The FBI's Internet Crime Complaint Center (IC3) reports that email-based social engineering accounted for the largest reported losses of any cybercrime category in the US in 2017. Business e-mail compromise (the fake CEO attack) and fake investment scams targeting companies and not-for-profit organisations resulted in an estimated loss of over $676 million.
What is email phishing?
Phishing is a type of social engineering in which attackers trick individuals into disclosing confidential information or paying money into a fraudulent scheme. Although phishing can also be conducted by text message, social media message or phone call, most people use the term to describe attacks that arrive by email.
Targeted and personalised email
Email is the ideal delivery method for phishing because it reaches users directly and hides amongst the huge number of benign emails we all receive daily. Most spoof emails contain a ‘click here’ link to a convincing fraudulent web site designed to make it easy to disclose the information the cyber criminal wants. Spear phishing is tailored to one victim or a small group of individuals using specific personal details: the target's own email address, and often the names of co-workers and managers.
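The ‘click here’ links described above can be checked mechanically: the visible text of an anchor says one thing while its href points somewhere else. The following is an added example, not code from the original article or from Wizard Cyber, that parses a constructed HTML email body and flags anchors whose displayed URL differs from their real target, or whose generic text (‘click here’) leads to a host outside an assumed list of trusted domains. The sample message, the hostnames and the trusted-domain list are all made up for illustration.

```python
"""Added example (not from the page): flag mismatched or untrusted links in an
HTML email body. The message and domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: one genuine link, one link whose visible
# URL differs from its target, one generic 'Click here' to an unrelated host,
# and a mailto: link that is out of scope for this check.
SAMPLE_BODY = """<p>Dear colleague,</p>
<p>Please approve the attached invoice via <a href="https://portal.example.com/invoices">the finance portal</a>.</p>
<p>Or open <a href="http://203.0.113.7/login">https://portal.example.com/login</a> directly.</p>
<p>Questions? <a href="https://exampl3-finance.net/help">Click here</a> or email <a href="mailto:ceo@example.com">the CEO</a>.</p>
"""

# Anchor text that itself looks like a URL or bare domain (optionally with a path).
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:[/?#:]\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Host the user *sees* if the anchor text looks like a URL, else None."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domains):
    """Return (href, text, reason) for links a mail filter or reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        if not target:
            continue  # mailto:, relative and fragment links are not checked here
        target = target.lower()
        shown = shown_host(text)
        if shown and not in_domain(target, shown):
            findings.append((href, text, "visible URL %s differs from target %s" % (shown, target)))
        elif not shown and not any(in_domain(target, d) for d in trusted_domains):
            findings.append((href, text, "generic link text leads to untrusted host %s" % target))
    return findings


if __name__ == "__main__":
    # "example.com" is the assumed organisation domain for this demonstration.
    for href, text, reason in suspicious_links(SAMPLE_BODY, ("example.com",)):
        print("%-35s %-40s %s" % (text, href, reason))
```

A real filter would also resolve URL shorteners and compare hosts against a lookalike list; the point here is only that the displayed text of a link is attacker-controlled and must never be trusted on its own.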
Fake CEO attack
Whaling is a specialised form of spear phishing that targets high-net-worth individuals or decision makers at MD, CEO and CFO level in an organisation. Commonly known as the fake CEO attack, it begins with the perpetrator acquiring, before the attack, detailed information about other members of staff, suppliers, customers and trusted partners, which may include accountants, lawyers and professional advisers. Spoof messages purporting to come from these partners, or from the executive being impersonated, are then sent to managers with financial authority, asking them to pay an outstanding invoice or place an order for new services.
The fake CEO attack is a major cyber threat to professional services firms in the UK. Wizard Cyber is a specialist cyber security partner to UK private equity firms, and many of the General Partners in our customer base have reported a significant increase in this type of email over the last 12 months.
Protect your organisation from fake CEO attack
The National Cyber Security Centre (NCSC) has recently updated its guidance to UK organisations on protecting against email phishing. Its previous advice relied largely on training designed to raise awareness among all members of staff; it now advocates a multi-layered approach that combines technological, process and people-based defence measures.
The NCSC guidance ‘Phishing attacks: defending your organisation’ can be summarised as:
Layer 1: Make it difficult for attackers to reach your users
- Implement anti-spoofing controls (SPF, DKIM and DMARC) on the domains you send email from
- Reduce the amount of publicly available (web, social) information on individuals
- Filter or block incoming emails
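To show what the anti-spoofing controls in Layer 1 actually do for a receiving mail server, here is an added example, not code from the article or from the NCSC: a minimal DMARC evaluator. SPF and DKIM on their own only say that some domain authorised the sending server or signed the message; DMARC is what ties those results to the From: address the user sees and lets the domain owner publish a policy (none, quarantine or reject) for messages that do not line up. All domains, DNS records and authentication results below are constructed, and two simplifications are noted in comments: organisational domains are taken as the last two labels instead of consulting the Public Suffix List, and the sp= subdomain policy tag is not implemented.

```python
"""Added example, not from the page or the NCSC guidance: a minimal DMARC
evaluator showing how SPF and DKIM results must align with the visible
From: domain before the domain owner's policy is applied.
All domains, DNS records and messages below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Stand-in for the _dmarc.<domain> TXT lookup a real receiver performs.
DMARC_RECORDS = {
    # Strict DKIM alignment, relaxed SPF alignment, reject on failure.
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "partner.example": "v=DMARC1; p=quarantine",
}


@dataclass
class AuthResults:
    """What the receiving MTA established before DMARC is evaluated."""
    spf_pass_domain: Optional[str]      # MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: tuple = ()       # d= tags of the signatures that verified


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real evaluators use the Public Suffix
    # List so that e.g. "example.co.uk" is not reduced to "co.uk".
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def from_domain(from_header: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError("no domain in From: header %r" % from_header)
    return m.group(1).lower()


def aligned(auth_domain: Optional[str], rfc5322_from: str, mode: str) -> bool:
    if auth_domain is None:
        return False
    if mode == "s":                     # strict: identifiers must match exactly
        return auth_domain.lower() == rfc5322_from
    return org_domain(auth_domain) == org_domain(rfc5322_from)   # relaxed


def evaluate(from_header: str, auth: AuthResults, records=DMARC_RECORDS) -> dict:
    domain = from_domain(from_header)
    # Simplification: fall back to the organisational domain's record for
    # subdomains; real DMARC applies that record's sp= tag instead of p=.
    record = records.get(domain) or records.get(org_domain(domain))
    if record is None:
        # No policy published: DMARC cannot protect this domain, whoever owns it.
        return {"from_domain": domain, "dmarc": "none", "disposition": None}
    policy = parse_dmarc(record)
    spf_ok = aligned(auth.spf_pass_domain, domain, policy["aspf"])
    dkim_ok = any(aligned(d, domain, policy["adkim"]) for d in auth.dkim_pass_domains)
    passed = spf_ok or dkim_ok          # either aligned identifier is enough
    return {
        "from_domain": domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    cases = [
        ("genuine message", "Jane Doe <jane@example.com>",
         AuthResults("example.com", ("example.com",))),
        ("fake CEO sent from attacker infrastructure", "CEO <ceo@example.com>",
         AuthResults("bounce.attacker.example", ("attacker.example",))),
        ("subdomain sender: strict DKIM fails, relaxed SPF passes", "Jane Doe <jane@example.com>",
         AuthResults("bounce.example.com", ("mail.example.com",))),
        ("lookalike domain with no DMARC record", "CEO <ceo@examp1e.com>",
         AuthResults("examp1e.com", ("examp1e.com",))),
    ]
    for label, header, auth in cases:
        print(label, "->", evaluate(header, auth))
```

The second case is the fake CEO attack in its simplest form: the attacker's own server passes SPF and DKIM for the attacker's domain, but neither identifier aligns with example.com, so the published p=reject policy tells the receiver to drop the message. The last case shows the limit of this layer: a lookalike domain such as examp1e.com is a domain the attacker owns, so no record of yours applies and the message sails through. That is why the NCSC layers below, and the email filtering in this one, are still needed.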
Layer 2: Help users identify and report suspected phishing emails
- Staff awareness training (general and role-specific)
- Help users recognise processes that could be mimicked and exploited
- Create an environment with a clear reporting process and a no-blame culture
Layer 3: Protect your organisation from the effects of undetected phishing emails
- Make authentication more resistant to phishing (use 2FA and restrict access to what each user actually needs)
- Protect users from malicious websites by using a proxy server and up-to-date browser software
- Protect devices from malware
Layer 4: Respond quickly to incidents
- Define and rehearse an incident response plan for different attacks (legal, finance, etc.)
- Encourage users to report suspicious activity quickly