A CFO gets an email from his CEO: She is traveling, but needs $10 million transferred to an account to finalize an acquisition.

The CFO knows a deal is in the works, so he approves the transfer.

Poof! The money is gone forever. It turns out a fraudster sent the email.

Farfetched? Hardly.

This trick — known as “business email compromise” (BEC) — accounted for more than $1.2 billion in stolen money between October 2013 and August 2015 alone, the FBI says.

Thieves typically use email phishing in BEC scams. Because the names of company executives are usually public, fraudsters search Facebook or LinkedIn for signs of upcoming travel, such as a speech at a conference. With the executive away, fraudsters can spoof that person's email address and send a financial request that sounds plausible.

I know this scenario sounds unlikely, but as a practice architect for CDW’s Security Solutions Practice, I’ve seen it happen, along with countless other types of phishing attacks.

When it comes to phishing, technology rarely matters. The deception focuses on the exploitation of human traits. User education serves as the best defense.

Poor Grammar No Longer a Red Flag

BEC succeeds, in part, because everyone, from executives to interns, has a conditioned belief that emails in their work inbox are safe and they inherently need to respond to such correspondence. If the message comes from a colleague or another known source, users assume it is trustworthy.

The traditional advice of simply not opening messages from strangers holds true. But as fake messages from known names increase, it is not enough.

The reason is simple: Email from fraudsters continues to grow in sophistication. Instead of low-res company logos, fraudulent messages include high-res images to give the appearance of legitimacy. Grammar, once an easy signal that an email was fake, now rivals that of most business communication between native speakers.

Phishing attacks also exploit common business tools. Outlook automatically renders a message’s HTML, so attackers embed an object in a logo or signature image that loads bot or malware code when the message is displayed — all with no clicking from the recipient.
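A defender-side illustration of that point, added here and not part of the original post or of CDW's material: a small Python scanner that parses a MIME message and flags the HTML constructs that execute or fetch resources merely because a client renders the body (object/embed/iframe/script tags, javascript: URIs, inline event handlers, remote images). The sample message, its domains and the set of flagged tags are constructed for this example; a mail gateway would apply the same check before delivery.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make a mail client run or fetch something on render alone.
ACTIVE_TAGS = {"object", "embed", "iframe", "script", "applet"}
# Attributes that can carry a resource reference (remote URL, data: or javascript: URI).
RESOURCE_ATTRS = {"src", "data", "href"}


class ActiveContentScanner(HTMLParser):
    """Collects findings about active or remotely loaded content in an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active-content:{tag}")
        if tag == "img":
            parsed = urlparse(attrs.get("src", ""))
            if parsed.scheme in ("http", "https"):
                # Remote image: fetched on render, can beacon that the mail was opened.
                self.findings.append(f"remote-image:{parsed.hostname}")
            elif parsed.scheme == "data":
                self.findings.append("inline-data-image")
        for name in RESOURCE_ATTRS & set(attrs):
            if attrs[name].strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript-uri:{tag}")
        for name in attrs:
            if name.startswith("on"):  # onload=, onerror=, ... run without a click
                self.findings.append(f"event-handler:{tag}.{name}")


def scan_message(raw: bytes) -> list[str]:
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
    return findings


def has_active_content(findings: list[str]) -> bool:
    """True when the body would execute or embed code on render, not just load an image."""
    return any(
        f.startswith(("active-content:", "javascript-uri:", "event-handler:"))
        for f in findings
    )


# Constructed sample: a spoofed "CEO" request with a tracking pixel and an embedded object.
SAMPLE_MESSAGE = b"""From: ceo@example.com
To: cfo@example.com
Subject: Wire transfer for acquisition
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please transfer the funds today, I am travelling.</p>
<img src="https://tracker.example.net/pixel.gif" alt="logo">
<object data="https://cdn.example.net/sig.swf"></object>
</body></html>
"""

if __name__ == "__main__":
    found = scan_message(SAMPLE_MESSAGE)
    print(found)                        # ['remote-image:tracker.example.net', 'active-content:object']
    print(has_active_content(found))    # True
```

The scanner deliberately separates a remote image (a privacy and reconnaissance signal) from active content (a code-execution signal), so a gateway can tag the former and quarantine the latter rather than treating every marketing logo as malware.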

Fraudsters also cast a wide net. A recent PhishMe blog post crunches the numbers on this strategy. “They know that if their phishing message has a typical 25 percent success (click) rate and they send 10 of these emails to employees of their target, they have a 94 percent statistical chance that at least one person will fall victim,” the post says.

Make Vigilance the Gold Standard

Luckily, businesses can protect themselves against phishing attacks with the right strategy. These simple tips can help defend your company’s assets and workforce from would-be fraudsters.

Create a secret handshake. Executives and managers can choose a non sequitur to use when approving something major, such as a six-figure wire transfer, via email. If the message doesn’t include that phrase, they’ll know to stop and call the colleague to confirm.

Keep a watchful eye. For all users, businesses should consider a robust anti-phishing education campaign that includes the ability to measure the results. Programs such as PhishMe Intelligence provide IT managers, CIOs and chief security officers with an aggregate view of the types of phishing attacks their employees fall for. Leaders can use that information to focus training efforts.

Instruct every employee. Users must also realize the severity of phishing. Some users believe they play such a minor role in a company that hackers won’t target them. This attitude opens back doors to fraudsters, providing another example of why successful anti-phishing strategies focus on humans rather than technology.

Keeping email safe is only one piece of the security puzzle. Learn how CDW can help you figure out where else to focus your security efforts through a security risk assessment.

8 thoughts on “The Secret Handshake and Other Anti-Phishing Tips”

  • Doc Holliday DDS says:

    This idea of a secret handshake is reminiscent of traditional, bulletproof and uncrackable hardware communication – pen and paper notes. Sometimes, the old methods work best.

  • How about never transferring money on the basis of an email. Just require a person to person telephone call to authorize it. Besides, for that amount of money, some prior coordination should have been in place.

  • Great advice for anyone, not only business executives. I was unaware of the sophistication as well as the depth of this issue. To think anyone would transfer 10 million to an unknown account seems unthinkable. I guess not! Thanks for educating all of us. The secret handshake is a great tactic.

  • John Brows says:

    Much better to use cryptographically signed e-mail (S/MIME) that guarantees the integrity and authorship of e-mails.

  • A-Razaque Ahmed says:

    Phishing is simple because organizations become complacent about security awareness and human behavior. They should constantly refresh their employees in awareness and conduct impromptu internal control tests as part of a compounding management review process.
