One of the most popular – and costly – cyber security threats that businesses face today is the spear phishing attack. If you are a C-level executive, then you’ve likely seen them: fake emails that impersonate one of the execs in your company, asking you to send money.
How executive impersonation works
Also known as spoofed emails, these messages look just like an authentic email (with your company logo and email signature) and carry a real-looking display name, but they are really from someone else.
What most people don’t realize is that these emails involve no hacking at all. The impersonators gather everything they need simply by browsing the Internet. It’s easy for them to mine publicly accessible social media networks like LinkedIn to find out all they need to know about you, your co-workers and the executives in your business. Then the bad guys simply set up a fake email account that looks legit.
If you haven’t seen these emails yet, here’s what happens. Your bookkeeper, VP of accounting or CFO (someone who controls or has access to corporate funds) receives an email (or a series of emails) from “the CEO” stating that he/she is opening an account with a new vendor in the supply chain, and they need money transferred as a deposit. This supposed new vendor is overseas (making the activity and account hard to trace), and the impersonator requests that the recipient wire the money by the next day – as in most good sales pitches, there is a call to action with a deadline.
The unsuspecting financial person then wires money without even verifying the request because they believe the request came from their top exec; by the time they realize they’ve been duped, the money is gone.
The more sophisticated criminals take their time and lead people on with a series of emails that set up the crime by talking about the upcoming business deal, sharing information about the overseas transaction, and alerting the recipient that as soon as the deal is signed, the money will be needed right away. It’s a nefarious scheme and many people across the country are being set up for the big cyber sting.
Another version of this spear phishing attack comes when the bad guys pose as IRS agents, payroll or insurance auditors, and ask your HR person to send W-2 forms. This problem became very noticeable during the 2016 tax season, and it enabled the bad guys to file fake tax returns and steal identities (read about it here).
How you can protect your business
There are three things you can do to protect your organization from malicious executive impersonation emails.
- Talk to your IT services partner about the available countermeasures that will greatly reduce the number of malicious emails you receive. Remember, these emails usually don’t look or act like spam, so anti-spam software won’t pick them up.
- Implement a training program that teaches your employees, from the top down, to recognize and avoid these spoofs. Your users are the weakest link in this cyber fraud scheme and they should be trained on what to watch for in any incoming email: from what it looks like to what it says.
- Require that all wire transfer requests be confirmed outside of email. A good rule of thumb for everybody in your organization is to trust but verify. If anyone receives a suspicious email that asks them to do something (such as send money), verify it by phone or in person (not by email) with a call to the actual person, your IT department or your IT service partner.
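The display-name trick described above (an executive’s name on the From line, but an address the company does not control) is exactly the kind of thing a plain spam filter ignores and a mail-flow rule can catch. The following is an added example, not code from the original post or from IND Corporation: it parses the From header of an inbound message, flags a match against a roster of executive names whose address is outside the corporate domain, and, going one step beyond the post, also flags a Reply-To that differs from the From address, since the scammer needs replies to land in a mailbox they control. The executive roster, the domain `example.com` and the two sample messages are all constructed for illustration.

```python
# Added example (not from the original post): flag inbound mail whose From
# display name matches one of your executives but whose address is not on
# the corporate domain -- the display-name spoof the post describes.
# The roster, corporate domain and sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example.com"                      # assumption
EXECUTIVES = {"Jane Doe": "jane.doe@example.com",     # constructed roster
              "John Roe": "john.roe@example.com"}


def _normalize(name):
    """Lower-case, drop punctuation and sort the tokens so that
    'Doe, Jane', 'JANE  DOE' and 'Jane Doe' all compare equal."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


_EXEC_KEYS = {_normalize(n): n for n in EXECUTIVES}


def check_message(raw):
    """Return the list of impersonation indicators that fired for one
    RFC 5322 message; an empty list means nothing looked wrong."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # Indicator 1: executive's name on the From line, external address.
    exec_name = _EXEC_KEYS.get(_normalize(display))
    if exec_name and domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{display}' matches executive "
                       f"{exec_name} but sender domain is '{domain}'")

    # Indicator 2: Reply-To steers answers to a different mailbox
    # (a common companion to the spoof; not discussed in the post).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    return reasons


# Constructed sample messages.
SPOOF = """From: "JANE DOE" <jane.doe.ceo@example.net>
Reply-To: payments.desk@example.net
To: bookkeeper@example.com
Subject: Urgent wire for new vendor

Please wire the deposit to the new overseas vendor by tomorrow.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bookkeeper@example.com
Subject: Q3 numbers

Can you send me the Q3 summary?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no indicators"])
```

In practice a rule like this would quarantine the message or prepend a visible banner rather than block outright, and the roster would be fed from your directory instead of a hand-written dictionary; the check itself is cheap enough to run on every inbound message.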
At IND Corporation, we offer employee training around phishing and spoofing scams that helps to greatly reduce corporate risk from malicious emails that install viruses and ransomware and steal funds and identities. After the initial training, we send fake emails to your users that look just like the ones real criminals are sending. If a recipient clicks on one of those messages, the system automatically pops up a warning and sends that user to more training videos showing what they did wrong. Thanks to continual training, this reduces the rate of taking the click bait from as high as 20% of the time to as low as 2%.
Want to ward off executive impersonation and beef up your cyber security? Contact us to discuss your business computing and managed IT service needs. We’re located in northern New Jersey and serve companies throughout the state.