Too Legit – The DocuSign No Malware Phishing Exploit

You or your CFO receive an email offering business capital at attractive interest rates.  The company that sent you the offer has provided an application for the loan using the legitimate document presentation platform, DocuSign.  Everything looks legit, and it is.  No fake web pages or near-miss web addresses.  But this is the latest in “no malware” phishing scams.

Filling out the form will give the attacker all the information they need to steal the corporate financial identity of the company. The final request, for the last three months of bank statements, would allow the attacker to empty your bank accounts as well.

This type of attack is almost impossible to identify, because the component parts are riding on a legitimate web service, in this case, DocuSign. If you or an employee were to apply for this “loan,” your small business could be in a world of hurt.

If you are interested in seeing actual screenshots of this exploit, please click through to the KnowBe4 website by clicking on the link below. Defending against an exploit like this one is tough, but once again, if it sounds too good to be true, it probably is. Any request for money, whether a wire transfer, presentation of an invoice, or an offer for funding, needs to be verified before the transaction becomes irreversible. Cybersecurity awareness training can be one effective way to teach employees what sort of scams to look for.

More information


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
