Information life cycle [CISMP]
Agent Smith 5: Privacy Laws, GDPR and DPA

This course will explore the necessary steps to take at each part of the information life cycle.


Voiceover: Smith has been enjoying a late lunch in the office canteen, but there is work ahead of them still. They're on the lookout for physical documents they can exploit and, while walking the second floor, they find more than they were bargaining for: an open room full of filing cabinets. With a glance over their shoulder, they slip in. Smith quickly works their way through many useless documents until they find a new employee file. It turns out that there is a new recruit working on payroll, Jenny. Another file gives Smith all the information they could ever want about the financial director, including their name, address, phone number, staff number, email addresses, next of kin, emergency contact, and mother's maiden name. This could be used to reset their passwords. Smith leaves the filing area, into a breakout room. Spoofing the email address of the financial director is a piece of cake, and within a few minutes, Smith has sent a clone-phishing attack, a man-in-the-middle attack using their credentials, targeting Jenny, asking her to make a payment. Smith then follows this up by calling Jenny and pretending to be the financial director. Smith demands that Jenny makes the payment, claiming it's business critical. Jenny is new to the company and doesn't want to let the director down, so makes the payment. 


Mark: So, the hacker got unauthorised access into an open office. He's found a physical cabinet which has had a broken lock, which is-, unfortunately is a very common occurrence in some HR departments. He's got access to that HR department, he's found records relating to a financial person, a new person, he's got-, elicited that information from that, and he is obviously looking-, 'oh, she's in the finance department'. He's now of the mind that he's going to send an email within the company, so he's gonna do a clone-phishing email attempt, which is a man-in-the-middle type of attack, to her. So, he sends that email to the lady. And then, pausing at this little bit, he makes a phone call to her as well to add weight to this type of attack. Now, this is quite a common attack and this attack is happening more and more. Deepfake, a lot of people have probably heard of the application, which is where you can simulate someone's voice based on some of the words they say, and this has been used a lot in successful attacks of this type of nature because it sounds like it's the person that you're listening to has actually put-, reconstructed the words together to launch that attack. So, then, the payment is then authorised. And that's what's happened in this situation. 


So, this scenario, so the hacker has got unauthorised access. So, how can you prevent that? Back to training and awareness situations. So, we obviously talk about training and awareness. Clear-desk policies, obviously, would feature into this. We could do a penetration test to see if any assets are being left out. You know, people leaving papers on desks. Usually, you'll find people's passwords either stuck on the monitor or under the keyboard. Or, you find broken-, the cabinets or desks where you find quite interesting and sensitive information. So, I know-, I know that for a fact because my boss did that, left his information lying around. And people could easily, quite, find it. Very easy to do that. Obviously, a clear-desk policy would stop that happening and, obviously, making sure all the locks are working correctly. If they're not, then the data or the documents should not be left in that-, in that room. It should be moved to a more secure location to stop that type of attack happening in the first place. In terms of the phishing and the clone-phishing attack, that can only be through training and awareness. It's gonna be hard for people, but if they-, if they hear about it and learn, they may ask more questions which might defeat this type of attack in the first place. 

