Page 24 - CRF News 1Q 2018

Is there an Impostor in your Email? Understanding Phishing and Preventing a Breach — What Executives Need to Know
By: Dan Maier, Vice President of Marketing, Cyren
In our digital age, where financial transactions are easily conducted online via email and mobile devices, we need to be wary of dangerous scenarios that can wreak havoc on our business in a matter of moments. The ability to digitally send and receive invoices, settle accounts, access credit cards, review banking accounts and more is no longer novel. In fact, it’s expected – both at home and in the workplace. Email and the internet have given us the tools to be always on, always connected and hyper-responsive. If an executive or CEO sends a request to an employee via email, employees are typically quick to respond and take action – and, when they do, they are considered conscientious. Email is how work gets done – and we all want to move at the speed of the internet, right?
Hackers are taking advantage of this real-time and responsive attitude to trick financial personnel into transferring funds or disclosing financial data. When it comes to impostor email, a relatively new and insidious form of email phishing, that is exactly the problem. The ubiquity of working online means that our defenses have gone down – while the sophistication of cybercrime has gone up. Way up. And the speed of these attacks is what makes them most effective. According to a 2017 report issued by Aberdeen, phishing attackers hook 100% of their victims within the first 24 hours.
For executives and managers in financial roles, the job is that much more difficult – because employees and contractors are specifically targeted, and your teams are typically distributed. In fact, your team may be targeted right now.
But there are steps that can be taken today to help reduce your risk – and it starts with understanding the challenge.
Fundamentals of Phishing
Phishing is not new. In fact, the term was coined 21 years ago and it’s now coming of age right alongside the youngest millennials, meaning some of your employees have grown up in the era of phishing. In the dictionary, phishing is defined as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” While this premise has remained essentially the same over the years, the technology and tactics have evolved greatly.
Traditional phishing practices, which got their start in the mid-1990s, employed “spray and pray” tactics, with attacks that attempted to steal passwords, credentials or other sensitive files or data. Nigerian fee fraud is a classic example – whereby a large inheritance can only be collected if the recipient can wire a smaller sum of money. These “blasts” were historically wide and untargeted. And yet, while the lucky hits for fraudsters were infrequent, the tactic was cheap and easy, and payoff happened just enough to make the practice financially rewarding for the perpetrators. These tactics obviously continue today, but the success rate is far, far lower.
In the early 2000s, many phishers began to focus on online payment systems. Phishers took the bold step of creating “spoofed” websites that looked like legitimate eBay and PayPal websites (and later, Google Drive and Dropbox). Their goal was to steal log-in credentials – which could be used to clean out financial accounts or steal account credentials for use in other phishing campaigns. As this approach became less and less effective, cybercriminals “enhanced” their technology and planned for large-scale attacks, incorporating malware – or “malicious software” – as the second stage of attack. Embedded in an attached document or website link, clicking on either would launch the malware on the user’s computer or device to collect their keystrokes and credentials.
This constant innovation has led to a new phishing attack that is strikingly effective because it is simple and sophisticated – and hard to detect. Impostor email attacks, also known as Business Email Compromise (BEC) or CEO Fraud attacks, are highly targeted, as perpetrators work to engage with employees in or around finance departments or financially related roles. Employees like yours.
©2018 Credit Research Foundation