Cyberthieves today know that it’s better to be sneaky and crafty than forceful. To be even more blunt, they know that it’s better to trick you into doing their work than to break in and do it themselves.
That trickery starts with ever-more-subtle ways to get you to click on an email attachment. A recent attack used an employee accomplice who was to flag any meetings with multiple people and note who was presenting. Within 30 minutes of one meeting’s end, the crooks sent an email attachment to everyone on the original email thread, with fake headers so that it appeared to be from the presenter. The email said, “Sorry, everyone. Here is the updated version of the slides from our 2 PM meeting.” Even an especially security-conscious person could get pulled into clicking on that one.
But a lot of attacks go beyond email scams to include efforts to get employees to do high-risk activities — such as wiring corporate funds — instead of merely opening an attachment.
I recently spoke with Mark Fidel, who is co-founder and head of corporate development of New Mexico-based security firm RiskSense and someone who is a strict believer in rigid separation of security and financial duties as a breach-avoidance tactic. He pointed to a recent incident at his firm, where an attacker who had done his homework tried to trick the company’s CFO into making an unauthorized transfer of $20,000 to a bank account in Georgia. It would have worked, too, Fidel said, had not the politeness of the email raised his suspicions.
The email, supposedly from the CEO, ended, “Kindly email me back with a confirmation.” Said Fidel candidly: “Our CEO would never have said ‘kindly.’”
“Our CFO sent it to our office manager/bookkeeper. She can initiate, but I have to complete it,” Fidel said. “I read the email and said, ‘This has to be a scam, just knowing the CEO.’ If the CFO had authorization and capability, that is the bad guy’s success right there.”
Fidel was impressed, though, with how close the attacker came and how well planned the attack was. That CFO was a contracted officer and was not even listed on the company’s website. “The only place he’s listed is on LinkedIn. That’s where they probably pulled it. They correctly guessed the email format and they spoofed the right address. It was a pretty good effort.”
But Fidel’s defense was not based in his knowing his attacker’s tactics well. It was based on his knowing his colleagues well. He was sensitive to nuanced phrasing and other small details that flagged a potential imposter.
How often do you get an email or text from someone and have the sense that it doesn’t sound like him or her? If it’s an FYI update, fine. But what if it’s a request to forward a sensitive document or to take a specific action? Would you do it without checking? What if the message created a sense of urgency, perhaps saying, “I need this right away. The client meeting starts in five minutes. Stop everything and do it now!”
Welcome to the fraudster world. This gets even worse. Some people may not interact with senior management often enough to be able to detect a reasonably good fake. Indeed, the good thief will explicitly target people who won’t be able to detect a replica.
It may be true that one can have excessive security, but one can never have excessive paranoia and suspicions. Few bosses will get upset if you challenge their identities. Indeed, they should thank you.