For an attacker, spear phishing is an efficient way of getting work done. Business Email Compromise (BEC) schemes (sometimes also called business executive compromise), which specifically target executives or mid-level finance officials, can be particularly useful: get an official to click on a link, infect their machine, and the attacker has high-level access to the organization. Or get the official to wire money to an account the attacker controls and rake in the cash.
To counter this, security awareness defensive techniques include training employees to watch out for suspicious links in email, text or social media messages.
But as a recent analysis of 3,000 email attacks on Barracuda Networks customers shows, not all initial messages from an attacker contain a link. Perhaps realizing that organizations are watching for suspicious communications, attackers increasingly try first to establish rapport with a victim. In the sample examined, only 40 per cent of messages had a link. Twelve per cent tried first to establish rapport, with messages like “Are you online now?” or “Are you available for something urgent?”. Then, often, the follow-up message carries the malicious payload: a link to an infected document or website, or the details of a bank account controlled by the attacker.
In the sample the company looked at, just under half (46.9 per cent) of attacks wanted targets to make a wire transfer to a phony person or account, 40.1 per cent wanted the target to click on a link, and 12.2 per cent wanted the victim to forward personally identifiable information (including that of other employees, such as lists of staffers and their social insurance numbers, purportedly for tax purposes).
One point from this analysis is that, with less than half of messages carrying a suspicious link, it is harder for technology (anti-virus, email gateways, etc.) to intercept many of these attacks. The analysis also notes that while senior officials are often targets of BEC attacks, just over half of the messages went to others in the organization who might be influenced by a message seemingly coming from the C-suite.
Barracuda recommends that wire transfers should never go out without a confirming in-person conversation or phone call with a responsible company official. Be especially careful with phone calls if the only contact number available is the one included in the potentially fraudulent email, the warning adds.
The sample also shows that in almost 43 per cent of cases, messages pretended to come from the company’s CEO. So employees should be warned to take extra care when acting on email from that account. “If the CEO is making a request or if it is unusual to receive email from the CEO, the user should confirm the legitimacy before taking action.”
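The findings above (link-less rapport openers, executive impersonation, and wire-transfer or PII requests that should be held for out-of-band confirmation) can be turned into simple triage rules. The following is an added example written for this page, not code from Barracuda or from the analysis it describes; the company domain, the executive directory and the three sample emails are constructed for illustration, and the scores and thresholds are arbitrary choices a defender would tune to their own mail flow.

```python
"""Heuristic triage for link-less BEC / executive-impersonation email.

Added example with constructed data; not Barracuda's code or analysis.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation data (constructed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
HOLD_THRESHOLD = 5  # arbitrary: at or above this, hold for out-of-band confirmation

# Phrases typical of the rapport-building openers described in the article.
RAPPORT_RE = re.compile(
    r"\b(are you (online|available|around|at your desk|in the office)|"
    r"do you have a (moment|minute|sec)|something urgent|quick (task|favou?r))\b",
    re.I,
)
PAYMENT_RE = re.compile(r"\b(wire( transfer)?|invoice|payment|bank (details|account))\b", re.I)
PII_RE = re.compile(r"\b(W-?2s?|social insurance|SIN numbers?|staff list|payroll)\b", re.I)
URL_RE = re.compile(r"\b(https?://|www\.)\S+", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    score, reasons = 0, []

    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        # Display name of an executive on an address that is not theirs.
        score += 5
        reasons.append(f"display name '{name}' matches an executive but sender is {addr}")
    elif real_mailbox:
        # Genuinely from the executive's mailbox: no score, but still confirm requests.
        reasons.append("sent from an executive mailbox: confirm unusual requests before acting")
    if reply_to and _domain(reply_to) != _domain(addr):
        # Replies would be diverted away from the apparent sender.
        score += 4
        reasons.append(f"Reply-To {reply_to} diverts replies away from {addr}")

    has_link = bool(URL_RE.search(text))
    if RAPPORT_RE.search(text):
        score += 3
        reasons.append("rapport-building opener")
        if not has_link:
            # Nothing for a URL filter to catch; the payload usually arrives later.
            score += 2
            reasons.append("no link in this message: a malicious link may follow")
    if PAYMENT_RE.search(text):
        score += 3
        reasons.append("requests a payment or wire transfer")
    if PII_RE.search(text):
        score += 3
        reasons.append("requests personally identifiable information")
    return score, reasons


def triage(raw: str) -> str:
    """'hold' = require in-person/phone confirmation, 'review' = flag, 'deliver' = clean."""
    score, _ = score_message(raw)
    if score >= HOLD_THRESHOLD:
        return "hold"
    return "review" if score > 0 else "deliver"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "rapport": """From: Jane Doe <jane.doe.ceo@webmail-free.example>
To: bob@example.com
Subject: Hi
Content-Type: text/plain

Are you online now? I need you to handle something urgent for me.
""",
    "legit": """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Board deck
Content-Type: text/plain

The updated deck is at https://intranet.example.com/board/q3 - thanks.
""",
    "wire": """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail-free.example
To: bob@example.com
Subject: Re: Hi
Content-Type: text/plain

Please process the wire transfer for the attached invoice today.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, reasons = score_message(raw)
        print(f"{label}: {triage(raw)} (score {score}) {reasons}")
```

The "rapport" sample scores highly with no URL at all, which is the article's point: a gateway keyed on links sees nothing, so the signal has to come from headers (display name versus real mailbox, diverted Reply-To) and from the request itself. The "hold" outcome maps to the recommended control, a phone call or in-person check using a number from the company directory rather than one taken from the email.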
These and other techniques should be part of a regular security awareness training program.
The Barracuda analysis is in a blog that can be read here.