Cyber-Attacks Get Personal

Cyber-gangs just keep getting craftier. A few years ago, all-purpose phishing attacks morphed into more targeted spear-phishing assaults.

Now, however, they’ve evolved (or perhaps devolved?) into impersonation attacks, which are sometimes called “whaling” because they attempt to harpoon the big fish in the enterprise. These spoofed messages—which typically request a wire transfer or sensitive data (such as employee Social Security numbers and other personal data)—are usually directed at CEOs, CFOs and HR executives.

Impersonation attacks are disturbingly effective. According to a just-released FBI alert, the losses to businesses from email scams totaled more than $2.3 billion from October 2013 to February 2016. Overall, there has been a 270 percent increase in victims and losses since January 2015.

The list of companies hit by these attacks reads like a Who’s Who of the business world: Mattel, MedStar Health, Seagate, Snapchat, Sprouts Farmers Markets and Weight Watchers International, to name a few. In fact, Mattel came perilously close to losing $3 million, according to news reports. The company had wired the sum to a bank in China and then discovered the request was fraudulent. It was saved only by the fact that it was a bank holiday in that country, and, as a result, it could cancel the transfer.

Impersonation emails can be tricky to spot. Increasingly, thieves mine social media and public sources—including sites such as LinkedIn—to gain details about executives. In some cases, they also may be lurking in IT systems and mining details they can use for attacks.

All of this helps cyber-criminals include details that appear very real. When those details are combined with a sender domain that closely matches the real one, there’s often an imperceptible difference between fake and real emails.

Safeguards Are Lacking in Many Companies 

Yet, the problems run far deeper. Many organizations lack critical safeguards and controls for wire transfers. Frequently, there’s no requirement for a second signature. What’s more, many companies lack monitoring and gateway analysis tools that would flag these spoofed messages for closer review.
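The kind of gateway check the article says many companies lack, applied to the lookalike-domain trick described above: an added example, not code from the article or any vendor, that scores message headers for a sender domain visually close to the organization’s own, an executive’s display name arriving from outside, a mismatched Reply-To, and urgent wire-transfer wording. The organization domain, executive names and sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample organisation data for this example (not from the article).
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane ceo", "john cfo"}            # display names the gateway protects
URGENT_WIRE = re.compile(r"\b(urgent|immediately|wire|transfer)\b", re.I)
# Character substitutions commonly seen in lookalike domains, folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Domain part of an address header, or '' when the header is absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def flag_message(msg: dict) -> list:
    """Return the review flags a gateway would attach to one message's headers."""
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = sender_domain(msg.get("From", ""))
    flags = []
    if from_dom and from_dom != ORG_DOMAIN:
        # Lookalike: identical after homoglyph folding, or within two edits of the real
        # domain. Legitimate partner domains that are this close need an allow-list.
        if fold(from_dom) == fold(ORG_DOMAIN) or edit_distance(from_dom, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        if name in EXECUTIVES:
            flags.append("exec-name-external-sender")
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if URGENT_WIRE.search(msg.get("Subject", "")):
        flags.append("urgent-wire-language")
    return flags

# Constructed sample headers: one impersonation attempt, one legitimate internal mail.
SAMPLES = [
    {"From": "Jane CEO <jane@examp1e-corp.com>",
     "Reply-To": "jane.ceo@mail-relay.example.net",
     "Subject": "Urgent: wire transfer needed before close of business"},
    {"From": "Jane CEO <jane@example-corp.com>", "Subject": "Board deck for Thursday"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["From"], "->", flag_message(m) or ["clean"])
```

Any message carrying a flag is held for the second-person verification the FBI recommends rather than delivered straight to the executive’s inbox.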

Amid all the chaos, one thing is clear: Organizations must get smarter and better at dealing with sophisticated social engineering assaults. Email is the attack vector for 74 percent of targeted attacks against the enterprise.

For now, the FBI suggests that organizations view urgent requests for wire transfers suspiciously and have employees pick up the phone to verify requests with business partners. In addition, enterprises should introduce multilevel authentication and approvals. Security experts also advise that it’s wise to run simulations inside an organization to help raise awareness and spot weak points.

Tom Landesman, security researcher at Cloudmark, adds that “Employees can play a key role in helping detect and reduce the impact of targeted spear-phishing attacks and business compromise emails. The ‘human factor’ can be surprisingly effective in detecting threats.”