When you think of “shifty” emails, you usually think of poor grammar and a suspicious sender—someone asking for money in exchange for some unknown product. These types of emails are easy to spot, and only the most gullible are likely to fall for such an obvious trick. That being said, email scammers have adapted to our increasingly savvy—and weary—internet-fluent society.
If simple ploys won’t work, scammers use more sophisticated tactics. Some attacks focus on the person receiving those suspicious emails. Sometimes, it is easier to hack a human than a computer system. As opposed to the blatantly nefarious emails that sometimes enter our inboxes, “spear phishing” attacks look authentic. Spear phishing emails appear to be sent from someone you know or an organization with which you are familiar. They may contain links that, once clicked, install a virus on your computer. In some cases, they may even appear to be emails coming from your boss requesting that you immediately deposit large sums of money.
This particular brand of spear phishing—commonly known as “CEO spoofing”—has tricked companies into losing millions of dollars. By posing as the CEO, who is usually (conveniently) out of town, a scammer will send an email to employees requesting that money be immediately deposited into an account. These emails may contain the company seal or the CEO’s signature and, at first glance, appear to be entirely authentic.
This degree of deception requires lots of planning. From deducing when a CEO will be physically absent from the office to analyzing a company’s email format, this brand of cyber criminal is purposeful. If an employee believes the email is a legitimate request, they will follow through and only realize a horrible mistake has been made once it is too late.
In 2014 Upsher-Smith Laboratories, a prominent drug company, fell victim to this kind of attack. Over a few weeks, nine wire transfers were requested by an employee who thought those transfers were authorized by the CEO. Though the company was able to recall one of the wires successfully, a total of nearly $40 million dollars plus interest was lost. A simple email trick cost this company millions of dollars plus an ongoing lawsuit with the bank that initiated the wire transfers, Fifth Third Bank, in spite of the obvious red flags that marked the exchanges. Given the expensive repercussions, the aftermath of spear phishing is usually characterized by attempts to assign blame and determine responsibility.
The warning signs that were overlooked by the bank were also overlooked by the victim of the attack. First, the sheer number of transfers and their amounts was staggering. Additionally, the emails demanded that the money be transferred immediately and in confidence, both of which deviated from the company’s usual procedures. Certain beneficiary names, at least in retrospect, seemed suspicious. In spite of these signs, this scam succeeded nine times. Even significant departures from regular policy are often overlooked when the email itself looks authentic and seems urgent.
The authentic look and feel of the emails, in addition to the planning involved, is a type of social engineering attack. The scammer relies on deceiving the employee by making them feel secure and comfortable in transferring the money. By demanding an atmosphere of confidentiality, the scammer effectively targets and isolates the single employee. The scammer only has to trick the one person capable of initiating the transfers or fulfilling the request. The sense of urgency often seen in these emails pressures the employee to act quickly and without further clarification or approval.
Another even more targeted brand of spear phishing attempts to get W-2 information from HR professionals and payroll companies. It is also an attack that frequently targets law firms. W-2 and similar data often include an employee’s home address, salary information, or social security number among other pieces of identifying information. For a cyber criminal, this kind of information can be sold on the dark web or used by the criminal themselves.
Instead of sending an email requesting wire transfers, these emails ask for employee W-2 forms, with the perpetrator posing as the company’s CEO or other authorized representative. Without verifying the veracity of the email, the employee sends confidential information. Like spear phishing attacks in general, these attacks prey on individual weaknesses more so than digital vulnerabilities.
To guard against this, employees should be encouraged to double check and verify requests with third parties. Some spear phishing attacks have been circumvented by simply asking in person whether or not a request had actually been made. In handling a situation that could have dire consequences for a company, it is better to be mildly inconvenienced than lose critical employee information or company money.
However, creating an atmosphere of cyber security is ultimately the responsibility of the company. Keeping abreast of hacking and scamming trends is an essential feature of a robust security policy. Employees must be informed and educated when it comes to new threats, especially threats that target them directly. Since spear phishing attacks go after human vulnerabilities instead of digital ones, it is critical that employees be made aware of the types of breaches they may encounter. For other email scams, such as emails containing a link that either installs a virus or grants access to a hacker, simple steps like training employees to “hover” over links to see the URL and prompting manual typing of webpage addresses helps. However, for attacks like CEO spoofing, attention to detail and an emphasis on double checking is important. If an emailed request from the CEO or managing partner seems even remotely strange or clearly differs from normal protocol, further clarification and assurance ought to be obtained.
Given the risk, it is always better to be safe than sorry.