In a recent report, the Federal Bureau of Investigation warned that a type of spear phishing attack known as “CEO email scams” is on the rise. In those kinds of attacks, the perpetrator usually assumes the identity of someone in a position of authority and sends email requests for privileged information or the transfer of assets outside the company. It’s not a new tactic, but it is one that is becoming increasingly popular; according to the FBI, businesses have racked up more than $2.3 billion in losses to targeted phishing attacks since 2013.
The main challenge is that these fraudulent emails look legitimate at first glance. They target employees in human resources, legal, accounting, finance, and other departments with seemingly urgent and innocent requests for W2 records, wire transfers, invoices, company credit card information, employees’ personal information, and more. With fairly believable asks being made by a sender that appears to be an executive or an outside service provider who would naturally want that information, employees end up cooperating and unwittingly put the company at risk.
The best thing that a company can do to help prevent becoming the victim of this kind of an attack is to educate employees.
Telltale Signs of Spear Phishing
- The greeting seems off – If the sender typically refers to the recipient as “Andy,” but the email opens with, “Hello Andrew,” this would be an immediate red flag.
- The tone is abnormal – Overly formalized wording, international spelling differences, or frequent typos that seem out of character are all strong indicators that something isn’t right. If the voice or tone of the email seems out of place, recipients should think twice.
- It’s an unusual request – If the CEO has never requested a wire transfer be made to a vendor before, this should pique some skepticism on the part of the email recipient.
- There’s an inconsistency in the typical chain of command – For example, if the CEO does not request payroll information from the payroll manager and instead typically goes through the controller, the payroll manager should be suspicious about a request that is purported to be from the CEO.
Often times, spear phishing attacks prey on the fact that employees want to please their boss and other people who may be perceived to be in positions of authority. The fear of not responding quickly enough to an executive or the pleasant notion of a pat on the back from a superior can cloud employees’ judgment and prevent them from raising concerns and asking the right questions when faced with a suspect email request. Additionally, many employees simply aren’t aware of the most recent security threats and as a result, don’t focus on remaining vigilant and critical.
An Ounce of Prevention
Given that the CFO’s team is typically responsible for cash disbursements as well as payroll and sometimes sensitive HR information, it typically has an opportunity and an obligation to educate staffers about these threats and put the necessary controls in place to prevent spear phishing attacks from being successful.
Here are four things CFOs can do to address spear phishing threats to their organizations:
- Alert and educate employees. Awareness is one of the best protections against spear phishing. Regularly send notifications to staff members, especially those in HR, accounting, finance, legal, and other departments that have access to the information the bad guys would want. Explaining how spear phishing scams might target each respective department will give employees a better understanding of what’s at stake and how to keep an eye out for red flags.
- Be aware of the latest spear phishing tactics. Staying up to date on this information will help a CFO figure out whether his or her company would be susceptible to new schemes. If the CFO feels the organization is exposed, they should go back to #1 and ensure employees are aware of new and developing dangers.
- Establish a safe culture for skepticism. Questions should be praised, not punished. Work on building an atmosphere in which employees feel comfortable and confident in questioning requests for sensitive information – even from higher-ups. Employees who aren’t afraid to question their superiors or bring up their suspicions are less likely to remain silent and fall victim to spear phishers.
- Set up preventive controls with spear phishing in mind. Establish processes that would make it impossible for an employee to act based only on a single email, even if it’s from someone who appears to be an executive. For example, require dual authorizations or require emailed requests to be followed up with an oral confirmation.
The nature of spear phishing attacks will continue to evolve. If a CFO has not yet addressed spear phishing threats in their organization, I strongly suggest they do so right away, as it is only a matter of time before the organization is targeted.
Richard Barber is chief financial officer at WatchGuard Technologies. Throughout the past 15 years, he has served in executive-level finance roles for both public and private companies in the software, hardware, and high technology industries.