by Justin Massey
April 12, 2023
Attackers are actively targeting answering services and call centers. Relay Hawk customers have reported phishing attacks designed specifically for these industries. This blog post will walk through an example where an attacker sends a phishing email from a call center agent’s email address to a call center’s HR department. If you are a call center owner, manager, supervisor, or agent, reading this blog will help you stay vigilant and protect your business from becoming the next victim.
In this phishing attack, the attacker’s ultimate goal is for a business to send money to an attacker-controlled bank account. The attacker sends an email from an agent’s fake email address to the head of HR. The email's body specifies that the agent has a new bank account number and requests that the head of HR change the account before the next payday.
This type of phishing attack is a common strategy, but the level of detail attackers put into it has grown more sophisticated. They have invested time and energy to trick the businesses they target.
The first step in the attacker’s process is to research your organization to increase the likelihood that the attack will succeed. They build a basic organization chart based on data from LinkedIn and other sources. In the security industry, any data an individual can gather about you or a business online is known as Open Source Intelligence (OSINT). For this scenario, let’s say that the organization has the following org chart:
After they have an org chart, they select their victim. HR managers are the likely choice for this example, but the business owner would likely be the victim if you do not have an HR manager. In this scenario, the victim is Lisa Johnson, the HR director. The attacker then identifies who they want to masquerade as. In this example, the attacker selects Michelle Martinez, an agent.
The attacker's next step is to gather the business's email addresses. This information may be available online, or they may simply send an email to a few different variations of the person’s name at the company’s domain to see if the email bounces. Examples:
After verifying the email, they must create an email address that makes it look like Michelle Martinez sent the email. Relay Hawk has seen attackers use Gmail accounts with addresses such as firstname.lastname@example.org for these campaigns, mimicking the email naming conventions common at call centers. They likely use Gmail accounts because they are free, easy to set up, and won’t set off spam filters.
They then configure the “From” name in Gmail to “Michelle Martinez” so that when the email arrives in the victim’s inbox, it will look like “Michelle Martinez” sent the email.
After the attacker configures the email account, they compose an email to Lisa Johnson that looks like the following:
This email composition isn’t perfect English, but it isn’t terrible. Now the only thing left for the attacker to do is sit and wait for the HR director's response.
Hopefully, your spam filter has caught the email. Spam filters do not work 100% of the time, however, so here are a few things you can do to identify this as an attack.
In this example, the name shows “from: Michelle Martinez,” but if you click on the person’s name, you can see “email@example.com.” Depending on your mail client (e.g. Gmail webmail, Outlook Web Access, Microsoft Outlook Desktop, Apple Mail), the way to check the “from” field varies slightly. Here is an example from a Google Workspace email client.
When this email says “before the forthcoming payroll is processed,” you may think, “Oh, no! Payroll is tomorrow! Let me get on that right now!” That is exactly what the attacker wants you to think. When something is urgent, you are less likely to think clearly and second-guess whether the email is legitimate. The urgency here is subtle, but it can be effective.
Human intuition can be better at detecting illegitimate emails than spam filters. Perhaps you know Michelle is on vacation, that she already changed her bank account last month, or that her signature looks different. If something feels “off,” you are probably right. Even if the email comes from a legitimate address, don’t assume everything is OK. If Michelle’s real address is displayed (e.g. firstname.lastname@example.org), it could be because an attacker compromised Michelle’s email account.
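The “from” check described above, as an added example that is not part of the original post: a small Python routine that compares the display name and address in the From header against a staff directory and flags the display-name mismatch this attack relies on. The company domain, directory, and message are constructed for illustration, and a clean result does not mean the mail is safe, since a compromised real mailbox passes these checks.

```python
# Added example (not from the original post): flag display-name impersonation,
# where the "From" name reads "Michelle Martinez" but the underlying address
# belongs to a free webmail domain. Domain, directory and message below are
# constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-callcenter.com"            # hypothetical company domain
DIRECTORY = {                                        # hypothetical staff directory
    "michelle martinez": "michelle.martinez@example-callcenter.com",
    "lisa johnson": "lisa.johnson@example-callcenter.com",
}

# Constructed raw message modelled on the attack described in the post.
SAMPLE_EMAIL = """\
From: Michelle Martinez <firstname.lastname@example.org>
Reply-To: firstname.lastname@example.org
To: Lisa Johnson <lisa.johnson@example-callcenter.com>
Subject: Updated direct deposit details

Hi Lisa, I changed banks. Please update my account before the forthcoming
payroll is processed. Thanks, Michelle
"""


def check_from_header(raw_message, company_domain=COMPANY_DOMAIN, directory=DIRECTORY):
    """Return a list of warnings about the From/Reply-To headers.

    An empty list means the headers are consistent, not that the mail is safe:
    a compromised real mailbox produces no warnings here, so the out-of-band
    verification the post recommends still applies.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = []
    if domain != company_domain.lower():
        warnings.append(f"From address {address} is outside {company_domain}")
    expected = directory.get(display_name.strip().lower())
    if expected and expected.lower() != address.lower():
        warnings.append(f"Display name '{display_name}' matches an employee, "
                        f"but the address is not {expected}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from the From address")
    return warnings


if __name__ == "__main__":
    for line in check_from_header(SAMPLE_EMAIL):
        print("WARNING:", line)
```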
If any of the previous bullets set off an alarm, proceed to the next steps.
By responding to the email, you may give the attacker additional information. Your reply confirms that your email address is valid and will likely include your signature. The attacker can use your signature in future emails to look like you: if another employee saw an email with your authentic signature, they would be more likely to believe it is legitimate.
The attacker could have included a link to log into your HR system and change the bank account information. However, the link could have led to a lookalike HR system rather than your legitimate one. If you typed in your username and password, they would now have access to your HR account.
This email requests that you change where money flows. You likely have a process for changing a bank account and should follow it. Before making a change like this, validate the request out of band. It is best to pick up the phone and call the employee. You could also message them on your company messaging system (e.g. Microsoft Teams, Slack), but if their email account is compromised, these accounts may be compromised as well.
Depending on the structure of your business, the person you contact about this may vary. If this looks like a targeted attack, it is best to let everyone in your business know that it is occurring so that other employees are aware of it and less likely to fall victim to it.
To train your email provider’s spam filter, you should label the email as spam. Hopefully, the next time an attacker attempts to trick you, the spam filter will be smarter, and you will not receive this email in your inbox.
In security, we can implement preventative measures to stop attacks. These can include training our workforce or implementing technical controls. The following are a few ways to protect your business from phishing attacks:
You should have some form of security awareness training for your employees. Larger organizations have formal training processes and often outsource their training to companies such as KnowBe4. Smaller businesses could use a much simpler approach, such as a wiki that links to articles like this one. After an employee has read the article, they could mark it as read.
2FA is also known as multi-factor authentication (MFA). 2FA would not have helped in this case because the agent’s email was not compromised. If an attacker did compromise the email account, the email would seem legitimate because the email address would have been correct. With 2FA in place, an attacker cannot log into the email account without also compromising the second factor. For more information on 2FA and ways to better secure your accounts, please read our blog on A Guide to Creating and Managing Passwords.
Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are mechanisms that receiving mail servers use to verify that a message claiming to come from your domain was actually sent by a server you authorize. If these are not set up correctly for your domain, an attacker may be able to send emails on your behalf from a mail server they control and not be blocked by spam filters. You can use a free tool like MXToolbox to get started.
Keeping your machines up to date would not have prevented this attack. However, suppose the attacker asked the supervisor to download malware masquerading as a different file (e.g. a phone call recording). In that case, the up-to-date device would reduce the likelihood that running the malware on the machine would have ended in a successful attack.
What will you do if someone at your business falls for the phishing attack? You should think through this before being attacked and have a plan to respond.
Phishing attacks targeted at small businesses such as call centers and answering services are becoming more frequent. You can read more about why a hacker may target a small business. In short, larger businesses are getting better at defending against these attacks, so attackers are moving on to smaller businesses.
If you have received a phishing email that you think is targeted at your business that other businesses should know about, please send it to email@example.com. We will anonymize any data from your organization before posting a blog.
If you would like to learn more about protecting your business, Relay Hawk is here to help. Relay Hawk’s product reviews your business security footprint and identifies ways to improve your security posture, so you can reduce the likelihood of a successful cybersecurity attack such as phishing.