[BreachExchange] Businesses must teach their employees how to stop scams

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 13 17:58:44 EST 2017


http://opensources.info/whaling-and-other-phish-tales/

There are always bigger phish in the sea. And after a really successful
2016, this could be the year they will be circling our boats.

We’re talking about whaling, also known as CEO fraud, a new and very
successful high-stakes cyberscam that preys on a vulnerability every
business has, regardless of IT acumen or budget — human nature.

There are many variations of whaling, but here’s a common scenario: Jane, a
mid-level staffer in accounting, receives an email from the company CFO —
her boss’s boss. He directs her to provide him with a list of the Top 25
clients, including amount billed, name, address, phone number, and email
address. It’s urgent, as an unplanned partner’s meeting has been hastily
scheduled.

What does Jane do? Whalers know that most of the time, Jane will be pleased
that the CFO asked her to do this (or in a larger company, that he even
knew her name). Jane will most likely not want to appear confrontational or
difficult, so it’s unlikely she’ll go to her boss to check. And even less
likely to reach out to the CFO to confirm.

Jane does it. And, of course, the email is a scam: The email address, while
it appears real, is actually being redirected. And sensitive company and
client data is lost.

Another common technique is to set up an email domain that is similar to
the company you’re scamming. So if the CEO’s email is laura at mycompany.com,
the scammer would create an account for laura at mycornpany.com. The
substitution of two letters is likely to go unnoticed and appear real.

How big a bite is whaling taking? The FBI reported in April 2016 that U.S.
companies lost $2.3 billion from October 2013 through February 2016. During
that time, there were 17,642 victims. In one year, the FBI reported a 270
percent increase in whaling reports.There are several reasons why whaling
works: It’s personal in nature, the requests are often normal business
functions such as processing an invoice, making a wire transfer, or
producing a client report, and the language is customized to the receiver
and the message. There is no boilerplate: “Hi. I thought you’d find this
interesting” that we have been trained to be suspicious of.

The whaler’s emails may even ask how your weekend was or if you enjoyed the
holiday. And they will always be personalized to the receiver.

Software developers and cybersecurity specialists are working on tools to
help harpoon whaling efforts before they reach Jane, but there’s a problem.
Quarantining emails that use terms like W-2, or wire transfer, will trap a
lot of minnows in very large net.

As with most cybersecurity, a three-pronged defense is required. Hardware
and software working together to screen email for common risk elements and
quarantine those with a high number are two important elements, but they
will fail ultimately without the third: humanware.

Here are three things employees should be trained to know and to do. The
most vulnerable to whaling are those in accounting and finance departments,
but phishing attacks, which often end with ransomware demands, can start
with any chink in the armor, at any level of your company.

Identify where an email really comes from. Whaling emails are successful
because people really overlook the header. A quick glance at the “To” field
shows the name Laura Haight, which they know, so they continue on.
Employees need to know how to identify the actual email address, and be
trained to really look at it. Our minds often see what they expect to see,
which is why a simple substitution of a letter or two will go unnoticed in
a false-flag email address (also why we can’t catch typos).
Be skeptical, get confirmation. Whalers know that we avoid personal
contact, preferring a quick email to a phone call. We are also most likely
to email the sender back by hitting “Reply.” That email will go directly
back to the whaler. Instead, employees should be trained to ask for
confirmation by creating a new email and using the executive’s email in the
company email address book.
Follow procedures. Internal controls exist to protect you from yourself, as
well as from an embezzler or scammer. If a transfer over a certain amount
requires another signature, or a form, insist on getting it. If you get in
trouble for following a business rule, you need a new job.

Employees are every company’s most important line of defense. Few probably
feel that way. But when an employee does the right thing, companies need a
mechanism to thank or reward them. That will help build a culture that
encourages everyone to do the right thing.

Technology tools are definitely an asset. But no system will detect every
bad email. Eventually one will get through — and one is all it takes. Only
an empowered and trained employee can protect you from that.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170213/625263db/attachment.html>


More information about the BreachExchange mailing list