Baby Boomers and Gen-Xers, you recall the early 2000s NBC game show Weakest Link, right? Millennials and Gen-Z, it’s worth a quick search on Google.
To recap: Contestants answered a series of questions that formed a chain. Each link in the chain resulted in more money being contributed to the prize pool. Participants broke the chain by answering a question incorrectly or opting to bank the money that was already in the chain. Meanwhile, acerbic British host Anne Robinson would demean contestants with a series of insults, including her famous dismissal, “You are the weakest link, goodbye.”
What’s this have to do with cybersecurity?
Like Robinson, cybercriminals have determined that you are the weakest link. Not you, specifically, but the collective you: a company's technology end-user base. The big data breaches grab the headlines, but savvy attackers know the path of least resistance runs through unsuspecting employees. They play on emotions and fears to elicit a quick response to a bogus email or phone call. And they know the best time of day and day of the week to strike.
If you think your company is immune to such attacks, think again. The Elliott Davis Cybersecurity practice constantly responds to incidents and data breaches at small- and medium-sized organizations. The strategy preferred by many of these perpetrators? Phishing. Even more specifically, spear phishing.
Simply put, spear phishing is a targeted, one-to-one phishing tactic. It can be used to steal data or credentials or to implant malware. Most attempts arrive by email, but direct messages on social media and even text messages are used as well.
Spear Phishing Attacks: Three Varieties
Every company has its fair share of spear-phishing horror stories. Even Google and Facebook were duped out of $100 million by a savvy hacker impersonating a computer parts vendor.
At Elliott Davis, we’ve worked with many clients who have previously suffered the damaging consequences of this favorite cybercriminal pastime. Education is empowering. Here are three common spear-phishing schemes that are extremely effective, but avoidable, if you know what to look for:
Bogus invoice scheme. This is veritably the left jab, right cross of the cybercriminal world: simple but effective. The FBI estimates companies in the United States have lost more than $3 billion to business email compromise (BEC) scams that leverage fake invoices. A whopping 96 percent of medium- and large-sized companies have been subject to these attacks.
Here is how it works: a fraudster breaks into the email account of an employee authorized to make financial transactions for Company X (frequently someone in payroll or accounting) and obtains a legitimate invoice. The fraudster then emails copies of that invoice to Company X's loyal clients and customers, indicating that Company X has new wire instructions. When the invoices are paid, the money goes directly into the criminal's account. Note that nothing about the invoice looks wrong to the recipient; it comes from the real mailbox and carries the real letterhead, and only the bank details have changed.
High-ranking executive scheme. Would you say “no” to your company’s CEO, CFO, CTO, or CMO? Or have the nerve to not return one of his or her emails? Exactly.
Cybercriminals prey upon the natural human tendency (whether it's respect or fear) to respond, and respond quickly, up the chain of command. They'll pose as a C-suite executive, sending an email from a "cousin" domain, a look-alike that differs from the company's real domain by a character or two, requesting (for example) a wire transfer or gift card purchase. And from there, well, you can likely guess how the story ends.
This strategy is so successful it even works on (wait for it) high-ranking executives. At Pathé Netherlands, the Dutch arm of the French cinema chain, crafty criminals made off with €19.2 million (more than $21 million) by sending the CEO and CFO sham emails requesting money transfers from an account that appeared to belong to Pathé's French parent company. When the cyber dust settled, the parent company fired both executives on the grounds that any "reasonable person would have known it was a scam."
Internal email account compromise scheme. Peer-to-peer schemes can be just as effective as top-down spear phishing, if not more so, because most people don't want to let their fellow employees down. Cybercriminals understand this bond, so they'll deploy various tools and methods to steal a vulnerable employee's username and password. From there, it's game on: wire transfer requests, pleas for charitable donations, the works, all sent from a genuine internal mailbox that no external-mail warning will flag.
Tips For a Sound Defense
Solutions for spear phishing can take on a variety of forms. Most medium- to large-sized companies offer basic training such as seminars or videos for end users. Others take it a step further by engaging consultants that engineer spear-phishing simulations to educate users in real-time about the “clues” they should pick up on to recognize a scam.
Most of the time, however, the technical controls fall to the information technology (IT) team. IT pros can require multifactor authentication for all external email access (very powerful, because both the bogus-invoice and internal-compromise schemes above depend on logging in with a stolen password), tag external email so employees can see at a glance that a message claiming to come from the CEO actually arrived from outside the company, and leverage general spam-filtering technologies that catch known-bad senders and look-alike domains.
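The external-mail tagging and cousin-domain checks described above, as an added example that is not part of the original article or any Elliott Davis tooling. The company domain examplecorp.com, the executive directory, the homoglyph table, and the four sample messages are all constructed for illustration; a real deployment would pull the directory from the identity provider and run this logic in the mail gateway rather than on raw strings.

```python
"""Flag external senders, look-alike ("cousin") domains, executive display-name
spoofing and Reply-To redirection in raw email headers.

Added example; examplecorp.com, EXECUTIVES and SAMPLES are constructed data.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"  # assumption: the protected company's domain

# Constructed directory: display name -> the only address it should arrive from.
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Single-character substitutions attackers use to build look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph tricks (examp1e -> example)."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances between labels signal a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_cousin_domain(domain: str, company: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    """True when `domain` is not the company's but is built to look like it."""
    if domain.lower() == company.lower():
        return False
    norm, company_norm = normalize(domain), normalize(company)
    if norm == company_norm:          # differs only by homoglyphs
        return True
    company_label = company_norm.split(".")[0]
    if company_label in norm:         # examplecorp.co, examplecorp-billing.net
        return True
    return levenshtein(norm.split(".")[0], company_label) <= max_distance


def analyze(raw_message: str) -> list:
    """Return the findings an external-mail tagger / gateway rule would raise."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []
    if sender_domain != COMPANY_DOMAIN:
        findings.append("EXTERNAL")           # what the "[EXTERNAL]" subject tag conveys
        if is_cousin_domain(sender_domain):
            findings.append("COUSIN_DOMAIN")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("EXEC_NAME_MISMATCH")  # executive's name, wrong mailbox
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("REPLY_TO_MISMATCH")   # replies are silently redirected
    return findings


# Constructed sample messages covering the three schemes in the article.
SAMPLES = {
    "legit_internal": "From: Jane Doe <jane.doe@examplecorp.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "cousin_exec": "From: Jane Doe <jane.doe@examp1ecorp.com>\nSubject: urgent wire\n\nPlease send today.\n",
    "reply_to_redirect": (
        "From: Accounts Payable <ap@examplecorp.com>\n"
        "Reply-To: ap@examplecorp-billing.net\n"
        "Subject: Updated remittance details\n\nNew wire instructions attached.\n"
    ),
    "legit_vendor": "From: Sales <sales@vendor-example.net>\nSubject: Renewal quote\n\nQuote attached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18} -> {analyze(raw) or ['clean']}")
```

The Reply-To check matters most for the bogus-invoice scheme: the message genuinely comes from the compromised internal mailbox, so neither the external tag nor the cousin-domain check fires, and the redirected reply address is the one header that still gives the fraud away.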
October is National Cybersecurity Awareness Month and the perfect time for everyone from the front lines to the executive suites to level up their cyber defense, even if it simply involves being hyper-vigilant and unapologetically suspicious. And if you're ever in doubt about a dubious email, don't hesitate to consult your company's IT department before you act on it.
Follow these steps and you’ll avoid being the weakest link. Goodbye.
Brian Kirk is the practice lead for the Cybersecurity division of Elliott Davis. He can be reached at firstname.lastname@example.org