Phishing scams, or fraudulent emails used to acquire banking and personal information, are getting more sophisticated. General emails blasted to thousands of email addresses by a Nigerian Prince wanting to share $10,000,000 with you are still out there on the web, however other schemes are hitting closer to businesses.
Spear Phishing is a type fraudulent email that is directed towards a company and its employees. The scammers take great care in doing their research on the company organization and its employees. Think for a moment. Most companies allow, and in fact encourage, employees to create social media accounts to promote business and branding opportunities. Would a search of LinkedIn or your webpage provide information on your employees, your company, and institutional knowledge of management and operations? This type of information is extremely valuable in a Spear Phishing attack of your company. “Whaling” occurs when the target of the Phishing attack are employees at the executive level.
Eide Bailly LLP computer forensics have been engaged to trace several of these Spear Phish attacks where hundreds of thousands of dollars have been lost by companies and banks. Here is how some of the more recent schemes are performed.
Typically, someone working in a company’s finance department receives an email that appears to be from a high level executive of the company. The email signature is correct, the format and font are the same as the companies. The appropriate logos are also present. The email, usually proclaiming some urgency in paying an overdue invoice, or a need to transfer funds, directs the lower level employee to transfer a fixed amount of money via wire or bank transfer to a routing and account number provided by the Phishing email. The employee, believing the email is legitimate, performs the money transfer and replies back to the email that funds were sent.
The problem is the email never came from the company executive. Close inspection of the email address revealed a single character difference. As an example, eidebailly.com becomes eidebaily.com. The funds are now gone, and the likelihood of a Federal criminal investigation into the theft are minimal unless substantial funds are lost. That is why the Phishing scheme typically deals with amounts of money that would not normally raise concerns to the email recipient in payroll or finance.
Companies should review policies dealing with ordinary, and out of the norm, requests for the wire transfer of funds. Policies should include independent verification with the source of the request, either by company phone line or by initiating an email using the company directory email address. A reply to the original email would only go to the Phishing suspect.