Spear-phishing Scams: How They Work and How Not to Get Speared


Cybersecurity attacks like spear-phishing scams are all too real. I have personally seen three near misses in the last year and want to share them with you, and encourage vigilance and proper protections. Businesses and leaders that do not act with a proper sense of vulnerability put themselves at great risk.

Everything Seemed to Be in Order

A COO friend recently received an email from the CEO directing the COO to send a wire for $50,000 to a new vendor immediately. The CEO happened to be away at a conference that day. Attached to the email was a PDF of the invoice, similar to those from vendors and services the client typically uses. The email was generated internally, and the writing style and punctuation were exactly like the CEO’s. The COO and the company’s Accounting Manager could not get a wire out over $25,000 without the CEO releasing it with the bank. So, what did they do? Wanting to comply with the CEO’s request, they sent out two $25,000 wires.

When the CEO came into the office the next day, the COO and Accounting Manager were delighted to report that they had completed the wire transactions, to which the CEO replied, “what wire?” As you’ve likely guessed, the company’s email server had been hacked. Not only did the thieves have visibility into the CEO’s writing style and examples of other vendor invoices routed via email, they could also see the CEO’s schedule and knew she’d be out of the office. Fortunately, the company notified the receiving bank just in time to stop the cash from leaving the recipient’s account.

Common Requests with Uncommon Consequences

In another instance, a client experienced a similar email in which the CEO directed the Accounting Manager to send a check for $10,000 right away via FedEx. This was not out of the ordinary, as the company mostly pays its bills with checks. The Accounting Manager cut the check and the CEO actually signed it, relying on the Accounting Manager. A Vice President saw the FedEx envelope and felt something about it seemed fishy. The theft was averted, allowing us to laugh that one person can make a mistake, but a real screw-up takes teamwork.

It Can Happen to Anyone, Me Included

Yours truly received an email from Ellen Wood, vcfo’s CEO, asking me to buy $1,400 in eBay gift cards and send them to a client as a gift. The email came in late in the day, and since I am based in Denver, no one was around in our Austin headquarters that afternoon to do it. Sure, no big deal, I thought. I am embarrassed to admit it, but they had me on the hook for about five minutes.

I replied to the email and asked where to send the gift cards. The response asked me to scrape off the security covering and send a photo of the revealed codes to a phone number that we later found to be a Google Voice number. This put my skepticism on full alert. A second, closer look at the email showed that it was labeled with our CEO’s name, but that the email address was not from our organization. I called Ellen and asked whether she had sent me the email. She had not. Now I had some fun with it. I emailed back: was $1,400 enough? Their response? “That’s what the client asked for. $1,400 will be fine.” I did send the thieves a photo, but not the one they were hoping for.

What We Can Learn from Spear-phishing Attacks

It’s worth saying again – cybersecurity threats are real, and none of us should ever assume that we’re immune to attack or invulnerable to falling prey to cyber thieves. All the real-life stories shared in this post have three things in common:

  • An urgent directive from a person in power that is not (wholly) out of character
  • Use of email as the channel for delivering the directive
  • A request to send out something of value (e.g. money, information, items) immediately

Lastly, all three of the near misses described here had more to do with people than technology. Thieves and threats have increased in sophistication and try to take advantage of good people’s good intentions. What is the moral of the story? For one, Never Send Out Something of Value Based on Email Alone, especially an immediate directive from a person in power. Always confirm an email directive through another channel: a text message or, better yet, a phone call. For you strong-willed CEOs out there, make sure your people understand this, lest ye become a victim of your power turned against you!
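The three common ingredients above, plus the one technical tell from the gift-card story (the CEO’s name on the message but an address outside the organization), can be turned into a simple triage check that a finance or IT team runs over inbound requests before anyone acts on them. The following Python is an added example written for this post; it is not vcfo’s tooling and not code from the stories. The company domain (`example.com`), the executive name list, the keyword lists and the three sample messages are all constructed assumptions for illustration.

```python
"""Triage checks for executive-impersonation email (added example, not vcfo's code)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not data from the post: the company's own mail domain and the
# display names an impersonator would most likely borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"ellen wood"}

# Phrases standing in for the two ingredients common to all three stories:
# an urgent directive, and a request for something of value.
URGENCY_PHRASES = ("immediately", "right away", "today", "asap", "urgent")
VALUE_PHRASES = ("wire", "gift card", "a check", "invoice", "payment")


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Return {'reasons': [...], 'hold': bool} for one RFC 822 message.

    'hold' means: do not act on this email alone; confirm by phone first.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reasons = []

    # 1. Executive's name in the display field, but the address is outside
    #    the company: the tell in the gift-card story.
    if display_name.strip().lower() in EXECUTIVE_NAMES and _domain(from_addr) != INTERNAL_DOMAIN:
        reasons.append(f"executive display name with external address {from_addr}")

    # 2. Reply-To steering answers to a mailbox other than the one displayed.
    if reply_to and reply_to.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 3. Urgent request for money or goods: the shape of all three stories.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urgent = any(p in text for p in URGENCY_PHRASES)
    value = any(p in text for p in VALUE_PHRASES)
    if urgent and value:
        reasons.append("urgent request involving money or goods")

    # The hold decision rests on the value request alone. A compromised
    # internal mailbox (the $50,000 wire story) passes checks 1 and 2, so
    # out-of-band confirmation must not depend on the header checks.
    return {"reasons": reasons, "hold": value}


# Constructed sample messages (not the real emails from the post).
SPOOFED = """From: Ellen Wood <ellen.wood@example-mail.net>
To: carter@example.com
Subject: Quick favor

Please buy $1,400 in eBay gift cards for a client and send them today.
"""

COMPROMISED = """From: Ellen Wood <ellen.wood@example.com>
To: coo@example.com
Subject: New vendor

Please wire $50,000 to the vendor on the attached invoice immediately.
"""

ROUTINE = """From: Ellen Wood <ellen.wood@example.com>
To: carter@example.com
Subject: Board deck

Attached is the board deck for Thursday; comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("routine", ROUTINE)):
        print(label, triage(sample))
```

The point of the `hold` flag is the moral of the post: the header checks only add evidence, while the decision to pick up the phone is driven by the request itself, because a hacked internal mail server produces messages that look entirely legitimate.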

About the Author

Based in Denver, Carter Freeman is the Vice President for vcfo’s Western Region. An accomplished professional with over 25 years of senior-level finance and accounting experience, Carter has demonstrated an ability to embrace new situations, establish trust and develop a workable game plan. To produce results, Carter navigates his clients through their challenges by assessing a set of circumstances and “cutting to the chase.”