Phishing for Energy Contracts – Scam Alert

A 2020 phishing benchmark report claims that 19.8% of employees click links in phishing emails, and an updated statistics report from tessian.com stated that in 2020, 75% of organisations around the world had experienced some form of phishing attack in the previous year, 35% had experienced spear phishing and 65% had faced BEC (business email compromise) attacks. Being targeted does not mean that every attack succeeded; in the United States, however, 74% of phishing attacks on business organisations are successful.

Here at Energy Solutions, we want to give you the best information to avoid all types of scams and phishing, in order to keep you safe, whether for your household utilities or your business.

So first, what is Phishing?

Phishing is the term for a form of social engineering used by scammers to steal information and user data from businesses or customers, including login credentials and credit card details. Often, these scammers falsely claim to be a company you are already in contact with, and may reach you through emails, texts or phone calls.

Oil and gas companies, producers, nuclear power companies and electrical grid operators are among the most targeted groups for such attacks. These attacks typically arrive as phishing emails aimed at the weakest point in many of these organisations' security: their own staff.

Why do people do it?

Agari reported the annual cost of cyber attacks at $17.84 million per utility company in 2018, a 17% jump from the previous year. An energy company may see its average losses rise to $13.77 million, though this is nowhere close to the total damage such attacks could do: government and cyber security company investigations have shown that state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and a menu of other highly sensitive data. Gaining this information puts at risk not only the organisations themselves, but also the homes and businesses in the communities they serve.

Unfortunately this is more than just fear. Phishers have successfully bypassed security controls in the past, and a 2017 report found that a group of threat actors had succeeded in breaching UK and European energy companies, gaining "hands-on access to power grid operations", according to Wired. This meant they had the ability to cut the power those operators supplied. We do not know why they did not do so, but analysts are concerned that these attackers are waiting for the right moment to use that access, whether for amusement or in a time of international turmoil.

In some cases, hackers around the world may look for information that would give their country the upper hand in a future dispute between states. This matches what is known of groups linked to Russia and Iran.

A 2018 Aon report describes the concerns that followed an attack on a hydroelectric dam contractor. Within ten days of stealing employee information and gaining access to the dam's control network, the attackers had the ability to open all of the dam's floodgates at once, which would have caused catastrophic flooding.

On a more personal level, scammers may look to obtain information such as the username and password for your bank account, or national identity details, in order to take money from you or clone your identity using something like a driving licence or ID card.

How do scammers do it?

Scammers often use well-timed email messages that appear to be sent by a known, trusted source. Older email defences still used by some organisations, such as secure email gateways (SEGs) and first-generation advanced threat protection (ATP) products, are not designed to filter out these advanced email attacks. As a result, employees are left to decide for themselves how to react to an email they may not recognise as dangerous, especially when it appears to come from a source they deal with regularly.

Phishers do their homework; they know what types of emails you expect to receive and when. For example, your monthly gas statement may arrive by email on the third of every month, or your phone bill on the first Monday of each month. By using Google to find names, locations and basic information, it is easy for an experienced phisher to gather details about what matters to you: whether you have children, have recently moved home, or have recently been looking at pet insurance. You will then receive an email about something they know directly interests you, and it may even offer a price that seems too good to be true. It is.

It is also common for the person contacting you to pose as a senior figure at the business, which makes the interaction seem more personal and often more urgent. If an email is signed on behalf of a CEO or a familiar name, you are more likely to follow its links and hand over your information.

The reported cases of phishing are as high as they are for a reason, and an attack may even leave you locked out of your own accounts. For example, if an attacker has already changed your bank login details, it becomes a lot more difficult for you to cancel the account and stop the transactions going through it.

Phishers rely not only on trickery and carelessness, but also on curiosity, offering information you do not already have: breaking news about the company you work for, or flashy headlines about celebrity gossip if that is something you often read on other sites.

How can I protect myself from Phishing?

Use up-to-date software at all times. Modern email security solutions judge the risk of an incoming email from the past behaviour of the sender and a host of other signals, to identify whether the messages you receive are authentic and trustworthy.

EDF Energy released this video covering a number of ways to avoid phishing, such as verifying that a communication is genuine before you reply. You can do this by checking the company's website for the email addresses it uses to contact customers, and by looking back through your past correspondence with them.

If you are still unsure, call your provider directly and ask them about it. You can also ask colleagues whether they received similar emails, and what they did.

Urgency is a common trope in phishing emails, pushing you to hand over your information immediately under threat of consequences: what if you do not receive this month's wages, or your electricity is cut off for a week? Spear phishers often set tight deadlines to distract you from the flaws in the message and make your response feel urgent. In most cases, a genuine organisation will contact you more than once about a problem, giving you time to deal with it properly.
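The checks above (does the sender's address really belong to the company, does a link go where its text claims, and is the wording pushing you to act now) can be applied mechanically before you reply. The script below is an added example written for this page, not code from Energy Solutions or EDF Energy. The trusted domains, the sample message and its addresses are all constructed for illustration.

```python
# Added example (not from the original article): triage a suspicious email
# with the article's own checks. Sender domain: trusted, lookalike or unknown.
# Links: does the visible text name a different host than the real target?
# Wording: does the subject or body press for urgency?
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Domains confirmed from the provider's website and past correspondence.
# Hypothetical values for this example.
TRUSTED_DOMAINS = {"energysolutions.example", "edfenergy.example"}

URGENCY_PHRASES = ("immediately", "within 24 hours", "final notice",
                   "will be cut off", "suspended", "act now", "urgent")

# Constructed sample message; the sender domain swaps an 'i' for an 'l'
# and the link's real target is a bare IP address.
SAMPLE_EMAIL = """\
From: Billing Team <accounts@energysolutlons.example>
To: customer@example.com
Subject: FINAL NOTICE: your electricity will be cut off
Content-Type: text/html

<p>Your payment failed. Pay immediately at
<a href="http://198.51.100.7/login">https://energysolutions.example/account</a>
or your supply will be suspended.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Plain Levenshtein distance: enough to catch one- or two-character
    substitutions such as 'solutlons' for 'solutions'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain):
    """'trusted' if the domain is on the confirmed list, 'lookalike' if it is
    within two edits of one (but not equal), otherwise 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def host_of(text):
    """Hostname of a URL, tolerating text with no scheme."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def link_mismatches(html):
    """(shown_text, real_href) pairs where the visible text looks like a URL
    but points at a different host than the href actually does."""
    found = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if "." in shown and host_of(shown) != host_of(href):
            found.append((shown, href))
    return found


def urgency_hits(text):
    """Urgency phrases present in the text, in list order."""
    low = text.lower()
    return [p for p in URGENCY_PHRASES if p in low]


def triage(raw):
    """Run all three checks over a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    body = msg.get_content()
    return {
        "sender_domain": domain,
        "sender": classify_sender(domain),
        "link_mismatches": link_mismatches(body),
        "urgency": urgency_hits(str(msg["Subject"]) + " " + body),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample message the script reports a lookalike sender domain, one link whose displayed address and real target disagree, and four urgency phrases; any one of those findings is reason enough to call the provider on a number you already have rather than reply. The edit-distance threshold is deliberately small so that a genuinely different domain is reported as unknown rather than as a near miss.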

Lastly, report it. If you are at all concerned about an email you have received, there are organisations in place to investigate it for you. You can report anything suspicious to Action Fraud, the National Fraud and Cyber Crime Reporting Centre, by calling 0300 123 2040 or by submitting the form on their website.

EDF Energy also encourages looking into the Take Five and Cyber Aware campaigns, which offer more practical advice on their websites.

For more information about this post and how Energy Solutions can help with your Electricity, Gas, or Water, click on the links, or check out the contact details at the bottom of the page.