Phishing and Spear-Phishing – If it didn’t work, they wouldn’t keep doing it …

February 26, 2019
Phishing attacks 2019: CEO Impersonations

Phishing isn’t really a new threat – it’s something that has existed in many forms since the very beginnings of commercial availability of e-mail. By all rights, it’s truly just an extension of social engineering – pretending to be someone or something that you’re not in order to gain unauthorized access to information or credentials or to thieve money or other currency. Considering that these types of attacks and these concepts have been prevalent for so long, why is it that threat actors continue to use them? What can be done to limit the efficacy of this type of attack?

Phishing Trend for 2019: CEO Impersonation

As mentioned, phishing attacks share much common ground with the typical social engineering attack. Let’s look at one of the most common types of low-effort attacks that were seen in very high numbers at the end of 2018 and the beginning of 2019: the “CEO Impersonation” style of phishing attack.

What is it?

In this case, a threat actor will target an employee (or group of employees) at an organization with an e-mail containing an “urgent request,” pretending to be a high level employee of the company and explaining that they are presently in a meeting, can’t return a phone call, and that they need the employee to either process a wire transfer or purchase gift cards as some kind of incentive or reward, and then provide all of the information about that purchase back to the threat actor. They will also generally ask that the employee not tell their coworkers about the request, as “it’s a surprise.”

Why does it work?

This is a common type of attack and, unfortunately, one that is fairly successful. The reason for its success comes down to three key points:

  1. The threat actor is impersonating a person in a position of high authority over the employee that they’ve targeted with the request. Employees could feel pressured to complete the request without realizing that what is being asked may be in violation of company policy or financial policy.
  2. The threat actor is creating a false sense of urgency in an effort to ensure that the recipient replies and reacts quickly, minimizing the available time for the targeted employee to realize that the request did not come from a legitimate party.
  3. The threat actor generally asks for a form of un-trackable, non-refundable currency or a one-way transfer of funds outside of company policy and explains the request as though they are going to give a “surprise award” to an employee. Depending on the company, the giving of gift cards to employees may be more or less common and may lend an additional sense of undue authenticity to the request.

When broken down to its elements, this type of attack truly boils down to someone pretending to be someone else and asking for something that they have no right to – and since we generally don’t allow ourselves to be taken by these types of scams in person, why is it that people will fall for them via e-mail?

The answer really is simple – the threat actor is attempting to create a sense of urgency and responsibility in the recipient by impersonating a high-level employee and expressing an immediate need. When the threat actor pretends that the gift cards are a surprise for another employee, they can be playing off of an inherent desire that an employee could have to be a part of another employee’s surprise. The psychology of why this type of phishing scam works is actually fairly detailed. Ultimately, the reason CEO Impersonation scams are so successful is that employees haven’t been trained about these types of attacks and have missed the warning signs.

Protect your company from phishing attacks

Take a closer look

These e-mails don’t come from high-effort spoofs – they generally don’t even fake the same domain as the person they’re targeting. While they might have the first and last names of the people they’re impersonating, they don’t go so far as to even have impersonated signatures. They generally come from throwaway domains like “CEOmail.net” or “SecureCEOServer.com.” A critical look at the e-mail or its headers would be a clear indication that the request was not legitimate. But, because of our impulsivity and desire to help, we often simply don’t take the time. That’s why this strategy remains one of the most popular (and unfortunately, one of the most successful) types of phishing attacks.
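The "critical look at the e-mail or its headers" described above can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original article: it flags a message whose display name matches an executive while the sending domain is outside the organization, whose Reply-To points at a different domain, or whose text combines the pressure cues listed earlier. The domain `corp.example`, the name "Jane Doe", the two-cue threshold and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this example: replace with your own domain and directory data.
ORG_DOMAINS = {"corp.example"}
EXECUTIVES = {"jane doe"}
# Pressure cues taken from the request pattern the article describes.
PRESSURE_TERMS = ("urgent", "in a meeting", "gift card", "wire transfer", "surprise")

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of warning codes for one RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    findings = []
    # Display name matches an executive, but the address is outside the org.
    if " ".join(name.lower().split()) in EXECUTIVES and _domain(addr) not in ORG_DOMAINS:
        findings.append("exec-name-external-domain")
    # Replies would go to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to-domain-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    subject = str(msg.get("Subject", ""))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    if sum(term in text for term in PRESSURE_TERMS) >= 2:
        findings.append("pressure-language")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <ceo@ceomail.example>\n"
    "Reply-To: jane.doe.office@mailbox.example\n"
    "To: alex@corp.example\n"
    "Subject: Urgent request\n"
    "\n"
    "I'm in a meeting and can't take calls. Buy five gift cards today and\n"
    "send me the codes. Keep it quiet, it's a surprise.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@corp.example>\n"
    "To: alex@corp.example\n"
    "Subject: Q1 budget review\n"
    "\n"
    "Agenda attached for Thursday. No action needed before then.\n"
)
```

A message that trips the first check is a good candidate for an external-sender banner or quarantine, since the display name is the only part most mail clients show by default.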

Train your employees

The most successful way to mitigate the threat of these attacks in your environment is to complete proactive security awareness training that includes targeted phishing testing. If you’re not doing this today, I strongly recommend that you make a plan to implement targeted training and testing. Additionally, it’s beneficial that your employees are aware of financial policy at your company. Make sure they know that no employee will ever e-mail them and ask them to violate company policy, even as an “urgent request.” Once you’ve effectively communicated that no one (not even the CEO) is above the policy and encouraged them to take the time to verify sender details, it strips away the false sense of urgency and allows them to more critically approach the request.

Like I said at the beginning, if these types of attacks didn’t work, threat actors wouldn’t spend the time or money to send thousands upon thousands of them out. With a little diligence and training, you can ensure that your users do not fall victim to these types of phishing attacks and you can enhance your protection over your financial assets and other credentials.

If you’re interested in implementing a security awareness and training regimen, phishing exercises, or similar, contact us. We can help you ensure these types of attacks against your users are unsuccessful.