Spear Phishing Scams Targeting Corporate Executives

The FBI has seen an increase in sophisticated “spear phishing” scams targeting executives across industry sectors.  Spear phishing is when a criminal sends an e-mail that appears to be from a trusted source to a specific individual or company in an attempt to trick the recipient into taking certain actions or revealing sensitive information.  In cases involving executives, the e-mail often appears to be sent from the CEO and is directed at CFOs, controllers, or other executives with access to sensitive data or the authority to transfer company funds. 

In essence, the scheme is a modern-day version of tried-and-true con man frauds. The fake e-mail from the CEO typically asks the target to wire funds to pay an overdue invoice or to pay for an urgent business expense. For example, in the fake e-mail the criminals build a convincing pretext by having the CEO claim to be busy with meetings and insist that the executive transfer the funds immediately. The phony e-mails look very real because they address the target by name, send the message to his or her e-mail address, and accurately identify the company, wire details, amount, and the reason for the urgency. The pretext adds an appearance of legitimacy to the message, increasing the chances of fooling a busy executive into opening the e-mail and responding as directed.

Unlike mass phishing attempts aimed at “soft” targets, these newer, more sophisticated spear phishing tactics often escape detection by spam filters.  Cyber criminals employing these methods do their homework, usually researching companies and individuals through official websites and social media to:

  • Gather information such as names, titles, and job descriptions;
  • Investigate a probable chain of command that would raise little or no question about a request to transfer funds;
  • Research vendor partners with whom the target company likely transacts business; and
  • Register domain names similar to the target company's, with one letter or number transposed.
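
A defender's check for the last tactic in the list above, added here as an example and not part of the original alert: it flags sender domains that are one edit or one adjacent-character swap away from the company's own domain. The domain `example-corp.com`, the function names, and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the organisation's legitimate domains (constructed sample value).
TRUSTED_DOMAINS = {"example-corp.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exmaple" vs "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(from_header: str, max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike:<domain>', 'external' or 'unparseable'."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < osa_distance(domain, trusted) <= max_distance:
            return f"lookalike:{trusted}"
    return "external"


# Constructed sample From: headers, not taken from any real incident.
SAMPLE_HEADERS = [
    '"Pat Lee, CEO" <pat.lee@example-corp.com>',
    '"Pat Lee, CEO" <pat.lee@exmaple-corp.com>',  # adjacent letters swapped
    '"Pat Lee, CEO" <pat.lee@examp1e-corp.com>',  # digit 1 in place of l
    "Vendor Billing <ap@unrelated-vendor.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):28} {header}")
```

Messages that forge the company's exact domain are a separate problem handled by SPF, DKIM and DMARC; this check covers only near-miss domains.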

Thompson & Knight suggests companies take the following measures to reduce the risk of falling victim to spear phishing attacks:

  • Improve Your Technology.  Use good anti-phishing technologies and strong security software, and keep your operating system patched.  You should also consider downloading the latest version of your browser with the latest security technologies.  
  • Raise Awareness.  As a matter of priority, make sure that executives, employees, and other users understand the dangers of spear phishing attacks, then focus on behaviors and practices that users should adopt to avoid falling victim to these swindles.  Continually train employees on how to spot phishing messages by checking e-mails for formatting and visual clues, and reinforce policies that prohibit the disclosure of sensitive information without proper confirmation.
  • Checks and Balances.  Establish strong policies to manage pressing email requests for sensitive corporate information or for transferring funds, and require validation of banking information with trusted accounting contacts at suppliers, distributors, and other business partners before authorizing transfers of funds.
  • Social Media Protocols.  Develop and enforce strong policies regarding use of social media that prohibit employees from revealing classified or proprietary business information, including details describing sensitive corporate functions and information about the company’s network infrastructure.  These policies should clearly address an employee’s obligations when publishing online and should include principles that sensitize personnel and help them understand what they can say regarding the company and how best to say it. 

 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson & Knight LLP | Attorney Advertising
