We receive hundreds of junk emails every day, 99% of which get sorted by our anti-spam software. The 1% that make it through still tend to be pretty obvious 419 scams – interestingly the poor quality of these emails is part of the cost economics of running such scams, but that’s another article.
What made today interesting is our Finance Director received an email from me, the Managing Director of the company.
Here it is in full:
Please I will need you to take care of a financial obligation for me today. What is the required information needed for you to process a Wire transfer?
Sent from my iPhone
Aside from the poor grammar and the fact it was purportedly from my "iPhone" (both of which our FD knows I’m not keen on), it was a pretty convincing email. They spoofed my email address well enough to fool Outlook into sorting it into a folder and they’d specifically targeted the two people in the organisation who could ‘potentially’ request and carry out a money transfer quickly.
In reality, they would have failed at the first hurdle as we, like all companies with good financial policies and procedures, have checks and balances in place to prevent any one person unilaterally setting up a new account and transferring money.
Fortunately they didn’t get even that far though as our FD instantly recognised this as an attempt at ‘social engineering’ – in other words, a non-technical method of intrusion that scammers and hackers use which relies on tricking people into breaking normal security procedures.
It is one of the most old-fashioned forms of personal and corporate scamming – pre-internet practitioners were commonly referred to as ‘confidence men’ and their art as a ‘confidence trick’ or just a ‘con’.
Big companies are particularly vulnerable to this kind of attack, otherwise known as "spear-phishing". Ubiquiti Networks Inc. lost $46.7M in a cyber-scam in August "in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers."
Unlike standard "phishing", which casts its net far and wide with subject lines such as "Verify your activity" or "Account security notification", ‘spear-phishing’ is targeted at individuals and employs clever techniques such as sending emails on Friday afternoons (when people are tired and bank transfers can’t be easily reversed).
As with our example above, sometimes they don’t even contain a clickable link (something people are already wary of and which is likely to be caught by anti-virus and spam filters) but simply contain an innocuous request for information.
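As an added illustration (not part of the original post), here is the kind of gateway-side check that catches exactly this message: a From address that claims to be internal but is not backed by the Return-Path or the SPF/DKIM results, combined with payment-request wording. The domain, the header values and the phrase list are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain
# Wording typical of the payment-request message quoted above (constructed list).
PAYMENT_PHRASES = ("wire transfer", "financial obligation", "bank details")

def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like an executive-impersonation request."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == INTERNAL_DOMAIN:
        # The From header claims one of our own users, so the envelope sender and
        # the SPF/DKIM verdicts recorded by our own gateway must agree with it.
        if rp_domain and rp_domain != INTERNAL_DOMAIN:
            reasons.append(f"header: From is @{INTERNAL_DOMAIN} but Return-Path is @{rp_domain}")
        if "spf=pass" not in auth:
            reasons.append("header: SPF did not pass for an internal From address")
        if "dkim=pass" not in auth:
            reasons.append("header: no valid DKIM signature for an internal From address")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        reasons.append("content: payment request wording: " + ", ".join(hits))
    return reasons

def is_likely_bec(raw_message: str) -> bool:
    """Flag only when a forged-internal-sender signal AND payment wording coincide."""
    reasons = bec_indicators(raw_message)
    return (any(r.startswith("header:") for r in reasons)
            and any(r.startswith("content:") for r in reasons))

# Constructed sample mirroring the message quoted in the post; the headers are invented.
SPOOFED = """\
Return-Path: <bounce@smtp-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=smtp-relay.example.net; dkim=none
From: "Managing Director" <md@example.com>
To: fd@example.com
Subject: Request
Content-Type: text/plain; charset="utf-8"

Please I will need you to take care of a financial obligation for me today.
What is the required information needed for you to process a Wire transfer?

Sent from my iPhone
"""
```

Run `bec_indicators(SPOOFED)` to see the three header mismatches plus the payment wording; a genuine internal message with spf=pass and dkim=pass produces only the wording hit, so `is_likely_bec` stays False for it.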
So what can companies do to protect themselves against this kind of attack?
– URL sandboxing: This is basically software that checks the URL links embedded within emails at the point a user clicks on one. If the link is dodgy, the software prevents it from being opened.
– Real-time monitoring of web traffic: If one of your users has a personal Gmail account, the URL sandboxing may not work. Real-time monitoring of web traffic should pick this up and stop the vast majority of accidental malware clicks.
– Staff and client education: These attacks work because it is human nature to be helpful. If your staff and clients are aware of this kind of attack they can be better prepared to spot it when it happens. Give team training sessions, send out videos and articles about the threats (and consequences) and even consider testing them with a pretend attack.
Above all, better knowledge of the risks posed by this kind of attack is your best defence – which is why I wrote this article.