On May 8, Amazon announced that it had become the victim of an “extensive” fraud in which unidentified hackers siphoned funds from merchant accounts on the platform over a period of six months. The company believes that it was the victim of a serious cyberattack, and that the attackers compromised around 100 accounts.
The motive? As is the case with most attacks of this kind, money. As Amazon explains, it is very likely that the accounts were compromised using phishing techniques that tricked the vendors into giving away their login details. With this information, the hackers managed to change the bank details on the Seller Central platform, diverting the money earned by the sellers into the criminals’ accounts, according to the legal documents presented in the UK.
One of the main problems? The long period of time that these accounts were compromised without anyone realizing. The theft took place between May and November last year. The fact that the cybercriminals were able to act over such a long period of time is indicative of the need to close the detection gap — that is, the time between a cybercriminal action starting and it being detected.
Amazon has asked Barclays for access to information about the accounts to which it believes that the cybercriminals sent the stolen money. These documents are necessary in order “to investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing.”
Phishing: a highly efficient criminal tactic
A fraud of such dimensions affecting the largest online platform in the world serves to highlight the scope of phishing, as well as the effects that it can have, even on the most well-known companies.
Phishing is a cybercriminal tactic that has been around ever since email was invented, and the number of victims grows every year: in 2017, 76% of companies in the world experienced a phishing attack; in 2018, it was 83%. According to Verizon, 93% of data breaches start with a phishing attack, and 95% of all cyberattacks on corporate networks stem from a phishing email. BEC (Business Email Compromise), a sophisticated, highly targeted type of phishing, cost companies in the US some $12 billion between 2013 and 2018.
The importance of money in these attacks is clear when we consider the fact that six of the ten most effective phishing campaigns last year used the word “invoice” as the subject, while the other four campaigns in the top ten used terms such as “payment remittance” or “payment”.
It is vital to know how to tackle these kinds of attacks and incidents. And the first step is to make sure that employees are aware of this type of attack, and that they know how to identify phishing emails. Some of the key indicators that you’re dealing with a phishing attempt are:
- A sender domain that doesn’t exactly match the email address the sender normally uses.
- Spelling and grammar mistakes.
- A different language to that normally used in communications.
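As an added illustration that is not part of the original article, the Python routine below checks a message against the first indicator above (a sender domain that does not coincide with the expected one) and against the “invoice” / “payment” subject lures mentioned earlier. The trusted domain and the sample headers are constructed for the example, not taken from Amazon’s real mail setup.

```python
from email.utils import parseaddr

# Subject terms the article reports in last year's most effective phishing
# campaigns, plus the bank-detail theme of the Seller Central fraud.
MONEY_TERMS = ("invoice", "payment remittance", "payment", "bank details")

# Constructed assumption for the example: the domain a seller expects mail from.
TRUSTED_DOMAINS = ("amazon.com",)


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def matches_trusted(domain: str) -> bool:
    """Exact match or a genuine subdomain. The trusted name must be the suffix,
    so 'amazon.com.example.net' and 'amazon-payments.net' are both rejected."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def phishing_indicators(from_header: str, subject: str) -> list[str]:
    """Return which of the article's indicators are present in one message."""
    flags = []
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not matches_trusted(domain):
        flags.append("sender domain does not coincide with the expected one")
        # Brand name in the display name or a lookalike domain: spoofing attempt.
        brand = TRUSTED_DOMAINS[0].split(".")[0]
        if brand in display_name.lower() or brand in domain:
            flags.append("sender imitates a trusted brand")
    if any(term in subject.lower() for term in MONEY_TERMS):
        flags.append("money-related subject lure")
    return flags


# Constructed sample messages (not real mail headers).
SAMPLE_MAIL = [
    ("Amazon Seller Support <no-reply@sellercentral.amazon.com>", "Your monthly statement"),
    ("Amazon Seller Support <support@amazon.com.verify-account.net>", "Invoice: update your bank details"),
    ("Payments Team <billing@amazon-payments-center.com>", "Payment remittance pending"),
]


def triage(messages=SAMPLE_MAIL) -> dict[str, list[str]]:
    """Map each sender header to its indicators; an empty list means none fired."""
    return {frm: phishing_indicators(frm, subj) for frm, subj in messages}
```

Only the first sample comes back clean; the other two are flagged both for the sender domain and for the money-themed subject.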
So that the whole company can recognize these emails, and to ensure that everyone knows what to do when they receive one, it is a good idea to carry out phishing drills.
Another key is prudence. It is important that employees don’t open any attachment until they know for sure that the email is from a known sender, and that the file is safe.
Even if an email doesn’t have any of the “classic” indications of phishing, but still arouses suspicions, it is always best to double check its contents, especially if it is about bank transfers.
Finally, as with most cybersecurity problems, the risks of being attacked over email can be avoided with a combination of human and technological factors: common sense and employee training, so that staff gain the experience to prevent and detect attacks, along with advanced cybersecurity platforms capable of warning of any dangers that we may have overlooked.