We all know better. We’ve all seen the articles explaining that phishing is a real and persistent threat, and we’ve been warned ad nauseam not to click on suspicious links. Yet we also know just how easy it is to mess up and click on that link.
One type of phishing is growing explosively and targeting the people who pay bills and manage human resources in companies, government departments, and non-profit organizations. According to a report by the Better Business Bureau (BBB), the new attacks—sometimes called “spear phishing,” “whaling,” or “mandate fraud”—start with an email that appears to come from a high-ranking member of the organization. The scammers have either hacked into the email account of a specific person, the CEO, for example, or set up a bogus email that looks like the CEO’s.
The email typically targets a specific person in the organization, too, like the CFO, the head of HR, or someone else with direct access to financial accounts or HR records. The email may look like a request from a senior staffer to have their paycheck deposited into a new bank account or from the CEO requesting updated personal tax records. Sometimes the email request may be as simple asking for a request for a gift card.
This type of scam is happening with alarming frequency, too. An astonishing 80% of businesses in the United States have been targeted with some kind of payment fraud or business email compromise (BEC) scam, according to a report by J.P. Morgan. The FBI says this spike has resulted in more losses that any other type of fraud in our country, the BBB report notes.
One source in the BBB report says when wire transfers are involved with spear phishing scams, the average loss to companies comes to $35,000. Arguably the most infamous corporate phishing attack in recent years is the one that Lithuanian national Evaldas Rimasauskas pleaded guilty for in March, which saw him raking in some $100 million from Google and Facebook before his arrest two years ago.
The BBB report is both fascinating and unnerving, and leaves organizations with a few major takeaways.
1. Implement technical barriers
Good training can go a long way toward helping stop BEC attacks before they start, but it’s not foolproof. The BBB report makes a strong case that for impersonation emails to work, they have to appear to come from within the organization’s email system, so it’s imperative to add layers of protection there.
“The tricky part about BEC attacks is that they aren’t detectable by conventional anti-virus solutions,” notes Miriam Cihodariu of Heimdal Security. Like all social engineering attacks, she points out these attacks rely on human reaction to work.
As a first step, Cihodariu recommends requiring multifactor authentication, so potential scammers cannot log into the system. Also, add a warning message to emails originating from outside your organization. Email administrators also should be vigilant about unusual forwarding rules or autoresponders often set up by hackers to prevent the actual email owner of the account from noticing that anything is amiss.
Other Articles From AllBusiness.com:
2. Typical security awareness training doesn’t work
Clearly, being forewarned is important. But the type of conventional awareness training companies have been opting for, the BBB report demonstrates, isn’t doing the job.
That’s because hackers behind phishing attacks are becoming increasingly adept at tapping into people’s emotions, explains Mika Aalto, co-founder and CEO of HoxHunt, a security training provider. “If you generate enough fear or threat, a person will easily do something irrational, like open a shady attachment, even though they know perfectly well they shouldn’t.”
This explains why senior citizens so easily fall prey to scams about their grandchildren needing money. It also explains why perfectly rational, highly-placed professional people will do odd things when they think it’s their CEO asking.
The solution, according to Aalto, is to go beyond the typical e-learning style of threat awareness and implement a training program where employees learn in real time through practical exercises. His company provides staff security training that sends personalized phishing simulations based on the user’s role in the company. Progress is measured and results are displayed on a dashboard interface so the security team can spot potential trouble areas and less compliant employees.