Spear phishing – don’t get caught
June 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
We’ve all seen it before – a Nigerian prince wishes to relocate because of the deplorable conditions in his country, but he is afraid that the government will seize his assets. He wants a trustworthy source (that’s you) to whom he can transfer the millions of dollars in his personal account until he can successfully relocate, at which time he will cut you in for 10 to 50 percent of the funds for being so helpful. All you have to do is provide your bank account details so the prince can take all your money.
The prince made a fortune for quite a while, but most people do not fall for this type of scam (called a phishing scam) any more. Even the more plausible versions of the scam (clicking on a link to read the subpoena that has been served on you or the details of the package waiting for you at “Fedderal Expres”) can easily be spotted because they are rife with misspellings, grammatical mistakes or fake source email addresses. Moreover, we have lived with these scams for so long that most people know not to open strange attachments that they were not expecting.
Better know what’s spear phishing is
Enter the spear phishing, or business email compromise (BEC) attack, one of the latest, and more insidious, scams to sweep across the globe. Unlike phishing attacks, which come from a complete stranger or a generic email address, spear phishing emails purport to come from someone who works at the same company as you – usually someone with a high level of authority (a team leader or boss or even a c-level officer). Moreover, they will appear to come from the superior’s actual company email address, either because the scammers have successfully hacked into their company (or personal) email account, or because they can spoof the email to make it look like it is coming from that address.
The spear phishing email will almost always reference some project that you or your team or your company is working on, with just enough details to make it sound like the sender knows what they are talking about. This is because the scammers have actually done some research into your company, the type of business that it conducts and the key players in the organisation. If they have somehow managed to already hack into the superior’s work or personal email address, they may even have details of specific transactions that are taking place, key geographic areas where the company is operating or other organisations (lawyers, accountants and the like) involved with the deal. They will also have done research into how the superior writes and will thus use particular phrases or sentence patterns to make the email seem even more authentic.
What’s the message?
The spear phishing email will, of course, contain some sort of request to the recipient. In many instances, the sender will ask you to open a file, purportedly a key document necessary for the referenced project but really a malicious executable file designed to give the scammers even greater access to your systems. Other emails will ask you to transfer a certain sum of money to a designated bank account, presumably because “the deal can’t go through without this key deposit”.
Sometimes, however, the email does not ask for anything, but instead refers you to another professional who will give you further instructions.
For example, the company’s president needs you to send a deposit for a highly confidential business transaction, but rather than asking for the transfer outright, he tells you that you need to contact the lawyer working on the transaction and gives you his contact information (but do not call the phone number – this is highly sensitive, after all). A quick search may reveal that there actually is a partner at the firm in question going by the name referenced in the email, though assuredly that partner has nothing to do with any of this; the email address will often be incorrect. However, it may certainly look plausible, and when you send an email requesting the additional details (because, you know, the boss attaches “special importance” to this project), the scammer, pretending to be the partner in question, will give you all of the information you need to wire the deposit to the scammers’ temporary bank account in Chechnya, where it will immediately be moved to another account to avoid recovery once you realise your mistake.
Because the email seems to come from a trusted source and has a lot of details that, supposedly, only someone working on the project would actually know, the normal instinct is to comply. However, the results of doing so can be catastrophic – anything from locking down your computer systems to the funnelling of hundreds of thousands of dollars in company money to untraceable accounts. In fact, one survey put the average cost of a spear phishing attack in 2015 at approximately $1.8m.
Advice on how to avoid being speared
So how do you avoid being the next ‘phish’ to be caught? The best thing that you can do when you receive a request like the one referenced above is to phone the sender directly (not at the number listed in the email – find the phone number of your superior independently) and ask them if they sent it. If they acknowledge the request, then you are in the clear; if they do not know what you are talking about, then you have successfully foiled another attempt to gain unauthorised access. Do not send an email confirming the request – if the scammers are already in your system, they may have complete control over your email system, including the ability to intercept emails or change their content. Long term, your company might want to consider multi-factor authorisation for payment requests. This might involve verbal confirmation, as indicated above, or actual written and signed confirmation from someone in the finance department. These processes will ensure that at least two real people in the company have reviewed the request and investigated its authenticity.
Training, training, training
The other preventative measure that you can take is employee training. A recent report indicates that over one-third of all security breaches in 2015 were the result of employee negligence. While it will not eliminate all employee mistakes, training your workforce to detect this and other types of cyber fraud will go a long way toward reducing your exposure. It will also help them be more aware when it comes to other cyber security issues such as password creation and the use of devices in public areas.
Finally, consider purchasing cyber insurance to cover this type of loss. Normal CGL policies are unlikely to insure against these complex and relatively new types of attacks, and there are actually a couple of cases working their way through the courts in the United States where insurers are disputing coverage under them. Cyber insurance is specifically tailored to address these problems – just make sure that you consult with an attorney to ensure that you are getting exactly the coverage that you need.
And what if it is too late? What if you have already sent the money off? Contact your financial institution immediately and request that they contact the financial institution where the money was sent. They might be able to get the money back, if too much time has not elapsed. Also, regardless of the amount involved, in the US the government asks that people file a complaint with the Internet Crime Complaint Center, also known as IC3. IC3 is a multi-agency task force made up by the FBI, the National White Collar Crime Centre, and the Bureau of Justice Assistance. It gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations on the internet. It may not get your company’s money back, but it might help law enforcement prevent the next attack.
There is no doubt that email scams have evolved considerably over the last decade. While you will still get the occasional email with the title “Hey, look at this!” that instructs you to open a mysterious attachment, the more likely communication will appear to come from a trusted and authoritative source. Email scams are far more professional, and that is also who they are targeting.
Peter S. Vogel is a partner and Eric Levy is a senior attorney at Gardere. Mr Vogel can be contacted on +1 (214) 999 4422 or by email: firstname.lastname@example.org. Mr Levy can be contacted on +1 (214) 999 4918 or by email: email@example.com.
© Financier Worldwide
Peter S. Vogel and Eric Levy