LBMC Technology Solutions’ network administration clients have reported being targeted, so we are continuing to create awareness and educate people about how to spot the scam and what to do about it.
What does this threat look like?
In this type of attack, the perpetrator usually assumes the identity of someone in a position of authority in the organization and sends email requests for privileged information or the transfer of assets outside the company. This is not a new tactic, but it is one that is becoming increasingly popular due to its success (for the scammer, that is).
In fact, according to the FBI, businesses have accumulated more than $2.3 billion in losses to targeted phishing attacks in three years.
The emails target employees in human resources, legal, accounting, finance, and other departments with urgent and seemingly innocent requests for W2 records, wire transfers, invoices, company credit card information, employees’ personal information, and more. With the request seemingly coming from an executive or an outside service provider who would naturally want that information, employees cooperate and unwittingly put the company at risk.
The main challenge is that these fraudulent emails look legitimate at first glance. The best thing that a company can do to help prevent becoming the victim of this kind of attack is to educate employees on the small oddities that can indicate a scam.
Telltale Signs of Spear Phishing
- The greeting seems off – If the sender typically refers to the recipient as “Andy,” but the email opens with, “Hello Andrew,” this should raise immediate suspicion.
- The tone is abnormal – Overly formalized wording, international spelling differences, or frequent typos are strong indicators that something is amiss. If the voice or tone of the email seems out of place, recipients should think twice.
- It’s an unusual request – If the CEO has never asked for a wire transfer to be made to a vendor before, this should prompt some skepticism on the part of the email recipient.
- There’s an inconsistency in the typical chain of command – For example, if the CEO does not request payroll information from the payroll manager and instead typically goes through the controller, the payroll manager should be suspicious about a request that is purported to be from the CEO.
Oftentimes, spear phishing attacks prey on the fact that employees want to please their boss and other people who may be perceived to be in positions of authority. The fear of not responding quickly enough, or even the thought of a pat on the back from a superior, can cloud employees’ judgment. Additionally, many employees simply aren’t aware of the most recent security threats and, as a result, don’t focus on remaining vigilant and critical.
Prevention is the Key
Since little can be done in most cases once the money or information is released, prevention is the strongest defense against this scam.
Given that the CFO’s team is typically responsible for cash disbursements as well as payroll and sometimes sensitive HR information, this group typically has an opportunity and an obligation to educate staffers about these threats and to put the necessary controls in place to prevent spear phishing attacks from being successful.
Here are four things CFOs can do to address spear phishing threats to their organizations:
1. Alert and educate employees. Awareness is one of the best protections against spear phishing. Regularly send notifications to staff members, especially those in HR, accounting, finance, legal, and other departments that have access to the information the bad guys would want. Explaining how these scams might target each respective department will give employees a better understanding of what’s at stake and how to keep an eye out for red flags.
2. Be aware of the latest spear phishing tactics. Staying up to date on this information will help a CFO figure out whether the company would be susceptible to new schemes. If the CFO feels the organization is exposed, they should go back to step 1 and ensure employees are aware of new and developing dangers.
3. Establish a safe culture for skepticism. Questions should be praised, not punished. Work on building an atmosphere in which employees feel comfortable and confident in questioning requests for sensitive information – even from higher-ups. Employees who aren’t afraid to question their superiors or bring up their suspicions are less likely to remain silent and fall victim to spear phishers.
4. Set up preventive controls with spear phishing in mind. Establish processes that make it impossible for an employee to act based only on a single email, even if it’s from someone who appears to be an executive. For example, require dual authorizations, or require emailed requests to be followed up with an oral confirmation.
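The fourth control above (dual authorization plus oral confirmation) is easy to state and easy to implement weakly. As an added illustration, not code from the original article or from LBMC or WatchGuard, the Python below models a disbursement-request gate that refuses to release funds unless two distinct people other than the requester have approved and the confirming call went to a phone number the organization already held for the requester, not one supplied in the email. The directory, employee ids, amounts and timestamps are constructed sample values; the 24-hour staleness limit is an assumption chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed directory of verified callback numbers, keyed by employee id.
# Assumption: this comes from the HR system of record, never from the email.
VERIFIED_DIRECTORY = {
    "ceo": "+1-555-0100",
    "controller": "+1-555-0101",
    "ap_clerk": "+1-555-0102",
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_CONFIRMATION_AGE = timedelta(hours=24)  # assumed policy value


def hours_ago(n: float) -> datetime:
    return NOW - timedelta(hours=n)


@dataclass
class DisbursementRequest:
    requester: str                          # who the email claims to come from
    amount: float
    payee: str
    authorizers: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None   # number actually dialled to confirm
    callback_at: Optional[datetime] = None


def release_allowed(req: DisbursementRequest, now: datetime = NOW) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Funds may move only if every control passes."""
    problems: List[str] = []

    # Control 1: dual authorization by two different people.
    distinct = set(req.authorizers)
    if len(distinct) < 2:
        problems.append("fewer than two distinct authorizers")
    # Separation of duties: the person who asked cannot also approve.
    if req.requester in distinct:
        problems.append("requester is also an authorizer")

    # Control 2: oral confirmation, and it must go to the number already on
    # file for the requester, not to a number supplied in the email itself.
    if req.callback_number is None or req.callback_at is None:
        problems.append("no oral confirmation recorded")
    else:
        if req.callback_number != VERIFIED_DIRECTORY.get(req.requester):
            problems.append("callback number is not the directory number for the requester")
        if now - req.callback_at > MAX_CONFIRMATION_AGE:
            problems.append("oral confirmation is older than 24 hours")

    return (not problems, problems)


def example_decisions():
    """Three constructed requests; returns {name: (allowed, reasons)}."""
    cases = {
        # An email alone, acted on by one person: the path the article warns about.
        "single_email": DisbursementRequest("ceo", 48000.0, "New Vendor LLC"),
        # Two approvers, but the clerk called the number written in the email.
        "callback_to_email_number": DisbursementRequest(
            "ceo", 48000.0, "New Vendor LLC",
            authorizers=["controller", "ap_clerk"],
            callback_number="+1-555-0199", callback_at=hours_ago(1)),
        # Two approvers and a callback to the directory number: allowed.
        "properly_confirmed": DisbursementRequest(
            "ceo", 48000.0, "New Vendor LLC",
            authorizers=["controller", "ap_clerk"],
            callback_number="+1-555-0100", callback_at=hours_ago(1)),
    }
    return {name: release_allowed(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in example_decisions().items():
        print(f"{name}: {'RELEASE' if ok else 'HOLD'} {why}")
```

The second scenario is the one worth pointing out to staff: both authorizations were present and a call was made, yet the gate still holds the payment because the confirmation went to a number that originated in the suspicious email. A control that only records "called to confirm" without checking where the number came from does not defeat the scam described above.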
The nature of spear phishing attacks will continue to evolve. CFOs must stay vigilant, educate the staff, and put protective processes in place. It is only a matter of time before the organization is targeted.
Richard Barber is chief financial officer at WatchGuard Technologies. For more than 15 years, he has served in executive-level finance roles for both public and private companies in the software, hardware, and high technology industries.