Phishing cybercriminals are still out there… but now they are customizing the attacks!
Be on the lookout for customized Phishing emails! Cybercriminals have been taking the time to research your organization and craft customized emails to impersonate specific people to trick you into sending them money, credentials or identity information. These are called Spear Phishing emails, because they have a much more specific target: you.
These attacks are being directed to companies of all sizes and even individuals. The fraudulent email may claim to come from a colleague, a relative or a friend.
REMEMBER, the email system is NOT safe. You should never send sensitive or personal data to anyone. Even if the email request is actually from your boss, never send such information through an email.
What is Phishing?
Most companies will be well served to have a policy that no money above a small amount and no personal information should be transferred based on an email request.
Standard Phishing emails are usually broadly sent to every email address the attacker has, trying to trick the recipient with generic solicitations.
Spear Phishing attacks are targeted to specific people based on their roles at the company. It would probably take very little research on your website to determine which person(s) at your company has access to wiring money, and which person(s) has the authority to request the funds transfer.
I’m tied up in a meeting, so I can’t do this myself right now, but I need you to pay this attached time-sensitive invoice to cover some contract costs. My phone is off, so please confirm by email.
I’m between flights and my wallet was stolen. I need you to send me some money. Can you run out to the store and purchase Amazon gift cards and email me the scratch off numbers on the back? They got my phone, too, so don’t bother calling.
Shelly (VP of operations)
I need a PDF copy of ALL employee W-2s for the IRS ASAP!
George (Executive Director)
These emails are personal. They address you by name, and reference information only the purported sender would know, right? Like the fact that they are traveling now, or that you sometimes wire money to accounts, or that you have access to W-2s? But think about how much of that information may be available (or intuited) on your website, or by googling conferences that your organization belongs to.
Note the attempts to dissuade you from using the phone. Cybercriminals can’t re-direct your phone calls to themselves like they can with the emails. Confirming such requests by phone is a safe way to determine their validity.
But the email came from Julie’s email address
It is easy to spoof email addresses. Email in general was never designed to be that secure. Would you respond to such a request if it came in an envelope by the US Postal Service?
Note: it is also possible that Julie’s account *was* hacked, and that the email was not spoofed. Your response should probably be the same either way: confirm by phone before sending money or sensitive information.
But if I reply to the email, it will go to Julie, right?
No. If the email is spoofed correctly, then even though it looks like Julie’s address, it actually came from (and replies will be sent to) a fraudulent email address.
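One way to catch the two tricks just described (a spoofed internal-looking From address with replies routed elsewhere, and an executive's display name on an address that is not theirs) is to check the headers before anyone acts on the message. The script below is an added example, not part of this article; the internal domain, the executive list and the sample message are constructed placeholders.

```python
"""Flag reply-redirect and look-alike sender tricks in a raw email."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: your organisation's mail domain
# assumption: known executives and their real addresses (constructed)
EXECUTIVES = {"Shelly": "shelly@example.com", "George": "george@example.com"}

# Constructed sample in the style the article describes: looks like Shelly,
# but the Reply-To header quietly sends any answer to an outside mailbox.
SAMPLE = """\
From: Shelly <shelly@example.com>
Reply-To: Shelly <shelly.ops@mail-example.net>
Subject: Urgent - invoice
Date: Mon, 01 Jan 2024 09:00:00 +0000

I'm tied up in a meeting, please pay the attached invoice and confirm by email.
"""


def check_sender(raw: str) -> list[str]:
    """Return a list of warnings for the headers in `raw` (empty if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    warnings = []
    # Replies would leave the organisation: the spoof-and-redirect case.
    if reply_addr and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    # A known executive's name on an address that is not theirs.
    known = EXECUTIVES.get(from_name.split()[0]) if from_name else None
    if known and known.lower() != from_addr.lower():
        warnings.append(f"display name {from_name!r} but address {from_addr!r} is not {known!r}")
    # The sender domain merely resembles the real one.
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_domain:
        warnings.append(f"look-alike domain {from_domain!r}")
    return warnings


if __name__ == "__main__":
    for w in check_sender(SAMPLE):
        print("WARNING:", w)
```

A mail gateway rule or a help-desk triage script can apply the same three checks; any warning is a reason to confirm by phone, as the article advises.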
I’m too busy to check each and every email
Nobody is too busy to protect the data and finances that have been entrusted to them by the company that provides their paycheck. Security must be a fundamental part of everyone’s job description.
Why are they doing this?
Because it works. It costs them very little time to send out many customized emails. The return on their investment (when someone is not careful) is tremendous.
The email must be legitimate. How would a cyber criminal have known that James was flying somewhere?
a) Googling James may show that he does a lot of business in different States or countries, and therefore travels a lot.
b) Your website may post a calendar of events, showing your company’s attendance or hosting.
c) Or they may just be guessing.
What if James is really in trouble and lost his phone and wallet?
Call him despite the message’s dissuasion. If the email is fraudulent, then he should have his phone and he can pick up and expose the fraud. Discuss this eventuality now to come up with a policy to handle such a situation. Perhaps you could come up with a code word that James will include in any type of distress situation to prove his identity.
I know this email is a fake. What should I do with it?
The answer to this should be based on your company’s policy. The simplest answer is to ignore and delete it. A safer answer (for all employees) is to send a separate email to all employees stating that you received an email purportedly from Shelly asking for money. This puts everyone on alert that such an email may be going around. Please do NOT forward the fraudulent email to your colleagues. You CAN forward the email to HDF if you want to make us aware of it (if so, please add something to the subject line like “I think this is a Fraud”).
Oops! I already replied to it.
As long as you only replied with a plain text message and did not include any information of value, you are still safe. The cybercriminal will probably follow up with several emails to get you to respond again (since you already have). When they do so, please just ignore and delete them (or send a separate email to all of your colleagues as outlined above).
George gets angry if I don’t respond to his emails immediately
If that sets George off, think about how angry he’ll be if you send personal identity information or money to a cybercriminal. George will respect you for confirming the request by telephone first.
If you have questions about this, please let us know and we will be happy to assist you.