Earlier this year, the CFO of a company I work with opened an urgent email from his boss, the CEO, whom we’ll call Sally. The CEO was out on the golf course and had forwarded a vendor inquiry to the CFO, whom we’ll call Harry. In the message, the vendor asked Sally when it would receive payment for an overdue invoice. Sally had simply added a single line to the top of the message: “Why hasn’t this been paid? Let’s resolve ASAP.”
Harry found no record of the invoice in the company’s system but recognized the urgency in Sally’s note. These one-line emails were the hallmark of when she was angry and there was no worse time to get her upset than when she was out on the golf course. Harry rushed the invoice through the system and replied to Sally that the invoice was being paid immediately by wire transfer. Thirty minutes later, the transfer was complete, and the $185,000 invoice was paid.
Harry bumped into Sally later that afternoon and told her that everything was resolved. Sally had no idea what Harry was talking about. It was at that moment that Harry realized that he had fallen victim to a spear phishing attack. The money was long gone.
The Next Step After Being Victimized
Sally brought in CDW to help investigate the incident and improve the company’s security controls. After some digging, we found that an outside attacker had compromised Sally’s email account by finding her email address, and the password paired with it, in a credential dump from an unrelated online shopping website. Sally used the same password for her work email and this site, so the leaked credentials worked against her corporate mailbox. The attacker had been monitoring her email for months, learning Sally’s communication style and the people she regularly worked with. The attacker also watched her calendar, waiting for the right moment to strike. Sally’s golf outing seemed to be the perfect opportunity, and it worked.
We can all learn from stories like this one. Here are a few tips that can help firms across industries shore up their security controls to protect against similar spear phishing attacks:
- Implement enhanced security awareness training. Most firms already have some type of security training, but many are woefully out of date. Modern awareness training programs should incorporate simulated phishing attacks. Users who fall victim to an attack should be sent directly into a training program to help them improve their phishing-detection skills.
- Use password vaults. CDW provides employees with access to the Keeper password vault for both personal and private use. These programs encourage the use of unique passwords for every account a user possesses — and keep corporate credentials out of password dumps.
- Update business processes. Sensitive business processes, such as financial transactions and human resources actions, should always follow formal processes, without exception. Accounts payable teams should never process financial transactions received by phone or email and instead rely on a consistent, reliable invoice intake and validation procedure.
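To make the third tip concrete, here is an added example of what a formal invoice intake check can look like in code; it is illustrative code written for this post, not CDW’s or the firm’s system. It assumes a vendor master list and a purchase-order register (both constructed below), rejects anything that arrived by email or phone, and goes one step beyond the tip above by also comparing the invoice’s beneficiary account with the account on file for the vendor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records standing in for the ERP's vendor master and PO register.
@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str      # account on file, verified out of band when the vendor was onboarded

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    amount_cents: int      # integer cents avoids floating-point rounding surprises

@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    po_number: Optional[str]
    amount_cents: int
    bank_account: str
    channel: str           # "portal", "email" or "phone" (how the request reached AP)

VENDORS: Dict[str, Vendor] = {"V100": Vendor("V100", "Acme Supplies", "ACME-ACCT-001")}
POS: Dict[str, PurchaseOrder] = {"PO-2024-001": PurchaseOrder("PO-2024-001", "V100", 1_250_000)}

def validate_invoice(inv: Invoice, vendors: Dict[str, Vendor],
                     pos: Dict[str, PurchaseOrder]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control is listed so AP can see why."""
    reasons: List[str] = []
    if inv.channel in ("email", "phone"):
        reasons.append("request arrived by email/phone; must come through invoice intake")
    vendor = next((v for v in vendors.values() if v.name == inv.vendor_name), None)
    if vendor is None:
        reasons.append("vendor not in vendor master")
    po = pos.get(inv.po_number) if inv.po_number else None
    if po is None:
        reasons.append("no matching purchase order")
    else:
        if vendor is not None and po.vendor_id != vendor.vendor_id:
            reasons.append("purchase order belongs to a different vendor")
        if po.amount_cents != inv.amount_cents:
            reasons.append("invoice amount does not match purchase order")
    if vendor is not None and inv.bank_account != vendor.bank_account:
        reasons.append("beneficiary account differs from vendor master")
    return (not reasons, reasons)

# Constructed invoice shaped like the one in the story: $185,000, forwarded by email,
# no PO and no vendor record.
FORWARDED_INVOICE = Invoice("Globex Consulting", None, 18_500_000, "UNKNOWN-ACCT", "email")
```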
CDW worked with Sally’s firm to implement all three of these security controls, and the company saw a marked improvement in its approach to cybersecurity. When CDW first ran a simulated phishing attack, 80 percent of employees receiving the messages clicked on the fake phishing link.
The repeated use of these tests and remedial training worked: In the most recent test, fewer than 12 percent of employees fell victim to the attack, and many reported the attempted phishing message to the IT team, allowing the security team to stop the attackers in their tracks.