5 Things You Need to Know About Spearphishing

Charles Killmer
Cybersecurity & Compliance, Financial IT, Healthcare IT

The FBI reports that Business Email Compromise (BEC) scams have cost companies over two billion in the past two years. Further, Aviva reports that after your company is breached, 60 percent of your customers will think about moving and 30 percent actually do. According to Intel, 97 percent of people around the world cannot identify a sophisticated phishing email.

The statistics speak for themselves – phishing is a dangerous and, unfortunately, very effective method of fraud.

There are several different types of phishing, but the focus of this post is specifically on spearphishing, a less-discussed but more effective type of phishing.

Here are five questions, along with their answers, that will help you and your organization be savvier to spearphishing attacks:

1. What is it?
Spearphishing is an email attack that targets specific individuals or organizations with the intent of gaining access to sensitive information, most often financial information. Spearphishing messages typically appear to come from a trusted colleague, many times a colleague in a position of authority requesting an action to be taken. This action often compromises the financial or trade secrets of the organization.

2. How is spearphishing different from phishing?
Whereas phishing is a broad attempt at hacking anyone and everyone, spearphishing is more targeted and calculated. A similar type of email attack to spearphishing is called “whaling,” which is an attack that targets executives, C-level officers and other authority figures with a large anticipated payout.

3. How do they do it?
Spearphishing attacks are very deliberate. Many times, hackers will spend weeks or sometimes months monitoring the way an executive communicates, nicknames she uses or key words and phrases she often uses. Then the hacker will pose as that executive and make requests to subordinates and mimic her communication patterns to come across as natural. Unfortunately, these types of phishing attempts are very successful.

4. Has Netgain seen successful spearphishing attacks?
Unfortunately, yes, we’ve had a handful of clients fall victim to spearphishing attacks in the last year. One particularly unfortunate event resulted in over $250,000 being wire-transferred to a fraudulent account. In this situation, the executive’s account was compromised. The hacker was able to log into the email web interface and read through the executive’s email history to better understand how to talk to the person authorized to make wire transfers, which in this case was the executive’s secretary. The hacker mimicked the executive’s email address, font choice and tone of voice well enough that the secretary did not question the request. Over the course of a month, a quarter of a million dollars was transferred to the fraudulent account. There is really no technical control or training that could have prevented this from occurring. The best option in this situation would have been for the secretary to call the executive and get verbal authorization for the wire transfers.

Internally, we’ve seen spearphishing attempts as well. For instance, in the screenshot below, you can see an example of a spearphishing attempt where hackers impersonated Netgain’s Founder, Scott Warzecha, and sent an email to our VP of Finance, Franco Cusipag, requesting a transfer of funds. Thankfully, Franco flagged this as a suspicious email and called Scott to verify the transfer. This verification, of course, confirmed that the email was fraudulent.

5. How can we protect ourselves?
While there is no way to prevent spearphishing attempts, you can be hypervigilant about a few things that will help protect you and your organization from falling victim to these attacks.

a. Train your employees! We cannot stress this enough. With the rate at which attacks and subsequent data breaches are happening, everyone should be trained, reminded, re-trained, updated and tested on the latest cybersecurity protocols.

b. Employ Data Loss Prevention (DLP). While DLP doesn’t guard against insider issues, it will ensure end users do not accidentally send sensitive or critical information outside the corporate network.

c. Set up dual approval requirements and transaction limits with your bank. This requires that two people review each transfer or transaction over a designated amount.

d. Enforce the use of complex passwords.

e. Review (and change if needed) your organization’s process on how to handle wire transfers. Wire transfer requests should always require a phone call; it’s easier to fake an email than a voice and phone number.
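The internal attempt described in question 4, where an outside sender impersonated the founder’s name to request a transfer, is the kind of message a mail gateway or SIEM rule can flag before it reaches the finance team. The following is an added example, not code from the original post or from Netgain: it checks an inbound message’s headers for a display name matching a protected executive sent from the wrong address, a sender domain that is a near-lookalike of the company domain, and a Reply-To that diverges from the From address. The company domain, executive names, addresses and sample messages are all constructed values.

```python
"""Flag inbound mail that impersonates a protected executive.

Added example (constructed values throughout). Three header checks that
need no human judgement:
  1. From display name matches a protected executive, but the address
     is not that executive's real address (display-name impersonation);
  2. sender domain is within a small edit distance of the company
     domain (lookalike domain);
  3. Reply-To differs from the From address (replies get diverted).
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # constructed
PROTECTED_EXECS = {  # normalized display name -> real address (constructed)
    "jane founder": "jane.founder@example-corp.com",
    "pat ceo": "pat.ceo@example-corp.com",
}


def normalize_name(name):
    """Lower-case and collapse whitespace so 'Jane  FOUNDER' matches."""
    return " ".join(name.lower().split())


def edit_distance(a, b):
    """Levenshtein distance; small values between domains mean 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(headers):
    """Return a list of reasons this message should be held for verification.

    `headers` is a dict of header name -> raw header value.
    """
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    key = normalize_name(name)
    if key in PROTECTED_EXECS and addr != PROTECTED_EXECS[key]:
        findings.append("display name matches protected executive but address differs")

    if (sender_domain and sender_domain != COMPANY_DOMAIN
            and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2):
        findings.append("sender domain is a lookalike of the company domain")

    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("Reply-To differs from From address")
    return findings


def hold_for_verification(headers):
    """True when any finding fires: route to the out-of-band phone check."""
    return bool(impersonation_findings(headers))


# Constructed sample messages (header subsets only).
SAMPLE_MESSAGES = [
    {"From": "Jane Founder <jane.founder@example-corp.com>"},                      # legitimate
    {"From": "Jane Founder <jane.founder@freemail-example.net>",
     "Reply-To": "jane.founder@freemail-example.net"},                             # name spoof
    {"From": "Jane Founder <jane.founder@exampie-corp.com>",
     "Reply-To": "accounts@exampie-corp.com"},                                     # lookalike + diversion
    {"From": "Vendor Billing <billing@vendor-example.org>",
     "Reply-To": "billing@vendor-example.org"},                                    # unrelated sender
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", impersonation_findings(msg) or "no findings")
```

Note what this does not catch: the client incident in question 4, where the executive’s real account was compromised, produces headers that pass every check above. That is exactly why the post pairs any technical control with a mandatory phone call for wire requests; the script’s role is to send the obvious impersonations to that verification step rather than to replace it.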

SANS Institute reports 95 percent of all attacks on enterprise networks are the result of successful spearphishing.

Phishing attacks are getting more and more difficult to detect as con artists continue to come up with new attack methods. Taking precautions and promoting paranoia in your organization is a great first step toward protecting your organization before it’s too late. If a request comes through that could possibly harm your organization, always err on the side of treating it as malicious and seek additional confirmation.