In a recent report, the Federal Bureau of Investigation warned that a type of spear phishing attack known as “CEO email scams” is on the rise. In those kinds of attacks, the perpetrator usually assumes the identity of someone in a position of authority and sends email requests for privileged information or the transfer of assets outside the company. It’s not a new tactic, but it is one that is becoming increasingly popular; according to the FBI, businesses have racked up more than $2.3 billion in losses to targeted phishing attacks since 2013.

The main challenge is that these fraudulent emails look legitimate at first glance. They target employees in human resources, legal, accounting, finance, and other departments with seemingly urgent and innocent requests for W2 records, wire transfers, invoices, company credit card information, employees’ personal information, and more. With fairly believable asks being made by a sender that appears to be an executive or an outside service provider who would naturally want that information, employees end up cooperating and unwittingly put the company at risk.

Rich Barber

The best thing a company can do to avoid becoming the victim of this kind of attack is to educate its employees.

Telltale Signs of Spear Phishing

  1. The greeting seems off – If the sender typically refers to the recipient as “Andy,” but the email opens with, “Hello Andrew,” this would be an immediate red flag.
  2. The tone is abnormal – Overly formalized wording, international spelling differences, or frequent typos that seem out of character are all strong indicators that something isn’t right. If the voice or tone of the email seems out of place, recipients should think twice.
  3. It’s an unusual request – If the CEO has never requested a wire transfer be made to a vendor before, this should pique some skepticism on the part of the email recipient.
  4. There’s an inconsistency in the typical chain of command – For example, if the CEO does not request payroll information from the payroll manager and instead typically goes through the controller, the payroll manager should be suspicious about a request that is purported to be from the CEO.

Oftentimes, spear phishing attacks prey on the fact that employees want to please their boss and other people who may be perceived to be in positions of authority. The fear of not responding quickly enough to an executive, or the pleasant notion of a pat on the back from a superior, can cloud employees’ judgment and prevent them from raising concerns and asking the right questions when faced with a suspect email request. Additionally, many employees simply aren’t aware of the most recent security threats and, as a result, don’t focus on remaining vigilant and critical.

An Ounce of Prevention

Given that the CFO’s team is typically responsible for cash disbursements as well as payroll and sometimes sensitive HR information, it typically has an opportunity and an obligation to educate staffers about these threats and put the necessary controls in place to prevent spear phishing attacks from being successful.

Here are four things CFOs can do to address spear phishing threats to their organizations:

  1. Alert and educate employees. Awareness is one of the best protections against spear phishing. Regularly send notifications to staff members, especially those in HR, accounting, finance, legal, and other departments that have access to the information the bad guys would want. Explaining how spear phishing scams might target each respective department will give employees a better understanding of what’s at stake and how to keep an eye out for red flags.
  2. Be aware of the latest spear phishing tactics. Staying up to date on this information will help a CFO figure out whether the company would be susceptible to new schemes. If the CFO feels the organization is exposed, he or she should go back to #1 and ensure employees are aware of new and developing dangers.
  3. Establish a safe culture for skepticism. Questions should be praised, not punished. Work on building an atmosphere in which employees feel comfortable and confident in questioning requests for sensitive information – even from higher-ups. Employees who aren’t afraid to question their superiors or bring up their suspicions are less likely to remain silent and fall victim to spear phishers.
  4. Set up preventive controls with spear phishing in mind. Establish processes that would make it impossible for an employee to act based only on a single email, even if it’s from someone who appears to be an executive. For example, require dual authorizations or require emailed requests to be followed up with an oral confirmation.

The nature of spear phishing attacks will continue to evolve. If a CFO has not yet addressed spear phishing threats in their organization, I strongly suggest they do so right away, as it is only a matter of time before the organization is targeted.

Richard Barber is chief financial officer at WatchGuard Technologies. Throughout the past 15 years, he has served in executive-level finance roles for both public and private companies in the software, hardware, and high technology industries.


2 responses to “Modern Spear Phishing is a Security Wake-Up Call”

  1. With all due respect, the advice in this article misses the correct technical solution and instead suggests training people which is proven to be ineffective (at best a 10% impact). To eliminate these types of “impersonation attacks” – where the sender pretends to be the CEO/CFO/etc, the company should adopt DMARC (email authentication). This eliminates impersonation attacks 100%. What this article seems to suggest is similar to saying that instead of using Watchguard’s firewalls, people should instead manually cull through incoming connections to figure out what is good/bad – clearly a bad idea. 😉

    • DMARC, DKIM, and SPF don’t prevent spear phishing. How do I know? Because I’ve implemented them. We still get spear phishes incoming at regular intervals.

      The senders use email addresses that are one character off the “real” address, and “friendly names” identical to the ones used by the CFO and CEO.

      Since our organization STUPIDLY uses an abomination called Microsoft Outlook, which elides email addresses in favor of “friendly names”, this is invisible to end users. Even if they hover over the friendly name, they are not necessarily going to notice a one-character difference in address, unless they’ve been specifically trained to do so.

      Only attention to detail stops spear phishing. Training helps create that.
