Commercial phishing: Don’t let culprits snag you
Providing data security training is effective stepApril 8th, 2016
It’s a situation that happens all too often: A member of a company’s executive leadership team is away on travel. In this case, let’s say it’s the CEO, who has set up the customary automatic “out of office” email response. But unbeknownst to the CEO or to colleagues, the email address has been compromised by a hacker.
The CFO receives a message that appears to be from the CEO and that requests a large wire transfer of funds. The CFO proceeds to wire the money according to the instructions provided, only to learn— too late—that the request wasn’t legitimate, and the funds are gone. With the prospect of a lengthy and near-impossible process to recover the cash, the business ends up taking a financial hit.
The above scenario happens regularly, with the latest public example resulting in the loss of more than $80 million from Bangladesh Bank.
Phishing, a scam in which an individual is duped into revealing personal, identifying information over email, is becoming all too common and is increasingly targeting business executives. In the commercial version of this fraud, business emails are hacked by criminals posing as employees, service providers or customers.
The emails often appear within the norm, using company names, logos and links that are familiar. Upon clicking on included links which lead to websites masquerading as legitimate, employees are asked to update personal information, from Social Security numbers and bank account details to user names and passwords.
Commercial phishing and associated CEO fraud is a growing problem, and by the FBI’s latest calculations released in February, the cost to U.S. businesses has risen to $2 billion since October 2013. It’s not an issue that’s isolated to large companies; it’s an issue plaguing businesses of all sizes.
In fact, small organizations are significantly more vulnerable to fraud than larger one since they are more likely to neglect basic antifraud controls.
So how do attackers transition from hacking corporate email to executing wire fraud? Commercial phishing has evolved to embrace social engineering, where criminals assume a role that enables them to ask various questions of those inside a company without arousing suspicion.
New employees, clients, or service providers, for instance, are expected to need some direction on company policies and processes. The information gleaned from unsuspecting company representatives may be enough to piece together a way to hack into the company’s network. Plus, criminals often tap social media for more details that add credibility to their stories.
Once inside the corporate network, criminals watch email accounts patiently, particularly those of C-Suite employees.
Through monitoring, attackers can gain knowledge about an executive’s travel schedule and movements, which can aid in timing an attack as in the scenario introduced above. By timing a request to reach the targeted individual, the CFO, when the CEO may be aboard a flight or vacationing on a remote island, a fraudster is betting that the urgency of a request will override any desire to miss a critical transaction or disrupt the CEO. And by the time the CEO does receive confirmation of the transaction, it will be too late to remedy the situation.
The Anti-Phishing Work Group received more than 1 million unique phishing reports in the first three quarters of 2015 and reports getting more than twice as many submissions now than in 2014. Further, the FBI reported that global losses attributed to business email compromise scams increased 270 percent from January to August of last year.
As businesses get wise to one scam, another appears and then another. Currently, businesses are reporting a number of IRS-related covers for fraud. Through phishing, criminals are posing as IRS agents, capitalizing on the authority of that agency. Seemingly official emails request W-2 forms for all employees, which provide a wealth of personal information. In the same vein, criminals are using email addresses that appear legitimate, with names similar to those used by actual companies.
Although commercial phishing shows little sign of abating, businesses can take steps to protect themselves and their employees. One of the most effective measures against phishing is information security training. Companies should establish a protocol for all employees to follow and execute trainings to ensure they’re aware of their roles and responsibilities in protecting company—and personal—information. Additional layers of security, such as requiring verification phone calls for any instructions received via email, also may be instituted.
Beyond keeping personnel apprised of threats and appropriate responses, businesses should conduct regular audits to assess their information systems and devices to determine areas that may be vulnerable. To assess an information security environment, organizations should consider reviewing their selected approach for backups of servers and workstations. They also should consider reviewing anti-malware and anti-virus controls, network perimeter protections, patch management programs for critical software, protection for portable devices such as laptops and tablets, and controls for remote access and wireless technology.
Finally, companies should work with their financial partners to determine which types of bank fraud prevention services may be available to mitigate risk. Some financial institutions may offer monitoring services or security layers to catch potentially fraudulent activity before it goes too far.
By remaining vigilant and taking a well-considered approach to monitoring and maintaining an information security environment, businesses can meet the threat of commercial phishing with greater confidence.
Troy Wunderlich is a vice president and director of risk management with Spokane-based Washington Trust Bank.