Thomas Cook and the problem with phishing

Last week, the world’s oldest travel agent, Thomas Cook, collapsed, leaving around 150,000 holidaymakers stranded. But the demise of one of the UK high street’s best-known brands didn’t just end up costing the government, which had to foot the bill for repatriation. It resulted in another opportunistic phishing campaign of the sort that often follow major news events.

In this case, reports soon emerged of consumers targeted with phone calls and emails purporting to come from ‘refund agents’ who just needed their bank/card details in order to reimburse them for their holiday. I spoke to some security experts to find out how far brands are exposed to such campaigns, and what they can do about it. The consensus is that communication with customers is key.

“Organisations and users are at their weakest, post-incident, when it comes to fraud. As we’ve seen time and time again, hackers almost immediately distribute phishing attempts to try and capitalise on an incident,” Proofpoint cybersecurity strategist, Adenike Cosgrove, told me by email. “The repercussions are huge: it will affect customers as well as financial institutions dealing with the aftermath, as their contact centres are inundated with calls from concerned consumers.”

The primary impact of such scams is on customer confidence and trust in the brands they do business with, according to Gemma Moore, director at security consultancy Cyberis. However, they’re almost impossible to stop, she told me.

“What brands can do is manage their customer communications closely and ensure that their customers are well-briefed about how the brand will communicate with them and under what circumstances,” Moore continued.

“Brands can work to educate their customers to treat communications with a sceptical eye. Many banks, for example, regularly remind their customers that they will never contact them asking for sensitive information like card details by email or telephone. Ultimately, vigilance is the best defence for people who are targeted in this way and brands can help this by maintaining clarity.”

Banks add confusion

So, organisations need not only to have a clear communications strategy but also to remind customers what this is, so that any phishing attempts that deviate from the norm will be easier to spot. With the Thomas Cook incident, however, UK banks added to the confusion by texting their customers with messages containing links and phone numbers to call. Some recipients understandably believed these to also be phishing attempts, especially as some claimed not to have even bought a holiday with Thomas Cook recently.

Once again, transparency and consistency is key to keeping customers safe.

“How the banks communicate is key. There is an argument that they should not use text messages as SMS phishing is rife and would potentially confuse consumers,” said Cosgrove.

Brands must not only try to mitigate the impact of attacks on consumers, of course, but also attempts to phish their employees, which could lead to serious data breaches, ransomware infection or other threats. At the same time, and backed by a global cybercrime economy built on stolen data and dark web sites, cyber-criminals are constantly evolving their tools and tactics to trick both employees and consumers.

One technique gaining in popularity is “angler” phishing, where fraudsters set up Twitter accounts masquerading as brands’ customer service operations. They monitor complaints from customers and then jump in to hijack the conversation, often requesting additional personal info and financial details from the victim.

“Another key trend we are seeing is an increase in domain fraud, where criminals leverage domains to target a known brand or company by sending phishing campaigns that look like genuine communication,” Cosgrove explained.

“Recent research shows that 96% of organisations found ‘lookalike’ domains posing as their brand, with registrations of fraudulent domains growing by 11% last year.”

This is where brand and domain monitoring services could come in handy, although as with any cyber-threat, defence-in-depth is recommended. Phishing campaigns are relatively easy to launch and have a decent success rate, so don’t expect any major change in tactics anytime soon. Ultimately all organisations can do is educate their customers about the dangers, create clear, careful communications policies, and closely monitor abuse of their brands and domains online.