Don’t trust that email from your CEO: Protecting your company from spear phishing attacks

It’s the end of a long work week, and you’re going through emails before braving the commute home. There’s an urgent message from your CEO to approve a wire transfer. As the CFO, you receive these requests regularly. You rush to resolve it, opening the message and reading through it. There’s a link in the message to follow and enter some personal information.

If you clicked on the link, if you followed through with the request, you may be the latest victim of spear phishing. Have you heard of it?

When cyber criminals send official-looking emails trying to coerce personal information out of you, that’s phishing. When it’s targeted at a specific group or individual, that’s spear phishing.

Most users are savvy enough to know not to click on links in emails from people they don’t know. Phishing is less of a threat this way. But when the email looks like it came from the CEO of one's company, that person is much more likely to think they can trust it. In this way spear phishing attempts to bypass all of the conditioned barriers we’ve set up to block out internet noise.

To best defend yourself and your business from these attacks, you should understand how they happen.

Spear phishing is not new. It’s simply Social Engineering via today’s technology. Older examples would be somebody trying to get you to wire money. Today, they want you to click on the malicious link.

Spear phishing gets around hardware and software security by targeting weaknesses in human behavior. It doesn’t matter how strong your firewalls are, if you have implemented Intrusion Detection Systems or whether or not your anti-virus software is up to date. These safety measures can’t stop the actions of a user deliberately clicking a link. When a spear phishing attack appears to come from the boss’s email, it targets people’s propensity to trust, obey, help or simply be curious. Software can’t stop that.

Criminals have some inside information on their targets in order to target them with what looks like a legitimate email. This information can be obtained maliciously via hacking an organization’s computer network, or it could be done by searching through websites, blogs and social media sites. This gives the criminal pretext to create an email that looks like it can be trusted.

The emails sound urgent in addition to seeming legitimate. Attackers are hoping that targets will make a quick decision to click on the link instead of stopping to think about why they're being asked for personal information.

When users click on the link, the website may be phony, but it looks legit. Because the site looks like the real thing, users are tricked into trusting it and providing their personal information.

They can use the information to steal your identity, get your credit card or bank information or download malicious software. For businesses, malicious software can provide the criminals with access to sensitive, internal information or trade secrets.

What can you do to avoid becoming a victim?

1. Educate your employees. Banks, companies and agencies will not request personal information via email.

2. Install phishing filters on web browsers. Many of the latest browsers have them built in or available as a plug-in.

3. Educate employees not to follow a link from an email but instead to enter the URL manually.

4. Check the recipient’s email. The sender’s name may look correct, but is the email address the actual address used by your coworker, John?

5. Use email spam filters.

6. Learn new behavior. Pause before clicking a link; hover over hyperlinks to see where they actually direct your browser; recognize suspicious text and grammar; take the appropriate actions when a suspicious email is received. What’s your company’s cyber-security policy?

Next time an email shows up in your inbox, be wary. Anyone can be a victim of these new, sophisticated attacks. Be especially wary if you’re in finances. Because of the wealth of information available online, hackers are choosing to target those who work in accounting or finance more frequently.

By following the above tips, you can decrease your likelihood of falling victim. And sometimes the best defense is to trust your instinct: If something doesn’t feel right, then it’s likely to be fraudulent!