These days, you can learn a lot about a person on the Internet. With so much information available online—via social media, industry and news publications, and corporate directories—it’s not all that difficult to determine where you work, your role at that company, and what kind of hobbies you have.
With this information being so easily accessible, it’s no wonder that it’s now being employed to target companies—at an increasingly alarming rate—to the tune of thousands of dollars in financial losses. This type of fraud, commonly referred to as “spear phishing,” takes advantage of seniority within a company to seek unauthorized access to confidential data, or in many cases, unauthorized access to company funds.
What does spear phishing look like?
Let’s say you work in your company’s accounting department, and your boss (or someone even higher up the corporate ladder) has just sent you an email to send a $30,000 wire transfer:
Hey John,
We’re moving forward on a new project, and I need to have you wire $30,000 to ABC Company. You’ll find their routing/account number below. Thanks for knocking this out! Also, congrats on the big win over the weekend. That quarterback of yours is a stud. Sic’em Bears!
That’s right. He congratulated you on your favorite football team’s big win. What a nice boss! So, you log into the bank’s website and initiate the wire transfer. Boom! Cross that off your to-do list.
The next day in a morning meeting, your boss asks you about the $30,000 debit showing in the account history. During your conversation, you quickly realize that he never actually sent an email to you. And, the funds are now long gone.
Email is becoming a less reliable form of communication
In some instances, spear phishing makes use of email spoofing. Spoofing is an attempt to make an email appear as if it came from someone other than the true originator. I won’t go too far into the details, but let’s just say that email spoofing isn’t all that hard to do.
And, spoofing becomes even more convincing when it is combined with what’s called “social engineering.” For example, in the email John received from his boss (actually the spoofer), his boss congratulated him on his alma mater’s “big win over the weekend.” This personal touch adds to its perceived authenticity. But, anyone with an Internet browser or Facebook account could probably figure out where John went to school.
So, knowing that spoofing isn’t all that difficult to do, let’s think about it this way. If you’re a hacker, why waste your time installing keylogging malware on a computer and waiting to capture that individual’s username and password? The hacker can bypass all this trouble by having the employee carry out the bulk of the fraud. After all, the bank is used to John sending wire transfers from his IP address.
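The signals a mail gateway or an alert reader can check on a message like John's, as an added example that is not part of the original post: the sender's address is compared against the company's own domain and an internal directory, a Reply-To that points somewhere other than the From address is flagged, and a body that asks for a payment with urgent wording is marked for call-back verification. The company domain, the directory entries, and the sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the company's own mail domain and a small
# name-to-address directory standing in for the corporate address book.
COMPANY_DOMAIN = "example.com"
DIRECTORY = {"Bob Boss": "bob.boss@example.com"}

PAYMENT_TERMS = ("wire", "transfer", "routing", "account number")
URGENCY_TERMS = ("asap", "today", "urgent", "right away", "end of day")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message):
    """Return a list of short indicator codes for one RFC 822 message.

    An empty list means none of the checks fired; it does not prove the
    message is genuine, which is why payment requests get their own code.
    """
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # Lookalike or outside domain claiming to be a colleague.
    if from_dom != COMPANY_DOMAIN:
        findings.append("external-domain")

    # Replies silently routed to a different mailbox than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # Display name matches a known person but the address does not.
    known = DIRECTORY.get(from_name)
    if known is not None and from_addr.lower() != known:
        findings.append("display-name-mismatch")

    # Any request to move money should trigger call-back verification.
    body = msg.get_payload().lower()
    if any(term in body for term in PAYMENT_TERMS):
        findings.append("payment-request")
    if any(term in body for term in URGENCY_TERMS):
        findings.append("urgency")

    return findings


# Constructed sample: the kind of message John received in the story.
SAMPLE_SPOOF = (
    "From: Bob Boss <bob.boss@examp1e.com>\n"
    "Reply-To: bobboss.ceo@webmail.example\n"
    "Subject: New project\n"
    "\n"
    "Hey John, I need you to wire $30,000 to ABC Company today. "
    "Routing/account number below. Thanks for knocking this out!\n"
)

# Constructed sample: an ordinary message from the real address on file.
SAMPLE_LEGIT = (
    "From: Bob Boss <bob.boss@example.com>\n"
    "Subject: Lunch\n"
    "\n"
    "Can we grab lunch tomorrow?\n"
)

if __name__ == "__main__":
    print("spoof :", spoof_indicators(SAMPLE_SPOOF))
    print("legit :", spoof_indicators(SAMPLE_LEGIT))
```

The checks are deliberately simple so that they are cheap to run on every inbound message; they are meant to decide which emails earn a phone call, not to replace one.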
Adapting your employee education & internal procedures
No doubt, the Internet makes us more efficient in the way we conduct our business and interact with customers. But, the inter-connectivity and impersonal nature of online communications also makes companies susceptible to new types of crime.
Here are a few steps businesses should take to combat spear phishing:
Employee Training
Ensure employees have a high level of awareness of spear phishing and other cyber security threats. When employees receive emails requiring them to input sensitive information, click on links, or download files, have them ask the following questions:
- Who is the sender? Can the employee verify that it definitely came from that person, and is it someone from whom they would expect to receive emails on this subject?
- Is the style of writing consistent with the sender’s style of writing? Does anything appear unusual about the tone, spelling or urgency of the email?
- Is the request out of the ordinary?
- Have other staff members received a similar email?
Internal Procedures
The best safeguard—especially when the communication involves financial transactions (such as wire transfers)—is to pick up the phone and give the email’s sender a call. If the sender is at lunch, wait to take action on the email until they’ve returned and you’ve had the chance to speak with them.
Incorporate call-back verification into your internal procedures, and make sure those procedures include not just employee-to-employee communications, but also resellers, distributors and vendors with whom you have a pre-existing corporate relationship.
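The call-back rule above expressed as a release gate, as an added example that is not part of the original post or the bank's own procedure: a wire request is only released when the requester was confirmed by phone on the number already in the company's directory (never a number taken from the email itself), and, going slightly beyond the text, when the payee's routing and account numbers match what is on file for that vendor. The directory, vendor records, and requests below are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Assumptions for this example: phone numbers and vendor bank details the
# company already holds, standing in for its real directory and vendor master.
PHONE_DIRECTORY = {"bob.boss@example.com": "+1-555-0100"}
VENDOR_ACCOUNTS = {"ABC Company": ("021000021", "123456789")}


@dataclass
class WireRequest:
    requester_email: str          # who the email claims sent the request
    payee: str
    routing: str
    account: str
    amount: float
    callback_number: Optional[str]  # number actually dialed to confirm, if any
    confirmed: bool                 # requester confirmed the request by phone


def release_decision(req: WireRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons is empty only when release is allowed."""
    reasons = []

    on_file = PHONE_DIRECTORY.get(req.requester_email.lower())
    if on_file is None:
        reasons.append("requester-not-in-directory")
    elif req.callback_number != on_file:
        # A number supplied in the email may ring the fraudster.
        reasons.append("callback-not-to-number-on-file")
    elif not req.confirmed:
        reasons.append("not-confirmed-by-phone")

    known = VENDOR_ACCOUNTS.get(req.payee)
    if known is None:
        reasons.append("payee-not-on-file")
    elif known != (req.routing, req.account):
        # "Our bank details changed" is a classic pretext; hold it for review.
        reasons.append("account-differs-from-file")

    return (not reasons, reasons)


# Constructed sample: the story's request, account details taken from the email.
FROM_EMAIL = WireRequest("bob.boss@example.com", "ABC Company",
                         "021000021", "999999999", 30000.0, None, False)

# Constructed sample: the same payee after a call-back to the directory number.
VERIFIED = WireRequest("bob.boss@example.com", "ABC Company",
                       "021000021", "123456789", 30000.0, "+1-555-0100", True)

if __name__ == "__main__":
    print(release_decision(FROM_EMAIL))
    print(release_decision(VERIFIED))
```

The point of the structure is that the two inputs that decide release, the phone number and the bank details, both come from records the company held before the email arrived, so nothing the attacker writes can satisfy the gate.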
In today’s world, protecting your company’s information requires constant attention and employee education. If you’d like to have additional cyber security tips sent to your inbox, I’d invite you to subscribe to our blog.
About the Author
Rusty Haferkamp is the chief information officer for Central National Bank. In his spare time, he enjoys being outdoors, hunting, fishing, and spending time with his wife and two young daughters.