It’s an all-too-common story: A low- or mid-level functionary in a company gets an email from the CEO instructing them to make a wire transfer from the company account. Not long afterwards, it is discovered that the email was a fake and funds are missing.
This is a simple yet surprisingly effective example of a Business Email Compromise strategy, a highly targeted form of phishing. It uses social engineering tactics to learn enough about a specific employee to trick them into allowing access to, or turning over valuable information or resources.
Phishing incidents like the one above are incredibly commonplace, accounting for an average financial loss of $1.6 million per breach, reports Infosecurity Magazine. Some attacks can cost upwards of $10 million.
Cybersecurity's Weakest Link
According to Info Security Magazine, as much as 91% of companies surveyed have experienced a phishing attack. The overwhelming majority of cyberattacks start with a fake email. No matter how secure your company's defense may be, humans are the weakest link in your security chain. Phishing takes a variety of forms:
Deceptive Phishing—Receiving a message that appears to be from a genuine, trusted source, asking for personal information or log-in credentials.
Spear Phishing—Using personal information about the receiver to make their fake email more convincing.
CEO Fraud—The above-described scenario when a phisher impersonates a company executive.
Pharming—When phishers ask for sensitive information using an imposter website domain name.
Dropbox Phishing—Scams that ask users to validate accounts or download shared documents from what appear to trusted sources on Dropbox
Google Docs Phishing—A sophisticated trap that uses a fake page loaded on Google Drive to fool victims into downloading malware.
One of the most effective ways to mitigate risk is to train employees. Teach them to be on the lookout for suspicious behavior. Other tips on how not to get hooked include:
Double Check—Cyber criminals impersonating your CEO use that person's authority to intimidate lower-level employees. Instruct employees to double-check suspicious requests by phone. Remind them that the boss will be more upset by a several million-dollar loss than by a few extra phone calls.
Use Two-Factor Authentication—Two-factor authentication forces employees and executives to use secret information to prove their identity.
Minimize Trusted Connections—Whenever you have a trusted connection between two devices or individuals, ask why that connection is trustworthy and what would happen if one part is compromised.
Planning For Damage Control
Even with these security measures, it’s critical to remember that people make mistakes. Anti-spam and antivirus technology can be an effective perimeter defense against some forms of spear phishing; but reliable security requires you to take a holistic view of what happens in, out and across your network environment.
To this end, we recommend the approach offered by our cybersecurity technology partner, Fortinet, which involves implementing a tightly woven fabric of security to improve the interoperability of multiple technologies, and enables all to be managed from a common interface. Read more about our approach to security.