stop cybercriminals from accessing and exploiting stolen credentials, particularly over the dark web. Business and security executives need to become vigilant not just about preventing attacks from external parties, but also about protecting the data and information under their own watch.

All it takes is one wrong click

There are three common tactics bad actors use leaked company credentials for:

  • Business email compromise (BEC): A bad actor poses as a business owner or corporate executive and sends a convincing email asking a staff member to make an urgent money transfer or payment.
  • Credential theft/URL: Also known as dynamic phishing sites, this is where a bad actor emails a targeted user within the business a link to a newly set-up, legitimate-looking domain or web page, such as an Office365 account verification login page.
  • Account takeover: In this form of external impersonation, a well-known third-party supplier or partner of the business has an account credential stolen, and the bad actor uses the trusted third-party domain to send a targeted impersonation email to an unsuspecting employee requesting payment of an invoice.
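As an added illustration (not part of the article), the following Python triage script flags the header and body patterns the three tactics above rely on: an executive's display name on a non-company sender, a mismatched Reply-To, a brand keyword in a link to a non-company host, and urgent payment wording. The company domain, executive names, brand words and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed assumptions: the company's own mail domain, the executives whose
# names BEC senders borrow, and brand words seen in lookalike phishing hosts.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}
BRAND_WORDS = ("office365", "microsoft", "example-corp")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw):
    """Return the list of indicator labels found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # Tactic 1 (BEC): an executive's display name on a non-company sender.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        flags.append("exec-display-name-external-sender")
    # Replies routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        flags.append("reply-to-domain-mismatch")
    # Tactic 2 (credential theft/URL): brand keyword in a non-company link host.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and any(w in host for w in BRAND_WORDS):
            flags.append("lookalike-link:" + host)
    # Tactics 1 and 3: the urgent transfer / invoice wording the article describes.
    if re.search(r"\burgent\b.*?\b(transfer|payment|invoice)\b", body, re.I | re.S):
        flags.append("urgent-payment-request")
    return flags


# Constructed sample message combining several of the indicators above.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@freemail-provider.example>
Reply-To: jane.doe.ceo@another-mailbox.example
Subject: Wire transfer today

Hi, I need an urgent transfer processed today for the attached invoice.
Please also re-verify your mailbox: http://office365-account-verify.example/login
"""
```

Running `bec_indicators(SAMPLE_BEC)` returns all four labels; a message from the same executive at the company domain with no links returns an empty list.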

While the above scenarios may seem easy to recognise, it is worryingly common for working professionals to be taken in by these types of emails. During the pandemic in particular, with heightened uncertainty and vulnerability among employees, cybercriminals took advantage of many workplaces letting their guard down.

Opening the floodgates to cybercrime

Phishing attacks on individual employees can mislead victims to believe their personal information and credentials have merely been stolen or exploited. The reality is much worse. Phishing of an individual is commonly a strategy to access an entire network of data and information. With one individual’s credentials, bad actors can conduct spear-phishing and password re-use attacks to exploit an entire business.

In 2019, Scamwatch said BEC scams alone netted $5.3 million across Australia, and it was found 62 per cent of small businesses had been hit by some level of cybersecurity breach. Business owners under the illusion that cyber-attacks impact a small portion of SMEs in minor ways need to rapidly re-assess their own technology setups and be prepared for the high likelihood of an attack in the short-term.

2021 will see more phishing attacks than ever

Bad actors who use phishing techniques thrive on vulnerability, urgent financial news and current affairs, and pretexts for urgent executive communications. With many businesses adopting longer-term or permanent plans for staff to work from home, more communication will shift online than ever before. This lessens the likelihood of staff being able to check in person with a colleague who would otherwise be close by about a suspicious-looking email or unlikely request. Instead, employees will need to rely on their own caution, which research shows is highly unreliable.

In 2021, more than ever, businesses of all sizes cannot rely on basic or outdated cybersecurity measures. With Australians losing a combined $176.1 million to scams last year, now is the time to invest in enterprise-grade cybersecurity solutions that are priced for SME budgets and can pre-empt and avoid the costs of attacks down the line.

Roger Carvosso, Strategy and Product Director, First Wave Cloud Technology