Email “Spear Phishing” Alert

September 29th, 2015

Email was not originally designed to be secure.
There is an advanced, targeted spear phishing attack in which the CFO, controller or someone in a similar position at a company receives a forged (or "spoofed") email message that appears to come from the CEO or another company executive. The message instructs the controller to send money to a receiving account that the attacker controls; it is not a genuine request. Because many accounting staff are unaware of the scheme, some have transferred hundreds of thousands, and in some cases millions, of dollars to these fake accounts, greatly profiting the criminal organizations behind them. We want our clients, and everyone, to realize this and to be aware!

Companies try to stop these attacks with tools such as anti-spam filters, but the messages change so quickly that a single "evolved" attack can make it through those barriers. Spear phishing attacks are targeted by nature: the attackers pick a company, study its website to work out who the executives are and who handles the money, and then send a single email to the person in charge of finances. That small volume is what helps the attack bypass normal security measures, which rely heavily on having seen the same message many times before.

There are things a small business can do to protect itself. Here is my short list.

1) Again, do not trust email. Email should never be assumed to be secure; security was never its purpose. It was designed to transfer messages between locations easily and reliably using the SMTP protocol, and SMTP does not check that the address shown in the From line actually sent the message, so anyone with modest technical skill can make a message look like it came from someone else. Verify every request that has a financial impact through a channel other than the email itself (a phone call to a number you already have, not one taken from the message), and send sensitive financial information by a more secure route.

2) Communicate well within your organization. Even the smallest firm should have sound financial controls for the disbursement and allocation of funds, for example requiring a second person to approve any payment to a new or changed account.

3) Be attentive to writing styles. Pay attention to the individual style in your typical communication with your key people. Some keep it simple and brief; others tend to be more detailed or flowery, and some use very specific language. A simple departure from the usual pattern can be a valuable heads-up.

4) Promote security awareness among the team members who use computers. Use whatever works for you, whether it is a short meeting once a quarter, a periodic newsletter or posters around the office.
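As an added illustration of the header tricks behind these spoofed executive emails (this script is not part of the original post, and it is no substitute for the phone call in point 1), the following Python code parses three constructed messages and reports the patterns a finance team or mail administrator can look for: a known executive's name on an address that is not really theirs, a Reply-To that steers the conversation to a different domain, an envelope sender (Return-Path) that does not match the visible From address, and wording that asks for money. The company domain, the executive roster and all three messages are assumptions made up for the example.

```python
"""Flag the header and wording patterns seen in spoofed "CEO wire transfer" emails.

Added example. The executive roster and the three sample messages below are
constructed for illustration and do not describe any real organization.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed roster: display name -> the executive's real mailbox.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Words that mark a request with financial impact (assumed list).
MONEY_WORDS = {"wire", "transfer", "payment", "account", "invoice"}

# Constructed sample 1: real executive address in From, but Reply-To and the
# envelope sender point somewhere else, and the body asks for a wire.
SPOOFED = b"""Return-Path: <bounce@example.net>
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail.example.net>
To: controller@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please wire $48,000 to the account below today. I am in a meeting, email only.
"""

# Constructed sample 2: look-alike domain (examp1e.com, digit one for letter l)
# with consistent headers, so only the roster check and the wording catch it.
LOOKALIKE = b"""Return-Path: <jane.doe@examp1e.com>
From: Jane Doe <jane.doe@examp1e.com>
To: controller@example.com
Subject: Vendor payment
Content-Type: text/plain

Need you to process a vendor payment today, details to follow.
"""

# Constructed sample 3: an ordinary internal message.
GENUINE = b"""Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Budget review
Content-Type: text/plain

Can we meet Thursday to go over the budget?
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw: bytes) -> list[str]:
    """Return the reasons a message should be verified out of band before acting."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. A known executive's display name on an address that is not that
    #    executive's mailbox (covers look-alike and free-mail domains).
    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected:
        findings.append(f"From shows '{from_name}' but address is {from_addr}, expected {expected}")

    # 2. Reply-To moves the conversation to another domain, so the controller's
    #    reply (and any question about the request) never reaches the real executive.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Return-Path is the envelope sender recorded by the receiving server;
    #    SMTP never requires it to match the From header the reader sees.
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append(f"Return-Path domain {_domain(rp_addr)} differs from From domain {from_dom}")

    # 4. The body asks for money: by itself a reason to confirm by phone,
    #    whatever the headers look like.
    body = msg.get_body(preferencelist=("plain",))
    words = set(re.findall(r"[a-z]+", body.get_content().lower())) if body else set()
    hits = sorted(words & MONEY_WORDS)
    if hits:
        findings.append(f"Financial request wording: {', '.join(hits)}")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("look-alike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

None of these checks replaces the out-of-band verification in point 1: a message can pass all four and still be fraudulent (an attacker who has taken over the executive's real mailbox trips none of them), and a genuine executive replying from a personal phone can trip the Reply-To check. Treat a hit as a reason to pick up the phone, not as proof either way.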


Additional References:

Here's a previous heads-up from the FBI, with lots of good additional info.