We’ve all seen those emails. You know, the ones that inform you of the contest you just won—which you never entered—and the ease with which you can claim your prize. Just send us your name, age, race, sex, social security number, hair color, and birth location and the prize is yours. As ridiculous as this seems now, there was a time when millions of internet users fell for these tricks. While people have wised up to these obvious phishing email scams, hackers have raised the bar of deception and are finding new ways to bait their victims.
The threat has now advanced to spoofing the email accounts of top company officials, sending emails with enough unique details and a sense of urgency to make the content plausible. For example, a financial executive with Mattel was recently scammed into sending $3 million to Chinese hackers. The email requesting the immediate large vendor payment appeared to be from the newly appointed CEO, and because Mattel requires two executive approvals for transferring funds, the unnamed financial executive felt confident she was following the right procedures for sending the money. Only when discussing the transaction later with the CEO did it become clear the request was a scam.
Hackers are becoming increasingly successful at manipulating their targets by researching company culture, social media and PR campaigns, and public websites to make their language more convincing. That research lets them target the exact employees responsible for managing payroll or company finances, and the time-sensitive requests sent from an executive’s spoofed email pressure those employees into skipping proper security measures or neglecting to double-check the requests.
These methods have duped employees at Snapchat, Grand Ole Opry parent company Ryman Hospitality Properties, and Proskauer Rose law firm just to name a few. In fact, these types of business email compromise scams, or BECs, are on the rise. According to the Phoenix Division of the Federal Bureau of Investigation (FBI), the FBI has seen a 270% increase in the number of victims since January 2015 to the tune of $2.3 billion in losses. From large corporations to small nonprofit organizations, all business types have reported victims.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.” —FBI
The best defense against phishing scams is employee education—both on your cybersecurity policies and ways to identify phishing scams. Here are some examples of what employees should look for:
- Email messages that seem to be from a legitimate source, but that ask them to enter, verify, or change their password.
- Email messages that request they click on a link that directs them to provide any sensitive information.
- Social media communications, even from a colleague, that urge them to check out “this cool link.”
- Messages with an urgent request for information or verification of sensitive business data.
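The indicators above, plus the spoofed-executive pattern from the Mattel case, can be turned into a simple triage check that a mail gateway or help desk could run before a message reaches payroll or finance. The script below is an added example written for this article, not code from the FBI or any vendor mentioned here; the company domain, executive name, authentication header and both sample messages are constructed, and a real deployment would read the executive list and domain from the organization’s directory.

```python
"""Triage incoming mail for the BEC indicators discussed above.

Example code added for this article (not from any vendor or agency); every
name, domain and message in this file is constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed company profile (hypothetical values).
COMPANY_DOMAIN = "example-toys.com"
EXECUTIVES = {"pat rivera": "pat.rivera@example-toys.com"}  # display name -> real address

URGENCY_TERMS = ("immediately", "urgent", "asap", "right away", "before end of day")
SENSITIVE_TERMS = ("wire transfer", "payment", "password", "verify your", "payroll", "w-2")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (t0ys vs toys)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for domains that resemble, but are not, the company domain."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    label, company_label = domain.split(".")[0], COMPANY_DOMAIN.split(".")[0]
    return company_label in label or edit_distance(domain, COMPANY_DOMAIN) <= 2


def triage(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Indicator: an executive's display name on an address that is not theirs.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append(f"display name '{from_name}' but address is {from_addr}")
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain {from_domain}")

    # Indicator: replies silently routed to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_domain}")

    # Indicator: mail claiming to be internal that failed the gateway's SPF/DMARC check.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == COMPANY_DOMAIN and ("dmarc=fail" in auth or "spf=fail" in auth):
        findings.append("internal From address failed SPF/DMARC")

    # Indicators from the body: urgency combined with a sensitive request, and
    # links pointing outside the company next to such a request.
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain").lower()
    urgency = [t for t in URGENCY_TERMS if t in body]
    sensitive = [t for t in SENSITIVE_TERMS if t in body]
    if urgency and sensitive:
        findings.append(f"urgent request touching sensitive data: {urgency + sensitive}")
    external_links = sorted({h.lower() for h in URL_RE.findall(body)
                             if not h.lower().endswith(COMPANY_DOMAIN)})
    if external_links and sensitive:
        findings.append(f"external link(s) next to a sensitive request: {external_links}")
    return findings


# Constructed sample messages: one spoofed executive request, one ordinary internal mail.
SPOOFED = """\
From: Pat Rivera <pat.rivera@example-t0ys.com>
Reply-To: pat.rivera@mail-relay-example.net
To: accounts.payable@example-toys.com
Subject: Vendor payment
Content-Type: text/plain

Hi, I need this wire transfer sent immediately to our new vendor before end of day.
I'm in meetings, so reply here rather than calling. Details: http://docs.mail-relay-example.net/invoice
"""

LEGIT = """\
From: Pat Rivera <pat.rivera@example-toys.com>
To: accounts.payable@example-toys.com
Subject: Q3 planning deck
Authentication-Results: mx.example-toys.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Hi, the planning deck is on the intranet at https://intranet.example-toys.com/q3 whenever you have a minute.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "->", triage(sample) or "no indicators")
```

The script is deliberately a triage aid rather than a verdict: it flags the spoofed sample on all five counts (executive name on a look-alike address, a Reply-To elsewhere, urgency plus a wire request, and an external link) and raises nothing on the ordinary message, but a flagged message still has to go through the out-of-band verification described next, and a clean result never replaces it.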
Encourage your workforce to question any suspicious communication they receive. Sending a new email to the supposed requester or picking up the phone to verify its authenticity takes little time but can save your company millions of dollars. In fact, many companies are now actively phishing their own employees as a means of both testing their cybersecurity defenses and training employees. That way, a culture of preparedness can be built and maintained without jeopardizing actual assets.