We are all aware of the term “Phishing” and the e-mails we get from members of the Nigerian royal family wanting to share their fortune with us. We also know the dangers of responding directly to e-mails from banks and the ATO asking for our personal information. These are easy for us to detect and dismiss. Generally these e-mails are sent en masse to thousands of people in the hope of catching at least a few, rather like dragging a net through the water.
Criminal organisations have since refined and concentrated this approach. Instead of casting a net, they now aim a single, carefully prepared message at one individual or organisation, just as a spear fisherman targets one fish, hence the name Spear Phishing.
The criminals will use any public information they can obtain about your business, most of which is readily available on the business website. After they have identified the key people in the organisation they set to work trawling social media to learn about the people they intend to involve in the scam: who reports to whom, who travels, and what they post about.
Once they have sufficient information they will send an e-mail which appears to come from a person of authority (CEO, President etc.) to a subordinate with payment authority, such as accounts payable. The sending address is either spoofed or a lookalike (a free webmail account or a domain one letter different from yours) carrying the executive's name. The message will be personalised, urgent in nature, and will require an immediate funds transfer to an account nominated in the body of the e-mail. It will sometimes include a reference to something the criminals have learned on Facebook, LinkedIn or other social media to add familiarity and legitimacy to the source of the communication.
Furthermore it is likely that the e-mail will arrive late on a Friday, which the perpetrator hopes amplifies the urgency and reduces the time available to confirm the instruction. With the transaction performed, the executive whose name was used will most often not find out what has occurred until Monday morning, by which time the funds have been moved on and are rarely recoverable by the bank.
Given the nature of this approach, the attack is not easily detected by security software: the message carries no malware or malicious link, only a plausible instruction from a familiar name. This means that procedures around payments and staff awareness need to be improved to avoid such events occurring.
We have had two incidents of this occurring in recent weeks, so we know it is happening. To protect your organisation you should consider things such as:
- Secondary approval for all payments by the CEO or business owner, confirmed in person or by phone rather than by replying to the e-mail, since the e-mail may be the very thing that is impersonating them
- Review information on your website to make sure not too much information is offered about the people in the organisation and the roles they perform
- Set internal protocols or procedures around how outgoing payments can be requested and approved, including verifying any new or changed account details by calling the requester on a number you already hold, never one supplied in the e-mail
- Provide this article to all staff that may be vulnerable to this type of attack
- Talk to your bank about dual authorisation features in your internet banking so that a second person must approve all electronic payments
If you would like to discuss this topic or any other type of fraud protection further please call Leigh Harry on 5221 6111.