My alternative title for this post was " The IRS, a Nigerian Prince, and your CEO walk into a bar."
As you may have guessed, my last blog post of 2017 is about phishing. We have all received these e-mails. They are usually written in either poor English or proper English (UK version), have typos, and describe a generic situation so the same e-mail can be sent to thousands of targets. In most cases, the average person can spot them pretty quickly and doesn't fall for them. Still, you have to imagine that a certain percentage of folks must fall victim to them, or else the criminals would stop using this tactic. Over the last few years, as more people have become aware of these scams and their success rate has declined, the cyber criminals have begun to do their homework. They are now having Americans write the e-mails to get around the language barrier (George Bernard Shaw would be proud), and more and more have changed their approach to spear phishing combined with Business Email Compromise, or BEC for short.
Spear phishing, or targeted phishing, is where the criminals attempt to learn as much as possible about you online in order to gain your confidence. While this is used against individuals, it is more commonly used against businesses, schools, churches, and other not-for-profits. The reasons are many. First off, businesses and not-for-profit organizations have more money than the average individual, so it is more profitable to target an organization. Secondly, businesses and not-for-profits tend to be very verbose online about their organization, events, officers, employees, board members, what software they use, etc., so the attackers can quickly accumulate a lot of intelligence on their target with a few Google, LinkedIn, and Facebook searches. Thirdly, let's face it, human nature is that we all want to be seen at work as cooperative and helpful to our executives. This plays into the social engineering aspect of phishing. An additional factor is that very few small to medium sized organizations provide their employees with security awareness training or mock phishing exercises, or have procedures in place to counter phishing attempts. Given these reasons, small businesses and not-for-profits are becoming the target of choice for cyber criminals.
So how has this occurred historically? Below is an actual scenario that I observed (the names have been changed for privacy purposes):
The CEO and his/her spouse go to Europe for a 2 week vacation. While there, the CEO checks in on Facebook at various tourist attractions, and posts photos every night of the places they visited that day. Meanwhile, early in the month the company issued a press release about a new location where they will be breaking ground in the coming month to expand their customer footprint. Details include the name of the general contractor, and specifics about the square footage of the office space and the amount the company is investing in the building. And the final piece of the puzzle: Mary the controller is very descriptive of her cash management duties for the company on her public LinkedIn profile.
The attacker spoofs the CEO's e-mail (this is where BEC plays its part) and sends Mary an e-mail stating:
========================================================================
From: CEO@VictimCorp.com
Subject: Need to Wire Construction Deposit ASAP!
Hi Mary,
I need you to do me a favor while I'm on vacation. I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office. Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co. Please send ASAP!
Thanks,
CEO
PS: We are having a great time in Paris.
========================================================================
So do you want Vegas odds on whether or not Mary quickly wires the money without calling the CEO to verify the transaction?
Every day, small businesses and not-for-profits are being spear phished in a manner similar to the above scenario. And every day, a number of these organizations are robbed of millions of dollars.
Do you think your organization could fall for this?
Are your employees trained in how to spot these?
Do you have procedures in place to verify any unusual banking transactions?
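The scenario above hinges on two things a defender can act on: the From: address was spoofed, and nobody verified the wire request out of band before sending it. The following screen is an added example, not code from the original post. It takes the sample e-mail as written above (with Return-Path, Reply-To and Authentication-Results headers added as constructed values showing what a receiving mail server would typically record for a spoofed sender) alongside a constructed legitimate internal message, and flags the classic BEC indicators: an "internal" sender that fails DMARC, reply or bounce addresses pointing at a different domain, and payment instructions paired with urgency language. The organization's domain list is an assumption for the example.

```python
"""Heuristic BEC (Business Email Compromise) screen for inbound e-mail.

Added example, not part of the original post. Runs offline on two embedded
sample messages; the extra headers and the second message are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organization legitimately sends from (assumed for the example).
INTERNAL_DOMAINS = {"victimcorp.com"}

# Body/subject phrases that, combined, mark a wire-fraud lure. "ASAP", "wire",
# "routing number" and "account #" come straight from the sample e-mail.
URGENCY_TERMS = ("asap", "urgent", "immediately", "right away")
PAYMENT_TERMS = ("wire", "routing number", "account #", "deposit", "transfer")


def domain_of(addr):
    """Lower-cased domain part of a header address, or '' if none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def screen_message(raw):
    """Return (score, reasons). Each reason is one independent indicator; the
    score is simply their count so a caller can threshold on it."""
    msg = message_from_string(raw)
    reasons = []
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    bounce_domain = domain_of(msg.get("Return-Path"))

    # 1. Claims to be one of ours but sender authentication did not hold up.
    verdicts = auth_results(msg)
    if from_domain in INTERNAL_DOMAINS and verdicts.get("dmarc") == "fail":
        reasons.append("internal From: domain with DMARC fail")
    if from_domain in INTERNAL_DOMAINS and not verdicts:
        reasons.append("internal From: domain with no authentication results")

    # 2. Replies or bounces would go to a domain other than the visible sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From: domain")
    if bounce_domain and bounce_domain != from_domain:
        reasons.append(f"Return-Path domain {bounce_domain} differs from From: domain")

    # 3. Payment instructions delivered with pressure to act now.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        reasons.append("payment instructions combined with urgency language")

    return len(reasons), reasons


# The e-mail from the post. Return-Path, Reply-To and Authentication-Results
# are constructed to show what the receiving server records for a spoofed From:.
SPOOFED_MAIL = """\
Return-Path: <bounce@example.net>
Authentication-Results: mx.victimcorp.com; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=victimcorp.com
From: CEO@VictimCorp.com
Reply-To: ceo.victimcorp@example.net
Subject: Need to Wire Construction Deposit ASAP!

Hi Mary,
I need you to do me a favor while I'm on vacation. I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office. Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co. Please send ASAP!
Thanks,
CEO
PS: We are having a great time in Paris.
"""

# A constructed legitimate internal message that should pass clean.
LEGIT_MAIL = """\
Return-Path: <ceo@victimcorp.com>
Authentication-Results: mx.victimcorp.com; spf=pass smtp.mailfrom=victimcorp.com; dkim=pass header.d=victimcorp.com; dmarc=pass header.from=victimcorp.com
From: CEO@VictimCorp.com
Subject: Board meeting agenda

Hi Mary,
Attached is the agenda for next week's board meeting.
Thanks,
CEO
"""

if __name__ == "__main__":
    for label, mail in (("spoofed", SPOOFED_MAIL), ("legit", LEGIT_MAIL)):
        score, reasons = screen_message(mail)
        print(f"{label}: score={score}")
        for reason in reasons:
            print("  -", reason)
```

A score of 4 on the sample e-mail versus 0 on the clean one is the point: none of these checks needs the recipient to spot anything by eye, and a mail gateway that already evaluates DMARC can quarantine or at least banner "internal" senders that fail it. The third indicator is the one to pair with a procedure: any message that trips it should route the request to an out-of-band callback to a number already on file, never to a number or address in the e-mail itself.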
This is why security awareness training needs to be a key part of your overall information security program. A cyber criminal can steal thousands, possibly millions, or get your customer and employee data without ever having to crack a password, infect your systems with a virus, or bypass your firewalls. They can get your own employees to send them money or data using low tech methods that, I regret to say, have been very effective during 2017.
Be Secure in the new Year!