Spear Phishing: Latest Email Scams That Can Cost Your Business Huge Losses
The words ‘spear phishing’ may look like a misspelled sport, but it is in fact one of the most lethal computer scams. In 1995, phishing made its debut with emails and instant messages from unscrupulous individuals posing as legitimate employees requesting account verification and billing information with the intent of using the information illegally. After a massive information campaign, phishing all but withdrew to the shadows. That is until a few years ago when it took the form of “spear phishing.”
The Truth About Spear Phishing
According to experts, about 70% of all spear phishing emails are opened. Why? Employees open the spear phishing email because it looks legitimate – coming from a superior or business owner, if not top executive of the company. It preys on employees who want to get ahead; be noticed; please their boss.
Unfortunately, spear phishing comes in many forms: instant messaging, VOIP, social network sites, and SMS, among others. In addition, it can legitimately come from someone within an organization by a crafty employee who knows how to create email baits. Modern spear phishing is a major security wake-up call for all IT professionals, business owners, and corporate management.
Recently, the FBI revealed a new version of spear phishing which they have called “BEC” or Business Email Compromise scam. These spear phishing emails pretend to come from a top executive requesting for confidential data or funds. Since 2013, over $2.3 billion has been lost to these type of emails.
These BEC emails commonly request the following:
- Wire transfers
- Credit card information
- Copies of invoices
- W2 records
- Employee personal information
As you can see, these are confidential data found that can be found in Human Resources, Accounting, Finance, Sales, and Legal departments. If the requests are granted, your company can stand to lose not only business funds but also damage to reputation, invasion of privacy, and the trust of your existing customers. If the scam becomes public knowledge, it could cause the downfall of your business.
How to Prevent Spear Phishing
The most sophisticated security system is always the most recommended strategy but it would be an incomplete plan because spear phishing targets human weakness. Thus, employees must be educated on how to handle all corporate information.
Training should involve:
- How to detect possible spear phishing emails. There are telltale signs such as inconsistencies with past emails, strange greetings or use of formal name instead of nickname, abnormal tone, fake CVs to Human Resources (aimed at delivering malware), disregard for chain of command, or out-of-the-blue request
- Confirm before acting and stressing the need to authenticate any request for confidential information
- Possible consequences of emails scams and the need to be vigilant
- Methods of approaching a superior regarding a suspicious email
On the side of top management, top executives and supervisors including the Chief Finance Officer should stay on top of all disbursements – even petty funds. In addition, officers should do the following:
- Conduct periodic reviews and send out alerts to remind employees of the damage of spear phishing
- Lay down the ground rules for a safe culture where rank and file are allowed to question emails and other sensitive matters without fear of being rebuffed or punished
- Be part of the global environment on cyber security, not just on spear phishing, but all possible attacks on a corporation
- Establish a check and balance system with dual authorization for sensitive and confidential information or transfer of funds
It would be wrong to think that scammers only target large corporations. Studies show that as recent as 2016, these types of scammers prefer small to medium enterprises because they have fewer layers, more overworked staff and officers, and a more laid-back approach to emails. It’s time to address spear phishing no matter the size of your business or charity because scams will never stop evolving and attacking.
To learn how to protect your company or more information on this topic, please contact us or call us directly at 954.603.1515.