You get an email from the CEO of your company asking you, "Can you wire some money?" It outlines the account that the funds need to be wired to by 4pm that day. Do you go ahead and wire the money? If the amount they request is only $1000, does that make a difference? What if the amount is $50,000? Chances are that most people would be very cautious about wiring money without verifying, or at least picking up the phone first. However, believe it or not, we have seen instances of as much as $50,000 being wired without any verification being done. It happens every day!
This type of activity is what is referred to as a targeted spear phishing attack. Instead of mass emails going to everyone under the sun and relying on the law of averages that someone will click, enable, reply or whatever the desired outcome is, a spear phishing attack is much more crafty. Typically a spear phishing attack involves more preparation and planning, and most likely some social engineering. These types of attacks target individual people that are in high ranking positions within the company – normally CEO, CFO, COO type positions. The reason is that these people can typically make things happen and have the authority to interact financially.
These attacks typically have specific information that is relevant to the parties involved. Your first response might be that there is no way you would respond to an email asking "Can you wire some money?" But what if your organization is in the middle of a big project that is time sensitive, you have to get supplies ordered to meet the deadline, and you get an email from your CEO saying "Can you wire some money to <insert normal vendor>? Their account number is X." What if the email says we have to get a new bank account established in the new market we are expanding into, and it has to be done today to ensure we can have everything in order to close on the building? These are details that might lower your guard against what might normally be a red flag about wiring money. So the answer isn't so black and white in those instances. These are the types of reactions spear phishing experts rely on. It may take months of planning and interacting with your team and staff to gain this type of insight, but only seconds for an actual wire transfer to occur.
So What Can You Do To Protect Yourself and Your Company?
- First and foremost, you MUST have a policy in place for any payments via credit card, bank draft or bank wires. This policy must be in writing and every one of your employees that has access to these funds must sign off on the fact that they understand the policy and agree to it.
- Your policy should include some type of checks and balances to ensure more than one person approves these types of transactions. If two people have to sign off on a transfer or payment, it is much more likely that one of them will question and want to verify the transaction.
- You want to make sure you have cyber-liability insurance, as well as general liability policies that can cover these types of instances. You need to have an insurance partner that you trust and who can guide you on these policies, because many policies exclude this.
- You need to constantly train your staff against the dangers around this. This includes training your staff on what types of email, phone calls, texts and other communications are legitimate, and how to check for signs that an email is not coming from a legitimate source. At DaZZee we offer our clients structured training around this, on a regular basis, to help identify risks and how to avoid them. Victims of spear phishing attacks tend to want to blame technology first. However, this is really not a technology issue but rather a policy issue. The emails that come in normally appear to be from a legitimate address that has simply been faked to look like an internal email, but upon closer inspection they are not from the actual email account you are familiar with.
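The "closer inspection" described above can be partly automated. The following is an added example (not DaZZee's code or training material) showing the checks a mail gateway or help desk could run on an inbound From header: does the display name match an executive while the address is outside the company domain, is the sending domain a look-alike of the company domain, and does a Reply-To quietly redirect replies elsewhere. The company domain `example.com`, the executive directory and the sample headers are all constructed for illustration.

```python
"""Flag inbound mail whose From header impersonates an executive.

Added example, not the page's or DaZZee's code. COMPANY_DOMAIN, EXECUTIVES
and every sample header below are constructed assumptions for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organization's real mail domain
EXECUTIVES = {                  # constructed directory: display name -> real address
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}


def _levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize_domain(domain):
    """Undo common character substitutions used in look-alike domains."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "olse"))


def is_lookalike_domain(domain):
    """True if the domain is not ours but is visually close to ours."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    return (_normalize_domain(domain) == COMPANY_DOMAIN
            or _levenshtein(domain, COMPANY_DOMAIN) <= 2)


def classify_sender(from_header):
    """Return one of: internal, lookalike_domain, display_name_spoof, external."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    name_key = " ".join(name.lower().split())
    if addr in EXECUTIVES.values() or domain == COMPANY_DOMAIN:
        return "internal"
    if is_lookalike_domain(domain):
        return "lookalike_domain"
    if name_key in EXECUTIVES:
        # An executive's name on a free-mail or unrelated address
        return "display_name_spoof"
    return "external"


def triage(headers):
    """Collect findings for a message given a dict of its headers."""
    findings = []
    from_header = headers.get("From", "")
    verdict = classify_sender(from_header)
    if verdict not in ("internal", "external"):
        findings.append(verdict)
    reply_to = headers.get("Reply-To")
    if reply_to:
        # Replies going to a different domain than the sender is a classic BEC sign
        _, r_addr = parseaddr(reply_to)
        _, f_addr = parseaddr(from_header)
        if r_addr.lower().rpartition("@")[2] != f_addr.lower().rpartition("@")[2]:
            findings.append("reply_to_mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages
    samples = [
        {"From": '"Jane Doe" <jane.doe@example.com>'},
        {"From": '"Jane Doe" <ceo.jane.doe@gmail.com>'},
        {"From": "Jane Doe <jane.doe@examp1e.com>"},
        {"From": "Jane Doe <jane.doe@exarnple.com>"},
        {"From": '"Jane Doe" <jane.doe@example.com>', "Reply-To": "jane.doe@gmail.com"},
        {"From": "Accounts Payable <ap@vendor-invoices.net>"},
    ]
    for msg in samples:
        print(msg["From"], "->", triage(msg) or ["no findings"])
```

A hit on any of these findings is a reason to pick up the phone and verify through a known-good number, which is exactly the policy step the bullets above describe; the code only decides who gets that extra scrutiny.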
If you have any questions on how these types of attacks happen, what to be on the lookout for, or what DaZZee can do to help, please reach out to us. We would much rather have a conversation with you, even if you are not a client, than have you be at risk and take a chance on your business livelihood.
Here are some external links about spear phishing and how the attacks are normally presented.