In a recent report, the Federal Bureau of Investigation warned that a type of spear phishing attack known as “CEO email scams” is on the rise. In those kinds of attacks, the perpetrator usually assumes the identity of someone in a position of authority and sends email requests for privileged information or the transfer of assets outside the company. It’s not a new tactic, but it is one that is becoming increasingly popular; according to the FBI, businesses have racked up more than $2.3 billion in losses to targeted phishing attacks since 2013.
The main challenge is that these fraudulent emails look legitimate at first glance. They target employees in human resources, legal, accounting, finance, and other departments with seemingly urgent and innocent requests for W-2 records, wire transfers, invoices, company credit card information, employees’ personal information, and more. Because the asks are plausible and the sender appears to be an executive or an outside service provider who would naturally want that information, employees cooperate and unwittingly put the company at risk.
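The cues a practitioner would look for in such a message are mechanical enough to check automatically: a display name that matches an executive but a mailbox that does not, a sender domain that is a near-miss of the company's own, a Reply-To that steers answers elsewhere, and the request itself (W-2s, wire transfers, card details) arriving from outside with urgency language. The following is an added example written for this article, not code from the original piece or from WatchGuard; the company domain, the executive directory, the phrase list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the company's real domain and a small directory
# of executives (normalized name -> their real mailbox). Both are made up.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}

# Phrases typical of the asks described above, plus urgency cues. Ordered so
# the longer alternative ("wire transfer") is tried before "wire".
URGENT_ASK = re.compile(
    r"\b(wire transfer|wire|w-?2s?|credit card|gift cards?|urgent|asap|"
    r"right away|confidential)\b",
    re.I,
)


def _normalize(name):
    """Lower-case a display name and drop punctuation so 'Doe, Jane' still compares."""
    return " ".join(name.lower().replace(",", " ").replace(".", " ").split())


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw):
    """Return (risk, reasons) for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    reasons = []

    # 1. The display name is an executive's, but the mailbox is not theirs.
    expected = EXECUTIVES.get(_normalize(display))
    impersonated = bool(expected) and from_addr.lower() != expected
    if impersonated:
        reasons.append(f"display name '{display}' but sender is {from_addr}")

    # 2. The sender domain is a near-miss of ours or embeds our name.
    if from_dom and from_dom != COMPANY_DOMAIN:
        label = COMPANY_DOMAIN.split(".")[0]
        if _edit_distance(from_dom, COMPANY_DOMAIN) <= 2 or label in from_dom:
            reasons.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To goes to {reply_addr}, not the sender's domain")

    # 4. The request: money, payroll data or card details, with urgency,
    #    coming from outside the company.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    asks = sorted({m.lower() for m in URGENT_ASK.findall(text)})
    if asks and from_dom != COMPANY_DOMAIN:
        reasons.append(f"external sender asking about: {', '.join(asks)}")

    if impersonated or len(reasons) >= 2:
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return risk, reasons


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: payroll@example.com
Subject: Urgent: W-2 records for all employees

Please send the W-2 records for every employee today. I need them asap
for an audit call. Keep this confidential.
"""

GENUINE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board deck review

Can you look over the numbers in the attached deck before Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        risk, reasons = assess(sample)
        print(label, risk, reasons)
```

None of these checks is proof on its own; a real vendor writing from its own domain about an invoice will trip the fourth one. The point is that the combination that defines a CEO scam (executive's name, foreign mailbox, redirected replies, urgent request for money or payroll data) is visible in headers that the recipient rarely looks at, and a filter or a trained employee can be taught to look there before acting.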
The best thing a company can do to avoid becoming the victim of this kind of attack is to educate employees.
Often, spear phishing attacks prey on the fact that employees want to please their boss and other people perceived to be in positions of authority. The fear of not responding quickly enough to an executive, or the pleasant prospect of a pat on the back from a superior, can cloud employees’ judgment and stop them from raising concerns and asking the right questions when faced with a suspect email request. Additionally, many employees simply aren’t aware of the most recent security threats and, as a result, don’t make a point of remaining vigilant and critical.
Given that the CFO’s team is typically responsible for cash disbursements as well as payroll, and sometimes for sensitive HR information, it has both an opportunity and an obligation to educate staffers about these threats and to put the necessary controls in place so that spear phishing attacks do not succeed.
Here are four things CFOs can do to address spear phishing threats to their organizations:
The nature of spear phishing attacks will continue to evolve. If a CFO has not yet addressed spear phishing threats in their organization, I strongly suggest they do so right away, as it is only a matter of time before the organization is targeted.
Richard Barber is chief financial officer at WatchGuard Technologies. Throughout the past 15 years, he has served in executive-level finance roles for both public and private companies in the software, hardware, and high technology industries.