Spam emails that try to solicit personal information, known as phishing, are taking advantage of corporate servile culture with messages feigned to resemble that of a company CEO, addressed to the firm’s executives.
“Someone will spoof an email to the CFO or controller and it will purport to be from the CEO,” Christopher Novak, managing principal and security expert at Verizon Business told American Banker. “The email will say something like, we need to sponsor this event or pay this vendor, it’s urgent and I need you to wire $100,000 into this account immediately, we’re already 30 days late. Because it’s from the CEO, other staff will expedite the request.”
Andrew Valentine, a security expert and principal with Verizon Enterprise Solutions, said he has seen large number of cases in which a CEO gets an email that looks to be from the CFO, or a similar variation.
“Ninety-five percent of the cases originating from China start with just this kind of attack,” Valentine said. “It’s one of the reasons I hate the phrase ‘Advanced Persistent Threat,’ or APT. There’s nothing advanced about a phishing e-mail.”
In one instance at an engineering firm, Valentine said, an executive was the target of a phishing attack with an email addressed from the company CFO.
“The CFO’s name was spelled incorrectly, it was a Yahoo email address rather than an internal one, and you had to double-click on a zip file attachment,” Valentine said. “There were so many red flags that he shouldn’t open it, but people will click on phishing messages.”
But Valentine said phishing email victims are not necessarily “gullible. I think very smart and capable people fall for phishing attacks,” he said.
But when people receive a couple hundred emails in an eight-hour period or less, their level of scrutiny may decrease.
“In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?” Novak said, describing one example. “The CEO said, ‘What are you talking about?’ The blood drained out of the CFO’s face and he said he had to go. We’ve seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this.”
The recent spate of spear phishing attacks on financial services personnel demonstrates the increasing level of sophistication of identity thieves and the inevitability of individual and institutional compromise, said Adam Levin, co-founder and chairman of Identity Theft 911.
He says the “only intelligent way” to respond to such attacks is to design and implement more sophisticated security protocols.
“Companies should also step up training programs to help employees better spot potential fraud and to drill into them that under no circumstances should they provide any personal identifying information on any website or to any third party without corroboration from supervisors and/or trusted third parties,” Levin said. “As identity thieves count on moments of confusion or distraction, such as time pressures, no wire transfer or [automated clearing house] of any significant amount should be initiated without protocols requiring more than one authorization and a time frame longer than ‘right now.'”