Spear phishing has become great sport for cyber criminals. It offers a simple but highly effective cyber attack vector that takes advantage of the most vulnerable of prey – humans!
Unlike regular phishing emails, which are sent out in great numbers to victims who have no relationship to each other, spear phishing emails are highly targeted and sent to only a few select victims at a specific organization; for example, select employees working in a particular department at a particular company.
The Federal Bureau of Investigation warned of a dramatic rise of a form of spear phishing known as a “business email compromise” or “CEO imposter” scam. Hackers send emails posing as a company executive – often, a CEO – and ask users to provide sensitive information or initiate wire transfers. The number of victims of CEO phishing scams has risen by 270% since January 2015, totaling $2.3 billion in losses to 17,642 organizations.
In some cases, the hackers first phish the targeted CEOs themselves, tricking them into providing their login credentials so that the hackers can send emails directly from their inbox – and possibly use the same credentials to log in to other company systems. In others, hackers send emails from spoofed mailboxes with domains that are very similar to the company’s domain; instead of abccompany.com, the reply-to address may be abcc0mpany.com or abccompany.co. CEO phishers perform research before launching their attack; hackers examine the target company’s website and social media networks and learn about the company’s employees, their positions and responsibilities within the company, even their personal interests and hobbies – anything that they could use to make the phishing email look more genuine.
CEO phishing scams have targeted for-profit businesses and non-profit organizations of all sizes and in all industries, including the Milwaukee Bucks NBA franchise, toy manufacturer Mattel and hospital chains.
5 Ways to Prevent CEO Spear Phishing
Organizations cannot depend on email spam filters to prevent CEO phishing. While spam filters intercept most regular phishing emails, CEO imposter emails often bypass them because only a few emails are sent at a time, and they do not contain wording that spam filters pick up on (like “porn”). Hackers take time to make them look like legitimate business correspondence.
Like regular phishing, spear phishing, including CEO phishing, takes advantage of human vulnerabilities. Organizations can mitigate these vulnerabilities and prevent attacks by doing the following:
1. Train Employees to Recognize the Telltale Signs of Phishing Emails
Although CEO phishers go to great lengths to make their emails look legitimate, many attacks originate overseas, with the emails composed by hackers who are not fluent in English. As a result, the email may use British spelling, contain punctuation, spelling, or grammar errors, or be worded oddly. The salutation or the closing may also be off; an employee of Main Line Health noticed the fraud because the fake email was signed “John Lynch” – and the employee knew that Mr. Lynch went by “Jack.” Employees should also be trained to proofread reply-to addresses and look out for spoofed domains that are only slightly different from the company’s actual domain.
2. Establish Strict Protocols for Wire Transfers, Payments, and the Release of Sensitive Information
The Mattel loss occurred because wire transfers required only the approval of two high-level managers – of which the targeted finance employee was one, and the CEO was the other. The FTC recommends implementing a payment system that requires a purchase order that is approved by both a manager and a finance officer; a multi-person approval process for transactions exceeding a certain dollar amount; and phone verification of all fund transfer requests and any changes to vendor payment information. Likewise, the release of employee W-2 data and other sensitive information should be subject to the approval of multiple parties and a verification process that ensures the party requesting it has the legal right and a legitimate reason to access it. Further, company policy should prohibit highly sensitive information – whether bank account numbers or employee Social Security Numbers – from being transmitted via email.
3. Be Careful of What’s Posted on Company Websites and Social Media
Because CEO phishers scour company websites and social media networks for personal information on executives and employees – and information about the company’s activities, such as new clients and new markets – businesses should be cautious about what they post publicly on the web. Likewise, organizations should educate their employees on the dangers of posting too much information on their personal sites, as a hacker looking to launch a CEO phishing attack may examine employees’ personal social media feeds as well.
4. Conduct Regular Penetration Testing
Organizations should have their internal security staff – or enlist the services of a managed security services provider (MSSP) – conduct regular penetration tests aimed specifically at social engineering techniques such as phishing. These tests involve “good guys” sending “phishing” emails to employees and executives to see if they click on them or report them. The results can be used for employee education and, if necessary, for restricting the system access of certain users.
5. Encourage Healthy Skepticism
One of the human vulnerabilities CEO phishers exploit is employee desire to please bosses – especially the CEO. Employees should be encouraged to ask questions about any requests that seem “off,” even if the request appears to have come from the CEO or another top executive. Establishing strict and specific authentication protocols helps with this; if employees know what the company’s protocol is, they are better able to recognize requests that do not appear to follow it. But, that will never work 100%, so organizations need endpoint protection in concert with content monitoring/filtering. Companies like Cyphort can monitor email traffic and correlate it with malicious URL detection and can block a user’s ability to even visit a site that may appear in their email system. Firewalls that utilize cloud based security analysis can also protect users when they click a URL contained in an email.
Most companies don’t enforce content filtering for remote workers or people utilizing their own equipment when accessing corporate resources. This is another new arena that companies are going to have to figure out how to tackle…ensuring that employees are protected even when they are on their own devices on their own networks.
Because technology is continually evolving, and hackers never stop looking for vulnerabilities that can be exploited, an organization’s cyber security efforts are never complete. Many organizations find they simply cannot handle all of their cyber security needs internally, which is why partnering with an MSSP is a wise investment. Managed security service providers live and breathe cyber security and can help organizations stay on top of the latest threats, including CEO phishing, by supplementing an organization’s existing staff or even providing a dedicated on-site security team.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.