People continue to fall for email phishing scams with alarming regularity; in fact, 97% of respondents in a recent survey could not correctly identify one. However, most people are at least aware of email phishing, and internal company simulations and other phishing prevention software are helping to eliminate some incidents. Because of this, hackers are always looking to evolve their attack methods. Today, the newest way they’re claiming phishing victims is by weaponizing Slack, the slick communication platform that’s now valued at over $5 billion.
Slack Phishing Attacks: How They Work
Slack is a cloud-based team collaboration service similar to the instant messaging apps most people are familiar with. Unlike those apps, however, Slack allows people to communicate and send images and links to one another through channels that can be organized by team, topic, project, or whatever makes the most sense for each company.
If Slack is designed for internal teams, then how are hackers infiltrating it? Because it runs in a public cloud, hackers are always probing it for holes and other vulnerabilities. In the past, they would attempt to access Slack’s database to steal passwords and other information. But Slack upped its security, using multi-factor authentication and installing a team-wide password kill switch. In response, hackers have begun initiating Slack phishing scams. It’s rather genius, because most people associate phishing with email only. So, once a hacker gets in, it’s easy for them to dupe others within the channel.
Example of Recent Slack Phishing Attacks
The majority of Slack phishing scams are sent through direct messages or Slackbot reminders. These attacks were recently carried out across a number of blockchain and cryptocurrency companies. In 2017 alone, cybercriminals have made $225 million off these communities, with half of this amount stolen through phishing attacks affecting more than 30,000 individuals. A number of these Slack attacks involved a malicious actor sending reminders through a Slackbot posing as MyEtherWallet (MEW), a site for storing, sending, and receiving digital currency. The bot included a bogus link that, once clicked, gave hackers access to the victim’s MEW wallet, from which they were able to steal Basic Attention Tokens, or BATs.
“We are aware that open community teams related to cryptocurrency were targeted with deceptive spam messages,” said Slack’s public relations team. “Several of the affected teams have since disabled or deleted access to the offending user accounts. Online scams targeting open communities can be pervasive and we encourage team admins and members to be vigilant, and to review and enforce basic security measures.”
Without further action from Slack, however, is it really reasonable to expect teams to be vigilant on an application that they inherently trust—especially when they’re already being tasked with eyeballing their emails so closely?
How You Can Keep Slack Phish-Free
Phishing is no longer just an email security problem; it is a communication security problem, and it is growing. Conversations between users on Reddit offer an enlightening look at people’s issues with Slack phishing attacks, with one person stating they’ve been receiving phishing scams for months. So, to ensure the safety of your employees and your data, adopting a communication security platform is critical.
Clearedin anti-phishing solutions protect against phishing emails by red-flagging suspicious senders with a phishing alert; the solution disarms and locks the email so it cannot be replied to or forwarded until the recipient reviews why it has been flagged and determines whether it’s safe. Clearedin also keeps Slack safe by monitoring social circles and marking whether a new user in a channel can be trusted after getting permission from the community admin. In addition, Clearedin automatically deletes phishing links sent through direct messages or Slackbots; that’s one less interruption to your employees’ day.