TORONTO — Fraudsters have become creative in disguising email that contains dangerous links and attachments and Canadian firms may be falling for the scams more often than those in other countries.
“We’ve seen everything from fake divorce papers to fake medical diagnoses, sometimes not even for the recipient of the email,” Proofpoint senior vice-president Ryan Kalember said in an interview at a Toronto cybersecurity conference.
“Humans are naturally curious creatures. We’re going to fall for that at some rate.”
A recent Proofpoint analysis found nearly 100 criminal cyber campaigns that targeted Canada between Jan. 1 and May 1 this year, in addition to thousands of other generic campaigns that reached Canada through the internet.
One type of malware noted by Proofpoint was DanaBot, which has been used to send out Canada Post-themed lures.
“We’ve seen a couple of campaigns leverage Canada Post branding. And that’s not uncommon. Package-delivery lures are always somewhere in the top five in terms of phishing that works for attackers,” Kalember said.
The danger for people who get such emails is that they may download software that could grab passwords, or send more fraudulent spam messages to reach more victims, or lock out access to system files.
David Masson, the Canada country manager for Darktrace — a cybersecurity firm — agrees that spoofing scams that hijack well-known brands are quite common internationally and Canada’s experience is similar.
But Masson said a Darktrace analysis last year found its Canadian clients were about three times as likely to download malware compared with clients in other countries.
“Which would indicate to me, that people were receiving links, phishing emails, business compromise spoofs — people being tricked …. into effecting the attack on themselves. You know, victim-operated attacks,” Masson said.
However, Masson sad there is a lack of official statistics on this type of security breach.
A database search done for The Canadian Press by the Canadian Anti-Fraud Centre suggests there’s been a rise in reports of suspected Canada Post-themed scams this year. It found 35 suspected frauds using Canada Post branding over 12 months ended May 1, including 26 in 2019.
The Office of the Privacy Commissioner said in an email that it was aware of this type of email spoofing, but had not heard anything specific to Canada Post and had not “received any recent complaints that relate specifically to this type of breach.”
Kalember said criminals have also used more sophisticated campaigns to target Canadians, using specific information about their targets that has been accumulated through many years of database breaches.
“Every single one of us has our email credentials tied up with all of these huge breaches that we hear about.”
That means hackers have many examples of how companies send internal messages, which people are in a position of authority, and even a record of old passwords that provide clues to new passwords, he said.
“And the longer that somebody has worked at an organization, the more predictable their password is likely to be,” Kalember said.
As a result, that has created a different type of email vulnerability for companies that build their business communications around a cloud-based system such as Microsoft Office 365 or Google Docs.
Once fraudsters have figured out a key person’s password, they can wreak havoc on a company by impersonating a supervisor and instructing a staff member to redirect the payroll or other payments to a different account.
“If a fraud actor can successfully empty that bank account, it can be quite catastrophic. And we’ve seen this quite regularly,” Kalember said.
Kalember said many times the criminal campaigns are unreported, so it’s difficult to quantify their frequency.
“That said, the attackers all measure this extremely carefully and the fact that they’re doing more of it is a clear indication that it is working — at least in some fashion.”
A Canada Post media representative said in an email that “unfortunately, malicious phishing emails circulate from time to time” and pointed to Canadapost.ca for advice on how to detect phishing emails and avoid falling for them.
“When Canada Post makes a delivery attempt, we leave a delivery notice card at your door or in your mailbox. We do not contact you by email unless you have requested it,” the website says.
The postal service also recommends that customers delete suspicious emails containing a link or file and report suspicious email to the Canadian Anti-Fraud Centre or Canada Post customer service.
David Paddon, The Canadian Press