Spearphishing – A Corporate Path to Financial Ruin
Spearphishing is, as the name implies, a form of phishing. As most of you know, phishing is where you get a random email from your bank, your credit card company, or even the government requesting that you enter personal information into a legitimate-looking web site. The scammer is “phishing” for your information. However, that innocent-looking website is connected to a scammer, and before you know it your bank accounts are cleaned out and your personal information is compromised. Spearphishing is a focused attack vector where scammers send targeted emails to a company’s employees with a forged header that makes the email appear to originate from a person of importance, such as a V-Level or C-Level executive. Unlike with your traditional email virus or worm, anti-virus software is of little help with respect to phishing or spearphishing. Anti-spam filtering can help, but many times spam filters are set to allow an organization’s emails through without checking.
In more organizations than not, the culture is based upon employee fear, so nobody ever questions an executive request. When an executive says “Jump!” everyone is expected to just jump. It’s this type of dangerous corporate culture which breeds the spearphish and allows it to be successful so often. A spearphish is accomplished by a scammer emailing an employee of a firm, usually someone known to be in the accounting or middle management areas who has spending and purchase order processing capability. The scammer uses the email address and name of a known C-Level or V-Level executive in the “From:” field, and the text of the email usually requests that financial information be sent to a third party in order to satisfy an invoice, pay an outstanding bill, send a wire transfer, or issue a purchase order to a “new vendor”. The employee then, without checking with the executive who “wrote” the email because after all nobody questions the CEO, sends the requested information to the scammer. The scammer then has whatever financial information is needed to either collect on a large invoice or withdraw funds through a forged wire transfer.
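A mail gateway or mailbox rule can flag the forged “From:” pattern described above before an employee acts on it. The following Python is an added example, not from the original article; the domain `example.com`, the executive name, the keyword list, the sample messages, and the assumption that the receiving gateway stamps an `Authentication-Results` header are all hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, hypothetical values: corporate domain, executive directory, keyword list.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}
FINANCE_TERMS = re.compile(r"wire transfer|invoice|purchase order|new vendor|w-2|payroll|routing", re.I)

def spearphish_flags(raw):
    """Return reasons a message should be verified in person or by phone."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = " ".join(name.lower().split()), addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    # An executive's display name on an address that is not the executive's own.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        flags.append("exec-name-on-other-address")
    # Own-domain mail is not allow-listed: require the gateway's DMARC pass (assumed header).
    if domain == CORP_DOMAIN:
        auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
        if "dmarc=pass" not in auth:
            flags.append("own-domain-unauthenticated")
    # Replies steered to a domain other than the visible sender's.
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply.rpartition("@")[2] != domain:
        flags.append("reply-to-domain-mismatch")
    # A money or payroll request only matters once the sender looks doubtful.
    body = "" if msg.is_multipart() else msg.get_payload()
    if flags and FINANCE_TERMS.search(f"{msg.get('Subject', '')}\n{body}"):
        flags.append("financial-request")
    return flags

def make_sample(sender, subject, *extra):
    # Builds a constructed message for the demonstration; not real mail.
    return "\n".join([f"From: {sender}", "To: ap@example.com",
                      f"Subject: {subject}", *extra, "", "Please handle today."])

SPOOFED = make_sample('"Pat Morgan" <pat.morgan@example.com>', "Urgent wire transfer",
                      "Reply-To: pat.morgan@mail-example.net",
                      "Authentication-Results: mx.example.com; dmarc=fail")
LOOKALIKE = make_sample("Pat Morgan <pat.morgan@examp1e.com>", "W-2 records needed")
LEGIT = make_sample("Pat Morgan <pat.morgan@example.com>", "Invoice approval",
                    "Authentication-Results: mx.example.com; dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, spearphish_flags(raw))
```

A non-empty result is a prompt for the in-person or phone verification discussed in this article, not a verdict that the message is fraudulent.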
Recently, a local restaurant chain was hit by a spearphish impersonating the CEO and a payroll specialist sent the IRS W-2 tax records complete with names, social security numbers, and income information for all employees to a scammer.
Spearphishing is becoming more sophisticated as scammers can access corporate records and registrations through Secretary of State databases, social media such as LinkedIn, and unscrupulous access to corporate credit sources such as Dun & Bradstreet. By piecing together data from such sources, one can gain knowledge of the corporate structure and determine whom to target in a spearphish email.
Defending your company against the spearphish requires due diligence when receiving an email from a V-Level or C-Level requesting or demanding actions that could involve financial transactions. Employees should never be afraid to ask a V- or C-Level for personal verification of such emails, in person or via voice phone, no matter how legitimate the email might appear. A skilled spearphisher can be quite convincing; it’s no longer the badly broken English that was common with the known Nigerian 419 scams.
There are a couple of methods – one technical, one not so technical – that can be implemented to prevent spearphishing. One is the implementation of digital certificates to “sign” emails. It’s rather clumsy to implement in Outlook, and it depends upon employees who receive emails checking the digital certificate when accepting and reading the email. Implementing email certificates on a mobile device is kludgy at best right now.
Another method is essentially a form of the “sign/countersign” seen in a lot of old spy movies and on the 1960s TV show “Get Smart”. The executive would establish a “phrase” with the employees who have fiduciary responsibility. The employees would understand that financial actions require that phrase to be included within the email. The employee would then confirm with the executive using an agreed-upon counterphrase.
Of course, a corporate culture and environment where employees can converse with V- and C-Levels without fear of retribution when questioning a task or request goes a long way in preventing spearphishing. Going to the CEO with a printout of the email or replying to the CEO with a simple “Are you sure about this? It looks suspicious” can prevent situations such as that of the local restaurant chain, which is now facing all sorts of liability and possible legal actions by employees whose personal data is now in the hands of thieves.
And yes, IDSolutions sees multiple emails claiming to be from our CEO asking for wire transfers, bank routing information, payroll information, and other sensitive information. Thankfully, nobody from our teams has fallen for their tricks yet.