Conversation hijacking is a clever combination of phishing and social engineering, and it can be devastating for businesses. Many victims of conversation hijacking don’t know that they’ve been scammed until it's too late.
What is conversation hijacking?
Conversation hijacking is a phishing technique where a scammer inserts themselves into a pre-existing email conversation, or uses information that they’ve gathered to impersonate an email contact that is known to the victim. The scammer usually pretends to be someone with authority: the director of a company, a previous client or customer, or even just a senior member of staff.
How does the scam work?
Initially, a scammer gains access to an email account. This might be through a compromised network, a malware-infected link or by breaking into the account directly. A scammer doesn’t need to have access to the email account for long; just long enough to run a program which makes a copy of all the information in the account. They then use this information to identify which senders and recipients they should impersonate, as well as to gather data about the business or organisation.
Then, using their own computer program, they can send an email or insert themselves into an email thread as the manager, director or customer. They might establish rapport with the victim by sending a few emails back and forth, until eventually requesting that a payment be sent to a specific account. They might also introduce a time constraint, telling the employee that the payment must be sent within a short time frame. The victim complies, and the scammer can repeat the process until the fraudulent payments are discovered.
The biggest security flaw in your organisation: people
Conversation hijacking makes the safe assumption that employees aren’t likely to challenge an important customer, or someone above them in the business hierarchy. A member of staff who receives an email request from their manager or a client is likely to follow the instructions given quickly, and without asking too many questions.
This is called social engineering: the trust that employees have is exploited by the scammer. Social engineering capitalises on predictable human responses; for example, allowing someone in a high-vis vest access to a building, or checking an abandoned USB stick by inserting it into a computer. Scams like conversation hijacking prey on the good intentions, trust and respect of employees, which makes them incredibly effective.
Stop conversation hijacking by changing your workplace
With conversation hijacking, it isn’t enough to encourage staff to check the email address of the sender before approving payments; remember, the email address will match the boss’, client’s or customer’s. To combat this kind of scam, there needs to be a shift in workplace culture.
First, ensure that your business has a clear process for approving payments, and that it is adhered to every time. You might decide that payments have to be approved by a certain person or by multiple people, that each payment has to be recorded against a pre-existing ticket, or that payments above a certain amount need to be authorised verbally by management. These guidelines can help prevent fraudulent payments, because none of them depend on who an email appears to come from.
Businesses should also normalise employees checking in with managers and supervisors. By creating a workplace where asking questions is commonplace, regardless of where you are in the company hierarchy, there is far less potential for fraudulent payments to be approved.
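One way to make the three controls above mechanical rather than a matter of memory is a small gate that checks every payment request against the policy before money moves. This is an added example, not code from the original article or from U-secure; the threshold, the required number of approvers and the open-ticket list are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Policy values: assumed for this example, set them to your organisation's own rules.
VERBAL_AUTH_THRESHOLD = 5000.00   # payments above this need spoken sign-off from management
REQUIRED_APPROVERS = 2            # distinct approvers, none of whom is the requester

# Constructed sample of tickets that were raised before any payment was requested.
OPEN_TICKETS: Set[str] = {"INV-1042", "INV-1043"}


@dataclass
class PaymentRequest:
    requester: str                        # employee who was asked (by email) to pay
    amount: float
    ticket_id: Optional[str]              # pre-existing ticket the payment is recorded against
    approvers: List[str] = field(default_factory=list)
    verbal_auth_by: Optional[str] = None  # manager who confirmed by phone or in person


def check_payment(req: PaymentRequest, open_tickets: Set[str]) -> List[str]:
    """Return the policy violations for a request; an empty list means it may proceed.

    None of the checks look at the sender address: in a conversation-hijacking attack
    the email really does come from the boss's or customer's account, so the controls
    have to live outside the email thread entirely."""
    problems: List[str] = []
    if req.ticket_id not in open_tickets:
        problems.append("no pre-existing ticket for this payment")
    # The person being pressured by email must not be able to approve their own payment.
    distinct = {a for a in req.approvers if a != req.requester}
    if len(distinct) < REQUIRED_APPROVERS:
        problems.append(f"needs {REQUIRED_APPROVERS} approvers other than the requester")
    if req.amount > VERBAL_AUTH_THRESHOLD and not req.verbal_auth_by:
        problems.append("amount is above the threshold and has no verbal authorisation")
    return problems


if __name__ == "__main__":
    # The scam pattern: an urgent, large payment with no ticket, pushed through by one person.
    hijacked = PaymentRequest(requester="alice", amount=12000.00, ticket_id=None,
                              approvers=["alice"])
    # A legitimate payment that satisfies all three controls.
    routine = PaymentRequest(requester="alice", amount=12000.00, ticket_id="INV-1042",
                             approvers=["bob", "carol"], verbal_auth_by="dan")
    for label, req in (("hijacked", hijacked), ("routine", routine)):
        print(label, check_payment(req, OPEN_TICKETS) or "OK")
```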
Creating a security-conscious business
Finally, training and educating your employees about conversation hijacking and other kinds of phishing scams is key. U-secure is cyber security training software, which consists of ten-minute training courses and quizzes to educate staff about phishing scams just like conversation hijacking.
The short courses are emailed to your staff, and the results recorded for your organisation. This means that businesses have a clear snapshot of how security-conscious their employees are, and who needs help or further training.
As a U-secure partner, Transcendit offers a 30-minute demo of the program to help you decide whether it could be beneficial to your business.
Curious about U-secure? Give us a call on 0191 482 0444