Fraudulent — or phishing — emails sent by criminals have become more sophisticated, as the recent spate of attempts to defraud companies with well-crafted, believable messages apparently sent by travelling or absent chief executives has shown.
Etienne Greeff, head of UK-based cyber security firm SecureData Europe, says chief executive scams — known as “whale phishing” — became a problem in 2015. They were unsophisticated to start with, but as the year progressed they drastically improved. The FBI reported a 270 per cent rise in global losses from such frauds between January and August last year and says there were more than 12,000 victims. The average loss was around $120,000, while some companies lost up to $90m.
“Something from the chief saying it needs your immediate response is going to be a priority,” says David Emm, senior security researcher at Kaspersky Lab, an online security company.
The fact that we share so much information online helps cyber criminals to operate. Not only are staff email addresses available on websites, their movements and business plans can be gleaned from blogs, news stories and social media. This helps fraudsters to create believable email scenarios in which a senior executive asks for large sums to be sent to them.
Here are some suggestions on how to avoid becoming a victim of such fraud:
• Ensure you have email filters in place
Having a system that filters incoming emails and automatically blocks obvious spam and phishing messages is essential, says Mike Hracs, a security intelligence consultant at Deloitte Canada. “There are two different types of system: on-premises and cloud-based. Cloud-based email filtration systems are easiest to implement and are very effective.”
Filtration will stop a lot of the basic phishing and some cloud-based systems can even track messages and rewrite harmful links in them. This can prevent staff unintentionally downloading malware that will give criminals access to your systems.
• Put better internal processes in place
“In a lot of companies there is no clear demarcation between legitimate practice and what phishers are [doing],” says Kaspersky’s Mr Emm.
“Companies make use of emails from executives with attachments and expect people to click on them. If we expect people to respond to genuine emails in that way, then why would we be surprised when they respond this way to spoof emails?”
Ian Trump, security lead at Logicnow, a software provider, says fraudulent emails are unlikely to be successful if senior executives discuss their future plans regularly. He also points out the need for better internal systems. Having several people sign off on sums that have to be sent abroad makes it harder for crooks to succeed.
• Awareness training
“You need to develop presentations that can demonstrate basic phishing constructs and how to identify them,” says Deloitte’s Mr Hracs.
The more educated staff are, the better prepared they will be. But because these attacks keep changing, training cannot be a one-off. Company IT teams should regularly run internal phishing campaigns to keep awareness high, and should train employees so that when something in an email seems out of the ordinary, they ask whether the request is in keeping with how the executive concerned normally behaves, and are wary of clicking on any suspect link.
• Check the email header
While a message may at first glance appear to have come from your chief executive, viewing the email source shows detail that can expose a fraud. Staff should look at the headers of suspect messages. The From line shows the display name and the actual address and domain the message claims to come from; Reply-To and Return-Path show where replies and bounces will really go; Received lines record the mail servers the message passed through; and, where the receiving server adds one, Authentication-Results records whether the sending domain passed SPF, DKIM and DMARC checks. A lookalike domain, a Reply-To pointing at a free webmail account, or a failed SPF check are the usual giveaways.
Checking them is a straightforward process in most email packages and IT teams can provide staff with guidance on what to look out for. In Gmail, for example, open the message menu (the drop-down arrow in the top right of the email) and select "Show original".
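As an added example, not code from the article or from any of the companies quoted in it, the following Python script applies the header checks described above to a constructed sample message. Every name, address and domain in it is made up: acme.example stands in for the company's own domain, acme-example.com for a lookalike registered by the fraudster, and the Authentication-Results line is the kind a receiving mail server adds after checking SPF and DKIM. The same function also runs over a constructed benign message to show it stays quiet when nothing is wrong.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example of a "CEO fraud" message (all names, addresses, domains
# and the 203.0.113.10 address are fictitious / documentation values).
SAMPLE_RAW = """Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
  by mx.acme.example (Postfix) with ESMTP id 4AB12C
  for <finance@acme.example>; Mon, 14 Mar 2016 09:12:01 +0000
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Doe, CEO" <jane.doe@acme-example.com>
Reply-To: jane.doe.ceo@freemail.example
To: finance@acme.example
Subject: Urgent wire transfer - need this done today
Date: Mon, 14 Mar 2016 09:11:58 +0000

I'm travelling and can't take calls. Please wire 90,000 USD to the account below today.
"""

# Constructed benign message from the real executive, for comparison.
BENIGN_RAW = """Return-Path: <jane.doe@acme.example>
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example
From: "Jane Doe" <jane.doe@acme.example>
To: finance@acme.example
Subject: Board pack for Thursday

Attached as discussed.
"""


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header, or '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_headers(raw: str, trusted_domains) -> list:
    """Return a list of human-readable findings for a raw RFC 5322 message.

    An empty list means none of the checks fired. trusted_domains is the set of
    domains the company actually sends mail from (assumed here: acme.example).
    """
    msg = message_from_string(raw)
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    # 1. Is the claimed sender domain really one of ours? Lookalikes fail here.
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = _domain(from_hdr)
    if from_dom not in trusted:
        findings.append(
            f"From domain {from_dom!r} is not a company domain "
            f"(display name shown to the reader: {display_name!r})"
        )

    # 2. Replies silently redirected elsewhere (classic for CEO fraud).
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom!r}, not to {from_dom!r}")

    # 3. Bounce address (envelope sender) from a different domain than From.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom!r} differs from From domain")

    # 4. Authentication results recorded by our receiving server, if present.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        if match and match.group(1).lower() in ("fail", "softfail", "permerror", "temperror"):
            findings.append(f"{mech.upper()} check result is {match.group(1)!r}")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(f"--- {label} message ---")
        for finding in check_headers(raw, {"acme.example"}) or ["no findings"]:
            print(" *", finding)
```

On the constructed suspect message the script reports four findings (lookalike From domain, redirected Reply-To, foreign Return-Path and an SPF failure) and nothing on the benign one. A script like this is no substitute for a filtering gateway, but it shows staff exactly which header lines to read in "Show original" and why each one matters.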
Finally, if in doubt, call the chief and ask if she or he needs the money. They are not going to mind if you stop the company from losing a fortune.