Spear Phishing: A New Take On An Old Classic

We recently met with a local company near Portland, ME that suspected its email had been exploited. The finance manager had received an email from the President requesting a wire transfer to pay an invoice totaling upwards of $20,000.

While the timing was a little unexpected, the request wasn't far from business as usual.

The email looked real to her and, at first glance, it was very difficult to identify that it was not from him. Fortunately, in this case, the attack failed simply because she did not have banking authority to make the transfer and therefore an internal conversation ensued.

With a little digging, we found it was a classic phishing scheme by an outside attacker, this time looking to lure an unsuspecting employee into doing something for their manager.

With just a little research on a company's website, there's often enough detail to impersonate real personnel and generate seemingly meaningful dialogue.

Names, titles, and emails are often presented publicly on company websites, marketing materials, press releases and more. This makes it relatively easy for a bad actor to craft a legitimate-looking email with real facts and details.

Attackers commonly spoof (i.e. impersonate) emails to make them look like they are coming directly from the real source, which often makes the forgery pretty difficult to identify. In this case, the attacker even followed up with another email hours later asking if the transfer was complete.

Be careful! There are actual humans on the other side who will carry on a conversation until they get shut down or, even worse, get what they want.

There has been a dramatic increase lately in these one-to-one phishing scenarios, something now commonly known as Spear Phishing. These kinds of communications often include requests that vary from asking for a wire transfer to HR requesting W-2 or driver's license information from employees. And they're often sent with a sense of urgency because the bad guys want to get in and out as fast as they can.

Identifying these types of emails takes training and skill that all employees in a business need to learn. If an employee clicks a link or downloads a document, they put your business at risk by potentially bringing malware into the network.

It's critical your cybersecurity program focuses on developing a CyberSmart culture, one where everyone knows to clarify and verify before launching a link or attachment.

Be sure to have all team members trained on requesting verification from the sender when sensitive or confidential-looking items are being requested. Teach them to ask themselves "Am I expecting this email?" and what to do if the answer is "No."

Remember: Cybersecurity isn't a project, it's a posture.

Stay Safe,
Your Friends @ Launch Security