These days determined cyber attackers don’t fire broadsides at organizations they want to infiltrate — they take the time to find out who holds certain sensitive positions and targets them.
If the staff in your enterprise hasn’t got that message yet, there’s news story from the U.S. about a spear phishing attack that nearly tricked a firm’s comptroller CISOs could pass on to all employees so they understand.
The email seemed to come from the CEO about an upcoming acquisition, and asked the comptroller to work closely — in fact, “exclusively” — with a lawyer on the deal. The message was detailed, professional, right down to suggesting the company had already notified the U.S. Securities and Exchange Commission (SEC) on the deal.
There was no hyperlink or attachment for the comptroller to click on, which is usually the way malware is delivered. No, this attack was more crafty: The CEO authorized the comptroller to “proceed with any payments that (the lawyer) may request on my behalf. You need to keep this matter extremely confidential as you are the only one currently aware of the situation.”
Had the comptroller fallen for the scheme she likely would have forwarded a sizeable amount of money to who knows where.
Fortunately, the attacker made a mistake: CEO signed the email with his full name, which he doesn’t do. The comptroller was justifiably suspicious and checked.
This tale is just another reminder to all employees — not just those in sensitive finance, IT and legal positions — that email, Twitter, LinkedIn and all other forms of electronic messaging are attack vehicles, not methods of efficient communications . They need to be aware of what they are reading and clicking on. Slow down and be safe.