The most typical spoofed phishing emails we are currently seeing are an attacker impersonating an executive/CEO and asking someone in accounts to perform a wire transfer, or alternatively requesting that they click a web link or open an attachment. An example of such an email could look like this:
From: Rudy Bosive (CEO) <firstname.lastname@example.org>
To: Claire Amtir (Senior Accounts) <claire@bankofengland.com>
Subject: Can you make this wire transfer for me?
We just closed on an acquisition of a new service but we’re trying to keep it quiet. Could you wire over £50,000 to them? The account number is below and we need to get this taken care of urgently today.
Sent from Outlook for iPhone
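The sample above shows the pattern a defender can check for before a human ever reads the message: an executive's display name on a message from an outside domain, a Reply-To that diverts the conversation, and payment/urgency wording. The following is an added example, not code from the original article; the executive list, the internal domain and the phrase list are assumptions for illustration.

```python
"""Flags the impersonation pattern in the sample email above (added example,
not part of the original article). KNOWN_EXECUTIVES, INTERNAL_DOMAIN and
PAYMENT_TERMS are assumed values for illustration."""
import re
from email import message_from_string

# Assumed: names staff would recognise as senior, and the organisation's own domain.
KNOWN_EXECUTIVES = {"rudy bosive"}
INTERNAL_DOMAIN = "bankofengland.com"
# Constructed list of phrases common in fraudulent payment requests.
PAYMENT_TERMS = ("wire", "transfer", "urgent", "keep it quiet", "today")


def split_address(header: str) -> tuple[str, str]:
    """Return (display name without any '(role)' suffix, address), both lower-cased."""
    m = re.match(r"\s*(.*?)\s*<([^>]+)>", header)
    display, addr = (m.group(1), m.group(2)) if m else ("", header.strip())
    return display.split("(")[0].strip().lower(), addr.strip().lower()


def analyse(raw: str) -> list[str]:
    """Return warning strings for a raw message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    name, addr = split_address(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []
    # Executive display name on a message that did not come from the internal domain.
    if name in KNOWN_EXECUTIVES and domain != INTERNAL_DOMAIN:
        warnings.append(f"display name '{name}' matches an executive but sender domain is '{domain}'")
    # Replies would go somewhere other than the apparent sender.
    _, reply_to = split_address(msg.get("Reply-To", ""))
    if reply_to and reply_to != addr:
        warnings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    # Two or more payment/urgency phrases across subject and body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in PAYMENT_TERMS if t in text]
    if len(hits) >= 2:
        warnings.append("payment/urgency wording: " + ", ".join(hits))
    return warnings


# The article's sample message, re-typed as a raw RFC 5322 string (constructed input).
SAMPLE = """From: Rudy Bosive (CEO) <firstname.lastname@example.org>
To: Claire Amtir (Senior Accounts) <claire@bankofengland.com>
Subject: Can you make this wire transfer for me?

We just closed on an acquisition of a new service but we're trying to keep it quiet.
Could you wire over 50,000 to them? We need to get this taken care of urgently today.
"""

if __name__ == "__main__":
    for w in analyse(SAMPLE):
        print("WARNING:", w)
```

Running the block on SAMPLE prints two warnings: the executive name with the external domain, and the five payment/urgency phrases.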
Although spoofing has been around for some time, its evolution and prevalence have become widespread since the introduction of cloud-hosted company email. Email security controls can help prevent this, but no security control is effective enough to resolve 100% of the problem. Because of this, companies and their employees need to work with their IT departments or third-party professionals on email security education.
It is important to understand that traditional security doesn't stop these attacks because they are so cleverly customised; as a result they are becoming more difficult to detect. An employee mistake can have severe consequences for the company. With stolen data, fraudsters can reveal sensitive information and cause reputational damage and financial loss. In addition, spear phishing attacks can deploy malware to hijack computers, organising them into enormous networks called botnets that can be used for denial of service attacks.
The human element is incredibly important, and as such many companies are now adopting employee phishing testing programs or implementing additional safeguards to combat this. One suggestion is the use of secondary authentication for money transfer requests, such as an authorising password or a follow-up telephone call for any email that requests a transfer. An additional suggestion is to NEVER reply to the email; examples have shown that attackers will correspond with their target to reinforce the belief that the original email is genuine.
Remember… the people perpetrating these frauds frequently research employees’ responsibilities so they know who to target, and often gather information to try to make the wire transfer request as believable as possible. For example, they may research the executive’s schedule using public information or by making inquiries of the executive’s assistant with the goal of sending the fraudulent emails when the executive is out of town and cannot be easily reached for verification.
A recently commissioned survey of 1000 UK office workers revealed the scale of phishing, with the following results:
- 27% of office workers do not know what phishing is
- Nearly 60% of office workers receive phishing emails at work every single day, and 6% receive more than 10 phishing emails every day
- More than one in five people admit to having been tricked by a phishing email into clicking a link or opening an attachment
- 78% of those surveyed think they have never fallen for a phishing email
- 29% do not report suspicious emails to their IT department
- 49% are more worried about being phished at home than at work