A CFO gets an email from his CEO: She is traveling, but needs $10 million transferred to an account to finalize an acquisition.
The CFO knows a deal is in the works, so he approves the transfer.
Poof! The money is gone forever. It turns out a fraudster sent the email.
Thieves typically use email phishing in business email compromise (BEC) scams. Because the names of company executives are usually public, fraudsters search them on Facebook or LinkedIn to find upcoming travel, such as a speech at a conference. With the executive away and hard to reach, fraudsters spoof the executive's email address and send a financial request that sounds plausible.
I know this scenario sounds unlikely, but as a practice architect for CDW’s Security Solutions Practice, I’ve seen it happen, along with countless other types of phishing attacks.
When it comes to phishing, technology rarely matters. The deception targets human traits rather than technical flaws, so user education serves as the best defense.
Poor Grammar No Longer a Red Flag
BEC succeeds, in part, because everyone, from executives to interns, has been conditioned to believe that email in their work inbox is safe and must be answered. If a message appears to come from a colleague or another known source, users assume it is trustworthy.
The traditional advice of simply not opening messages from strangers holds true. But as fake messages from known names increase, it is not enough.
The reason is simple: Email from fraudsters continues to grow in sophistication. Instead of low-res company logos, fraudulent messages include high-res images to give the appearance of legitimacy. Grammar, once an easy signal that an email was fake, now rivals that of most business communication between native speakers.
Phishing attacks also exploit common business tools. Outlook renders a message's HTML automatically, so attackers embed a remote image or other object in a logo or signature picture. Simply opening the message can trigger the fetch, which confirms to the attacker that the address is live, and, where the rendering component has a flaw, can deliver malware with no clicking from the recipient. Outlook blocks automatic download of external content by default; that setting should stay on.
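The mechanism above (remote images and objects that load when the HTML is rendered) can be checked for before a message ever reaches a client. The following script is an added example written for this post, not CDW's or PhishMe's code: it parses an HTML mail body, lists every tag that pulls a remote resource, flags 1x1 tracking pixels, and reports whether each resource host lies outside the sender's domain. The sample message, the domains example.com and example.net, and the function names are all constructed for the illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish). The "signature" carries an
# inline cid: logo (harmless), a remote 1x1 tracking pixel and a remote <object>.
SAMPLE_EML = """\
From: "A. Executive" <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire for acquisition
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please wire the $10M today, I am boarding a flight.</p>
<img src="cid:logo-internal" alt="logo">
<img src="https://tracker.example.net/pixel.gif?id=cfo" width="1" height="1">
<object data="https://cdn.example.net/sig.swf" type="application/x-shockwave-flash"></object>
</body></html>
"""


class RemoteRefParser(HTMLParser):
    """Collects tags whose src/data attribute points at a remote resource."""

    # tag -> attribute that names the resource it loads
    REMOTE_ATTRS = {"img": "src", "object": "data", "embed": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.REMOTE_ATTRS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        url = a.get(attr_name) or ""
        parsed = urlparse(url)
        if parsed.scheme.lower() in ("http", "https"):
            # 0/1-pixel dimensions are the classic signature of a tracking pixel
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append(
                {"tag": tag, "url": url, "host": (parsed.hostname or "").lower(),
                 "tracking_pixel": tiny}
            )
        elif tag in ("object", "embed", "iframe"):
            # Non-remote objects/frames are still unusual in mail; flag them too
            self.findings.append(
                {"tag": tag, "url": url, "host": "", "tracking_pixel": False}
            )


def scan_message(raw: str) -> dict:
    """Return the sender domain and every remote reference found in the HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    body = msg.get_body(preferencelist=("html",))
    findings = []
    if body is not None:
        parser = RemoteRefParser()
        parser.feed(body.get_content())
        findings = parser.findings
    for f in findings:
        host = f["host"]
        # Off-site: the resource is served from a host outside the sender's domain
        f["offsite"] = bool(host) and not (host == from_domain or host.endswith("." + from_domain))
    return {"from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    report = scan_message(SAMPLE_EML)
    print("sender domain:", report["from_domain"])
    for f in report["findings"]:
        print(f"<{f['tag']}> {f['url']}  pixel={f['tracking_pixel']}  offsite={f['offsite']}")
```

A gateway rule that quarantines or rewrites messages with off-site objects and tracking pixels removes the zero-click fetch entirely; it does not replace blocking remote content in the client, which is the setting that actually stops the render.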
Fraudsters also cast a wide net. A recent PhishMe blog post crunches the numbers on this strategy. “They know that if their phishing message has a typical 25 percent success (click) rate and they send 10 of these emails to employees of their target, they have a 94 percent statistical chance that at least one person will fall victim,” the post says.
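The figure in the quote follows from the complement rule; this short derivation is added here and is not part of the PhishMe post. With a per-recipient click rate $p$ and $n$ recipients, the probability that nobody clicks is $(1-p)^n$, so

$$P(\text{at least one click}) = 1 - (1-p)^n, \qquad 1 - 0.75^{10} \approx 1 - 0.056 = 0.944.$$

Doubling the batch to $n = 20$ gives $1 - 0.75^{20} \approx 0.997$, which is why a fraudster need not be selective: a handful of extra recipients makes a single victim all but certain.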
Make Vigilance the Gold Standard
Luckily, businesses can protect themselves against phishing attacks with the right strategy. These simple tips can help defend your company’s assets and workforce from would-be fraudsters.
Create a secret handshake. Executives and managers can choose a non sequitur to use when approving something major, such as a six-figure wire transfer, via email. If the message doesn't include that phrase, they'll know to stop and call the colleague to confirm. A shared phrase defeats a spoofed sender but not an attacker who has taken over the executive's mailbox and can read earlier approvals, so a callback to a known number should be the rule for any transfer above a set threshold, phrase or no phrase.
Keep a watchful eye. For all users, businesses should consider a robust anti-phishing education campaign that includes the ability to measure the results. Programs such as PhishMe Intelligence provide IT managers, CIOs and chief security officers with an aggregate view of the types of phishing attacks their employees fall for. Leaders can use that information to focus training efforts.
Instruct every employee. Users must also realize the severity of phishing. Some users believe they play such a minor role in a company that hackers won’t target them. This attitude opens back doors to fraudsters, providing another example of why successful anti-phishing strategies focus on humans rather than technology.
Keeping email safe is only one piece of the security puzzle. Learn how CDW can help you figure out where else to focus your security efforts through a security risk assessment.