Don't get phished: Businesses here lost around $43 million in 2017 due to e-mail impersonation scams

The tactic used to carry out cyber crime is on the rise in Singapore, with business e-mail impersonation scams jumping by nearly 10 per cent between January and July last year

You would not allow a thief to enter your home, but what if the thief was disguised as someone familiar and tricked you into opening the door?

Phishing works in the same way - people open the doors to their data, giving up usernames, log-in information or other information to malicious e-mails, links or websites masquerading as reliable ones.

The sneaky tactic is one of the most commonly used tools by hackers to launch cyber attacks or carry out crimes and its occurrence is on the rise in Singapore.

The Singapore Police Force received more than 200 reports about business e-mail impersonation scams between January and July last year, an increase of 9.7 per cent from the same period in 2017.

Business e-mail impersonation attacks are a phishing tactic used by cyber criminals designed to trick users into making wire transfers or giving up information to them. In such attacks, cyber criminals pretend to be superiors, management staff or even staff from external companies with whom the targeted user works.

It was reported last year that businesses here lost around $43 million in 2017 due to e-mail impersonation scams. This figure was $25 million in 2016.

Singaporeans are pretty used to filling up forms asking for all kinds of personal data and are used to thinking of Singapore as a safe place. These turn Singapore into a soft target for phishers. 

SOCIOLOGIST TAN ERN SER.The Symantec Internet Security Threat Report shows that phishing levels here were more than 12 per cent higher than the global average

Last year, a case of a 22-year-old man who lost nearly $50,000 highlighted the dangers of phishing.

The money was transferred from his bank account without his consent after he had earlier received a call saying he was linked to an alleged kidnapping incident.

He was directed to two phishing websites and told to key in his bank details at each website and download a software to allow the computer to be accessed remotely.

According to a report by the Cyber Security Agency, phishing instances here jumped by almost 10 times from 2016 to 2017. There were 23,420 links found, up from 2,512 in 2016.

While phishing is not new, it has remained a popular tactic among cyber attackers because of how easy and effective it is in gaining entry into a secure system.

Mr Matthew Bennett, vicepresident and managing director of Asia-Pacific and Japan at cyber security provider Carbon Black, called it "one of the most commonly deployed attacks around the world".

He says: "All it takes is one unsuspecting user to click on a malicious link sent in a cleverly crafted e-mail and an entire supply chain can be breached."

This is what happened in Singapore's worst cyber attack, the SingHealth data breach. Thanks to a phishing e-mail, the attackers got into the healthcare cluster's system and moved around in it before making off with the stolen data of more than 1.5 million patients, including that of Prime Minister Lee Hsien Loong.

There are two main forms of phishing: mass phishing and spear phishing.

Mass phishing, which involves generic e-mails or links that have no specific targets, is usually sent to a wide range of people and is therefore not always very effective.

Mr Sherif El Nabawi, vice-president of systems engineering of Asia-Pacific and Japan at cyber security provider Symantec, says: "Mass phishing generally has a very low success rate since these are sent to large groups of people and often detected very quickly."

 
 
 

On the other hand, spear phishing involves attacks that have been planned to specifically target their victims and is more dangerous.

Mr Bennet says: "Spear phishing attacks are so dangerous because they rely on social engineering tactics wherein an attacker will research a victim, sometimes for months, and send them a tailor-made e-mail that the unsuspecting victim would think is coming from a friend, colleague or family member."

Mr Nilesh Jain, vice-president of South-east Asia and India at Trend Micro, says these targeted e-mails go beyond just the text they contain. "An unwanted e-mail that slips through a company's gateway security can easily fool a recipient if the visual and content cues in the e-mail match what the recipient typically encounters in a business context," he said.

"Logos, certain wording and even the sender format can all be used to deceive the user."

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay, says phishing is popular because it relies on the human factor and no amount of patching, firewalls or system updates can totally protect systems.

Mr Tan, who specialises in technology law and data protection, adds: "Phishing preys on human weaknesses, such as lapses of concentration or tiredness and is, therefore, very difficult to defend against, unlike, say, a technology attack which can be corrected."

SINGAPOREANS TOO TRUSTING

Singapore, in particular, seems to be more prone to phishing attacks. This year's Symantec Internet Security Threat Report showed that the phishing levels in Singapore were more than 12 per cent higher than the global average.

National University of Singapore sociologist Tan Ern Ser notes that Singaporeans are usually trusting of official channels, which makes them let their guard down when it comes to phishing attempts.

"Singaporeans are pretty used to filling up forms asking for all kinds of personal data and are used to thinking of Singapore as a safe place. These turn Singapore into a soft target for phishers," he said.

Phishing is also evolving and could get even more dangerous as hackers and scammers use technological developments to sharpen this already effective tool.

Mr Sherif points out that rapid advancement in fields such as machine learning and automation are being incorporated into such attacks.

He says: "Artificial intelligence can enhance phishing and other social engineering attacks by creating extremely realistic video and audio or well-crafted e-mails designed to fool targeted individuals."

But this does not mean that people are defenceless and cannot do anything to prevent themselves from being caught in the phishing net.

Practising good cyber hygiene habits and having a keen sense of awareness can go a long way, say experts.

Mr Jain says most companies will not ask for sensitive data from their customers, and Internet users should not allow themselves to be easily fooled by phishing e-mails and links by looking out for clues that could indicate if they are fake.

"When in doubt, users should verify with the company itself to avoid any potential issues. Additionally, users should always take a close look at the sender's display name when validating the legitimacy of an e-mail," he adds.

"Most companies use a single domain for their URLs and e-mails, so a message that originates from a different domain is a red flag."

A domain name is the address that is typed into a website browser address bar, to get to a website. It is unique to the website and cannot be shared between different websites.

Mr Douglas Mun, deputy director of the National Cyber Incident Response Centre at the Cyber Security Agency, advised users to look out for mismatched information, which can be Web addresses. They should also avoid clicking on links from unsolicited or suspicious e-mails.

He adds: "They are also advised to verify the authenticity of requests before releasing personal information or making changes to payment instructions, by contacting the organisations in question."