
Plenty of Phish In the C-Suite: Email Attacks Are Everywhere

October 23, 2018

Kevin Ricci, CISA, MCSE, CRISC, QSA


Those poor, overworked cybercriminals of yesteryear had it so much tougher than today’s generation! To be successful at their sinister occupation, cybercriminals used to spend long days and nights in their shadowy lairs, slowly hacking their way through firewalls and intrusion detection systems to steal our data. Somewhere along the line, however, some particularly evil (but admittedly efficient) cybercriminal had an epiphany: why not trick the victims into doing the heavy lifting in order to make the theft that much easier? Before long, the insidious plan began paying tremendous dividends: a huge uptick in stolen data and clandestine network access with just a fraction of the effort required by their criminal predecessors. An added benefit of this new approach was a vastly improved work-life balance, allowing the evildoers more time to unwind and relax after a long week of ruining lives.

When cybercriminals trick victims into compromising their own data, it is a type of social engineering. One of the more popular varieties of social engineering is known as ‘spear phishing’, which involves criminals sending email that appears to originate from a trusted source - the CEO, our bank, or a member of our IT department. Within this email is a request from the sender to open an attachment, click a link, or provide sensitive information. Once we take the bait and do the sender’s bidding, that’s where the fun begins. It is estimated that over 90% of data breaches can be attributed to spear phishing attacks, which suggests that this successful, albeit nefarious, tactic isn’t going away any time soon.

Here are just a few examples of the consequences of a spear phishing attack:

  • Ransomware Nightmare: Spear phishing emails appear to come from someone we trust, so we are more willing to click a link, or open that attached PDF or Word document, without much hesitation. Our seemingly benign act can trigger a malware payload to be deployed – a virus’ version of a ‘wild night on the town’. One of the more prevalent types of malware is ransomware, which encrypts (i.e. locks) the recipient’s computer and anything it is attached to, such as the company’s file server. The encrypted data is virtually unbreakable, rendering files permanently inaccessible. To regain access to your files, you’ll either need to erase everything and try to restore from backups, or pay the attackers a sizable ransom - typically several thousand dollars’ worth of Bitcoin.
  • Gone Whaling: Victims of a spear phishing attack, particularly those in Finance, can be tricked into making a wire transfer or turning over sensitive information, such as the company’s W‐2 tax data (rife with sensitive information). A subtype of spear phishing attack, known as “whaling”, involves the CFO (or some other high-ranking member of Finance) receiving a request from a cybercriminal posing as the CEO. The email asks the CFO to send data, or complete a wire transfer, to a company that is actually a front set up by the attacker. This type of attack has racked up billions of dollars from victims across the world, and doesn’t appear to be slowing down any time soon.
  • Identity Crisis: Cybercriminals use spear phishing campaigns to obtain our login credentials. Posing as our IT consultant, the criminals request that we change our passwords by entering our current and new passwords into a website that appears legitimate. Once we’ve been tricked into volunteering our user name and password, the attacker can then remotely gain access to sensitive information stored in our cloud applications or network resources. Making matters worse, our compromised email accounts can also be utilized by the attacker to wage a new round of attacks on our contacts.

So how do we avoid becoming the next data security headline, joining the ever‐increasing ranks of victims that have fallen prey to a spear phishing attack? Here are some helpful best practices.

Email best practices

Tightening email and web filters, geo-blocking high-risk countries that you aren’t doing business with, keeping applications and systems patched, ensuring antivirus definitions are constantly updated, and monitoring firewalls, logs, and intrusion detection systems for suspicious activity are just some of the ways you can reduce your chances of becoming a spear phishing victim. However, since even the best security solutions in the world won’t defend against every well‐designed spear phishing attack, it is imperative that education also be part of every company’s cybersecurity strategy.
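As an added illustration of what "tightening email filters" can mean for the whaling scenario described above (a message that borrows an executive's name), here is a small inbound-mail check. This is example code written for this article, not a product or a rule from the author; the executive list, the internal domain, the `X-Origin` header (assumed to be set by the mail gateway) and the sample messages are all constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Constructed: executives whose names a whaling email is likely to borrow.
EXECUTIVES = {"pat morgan": "pat.morgan@example.com"}
INTERNAL_DOMAIN = "example.com"
# Constructed: digits commonly swapped for letters in look-alike domains.
_HOMOGLYPHS = str.maketrans("01", "ol")

def _squash(domain: str) -> str:
    """Normalise a domain so that look-alikes such as examp1e.com compare equal."""
    return re.sub(r"[^a-z]", "", domain.lower().translate(_HOMOGLYPHS))

def impersonation_findings(headers: dict) -> list:
    """Return reasons an inbound message resembles executive impersonation (empty if none)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    name_key = re.sub(r"\s+", " ", name).strip().lower()
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. Display name belongs to an executive, but the address is not their real one.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    # 2. From claims our own domain, yet the gateway marked the message as external
    #    (a stand-in for an SPF/DMARC-style origin check; X-Origin is an assumed header).
    if domain == INTERNAL_DOMAIN and headers.get("X-Origin", "").lower() == "external":
        findings.append("internal domain in From but message arrived from an external source")
    # 3. Reply-To diverts the conversation to a different mailbox than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Sender domain is a look-alike of our own domain.
    if domain and domain != INTERNAL_DOMAIN and _squash(domain) == _squash(INTERNAL_DOMAIN):
        findings.append(f"look-alike domain {domain}")
    return findings

# Constructed sample messages: one whaling attempt, one spoof of our own domain, one legitimate.
WHALING_SAMPLE = {"From": "Pat Morgan <pat.morgan@examp1e.com>",
                  "Reply-To": "ceo.private@mail.example.net",
                  "X-Origin": "external", "Subject": "Urgent wire transfer"}
SPOOFED_SAMPLE = {"From": "Pat Morgan <pat.morgan@example.com>",
                  "X-Origin": "external", "Subject": "Need the W-2 data today"}
LEGIT_SAMPLE = {"From": "Pat Morgan <pat.morgan@example.com>",
                "X-Origin": "internal", "Subject": "Board deck"}

if __name__ == "__main__":
    for msg in (WHALING_SAMPLE, SPOOFED_SAMPLE, LEGIT_SAMPLE):
        print(msg["Subject"], "->", impersonation_findings(msg) or ["no findings"])
```

A message with any finding would be quarantined or tagged for review rather than delivered as-is; the legitimate sample produces no findings.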

Training your staff

Since spear phishing attacks prey on unsuspecting recipients who are unaware of a potential threat, education can increase your staff’s ability to identify attacks - transforming your users from the weakest link in the security chain into a virtual human firewall. One key concept that needs to be reinforced in training is that users should consider the legitimacy of any email requesting sensitive information, or asking them to click a link or open a file. If the user is not absolutely certain that the request is legitimate, they need to contact the sender by phone or via a separate email chain for confirmation. A good strategy to reduce the likelihood of users falling prey to a spear phishing attack is to periodically conduct a simulated spear phishing attack to identify users that may require additional awareness training.

In terms of frequency, every user should receive cybersecurity training at least once a year. In addition to a mandatory annual training, every new hire should receive cybersecurity best practices training before being assigned a computer. On-demand training should be considered in order to significantly reduce costs and increase efficiency. Anyone with access to sensitive information such as credit card data or protected health information should be required to receive specialized training, several times throughout the year.

For more information on cybersecurity best practices, conducting a simulated spear phishing campaign, or customized on-demand cybersecurity training, contact Citrin Cooperman’s Technology and Risk Advisory (TRAC) team.