CEO Spear Phishing Is Catching Too Many Employees Off Guard

It looks like another record-setting year for data breaches. As of May 24th, the total number of breaches captured by the 2016 ITRC Breach Report is up to 420, which is 22% higher than the already record-setting number of breaches in 2015. Nearly one-third of those breaches are attributed to CEO spear phishing. This phishing scheme isn’t new, but has been a top choice for this year.

How Do CEO Spear Phishing Scams Work?

In this kind of spear phishing scam, an attacker impersonates the email address of a CEO or other C-Level executive. The attacker sends the email to one or more employees and includes a request for detailed personnel or financial records. The attack typically targets the HR or finance departments, where such a request would not be out of place. The target, unaware the email is a fraud, sends back the requested records. In some cases the attacker uses the email scam to request a wire transfer using language and amounts that seem legitimate.

As shared by Jack Lynch, CEO of Main Line Health, this scheme is so successful that it’s catching many employees off guard. In fact, one of his own employees fell for the scheme. After receiving a scam email, the employee promptly mailed off payroll information to the requester, believing they were sending the documents to the hospital’s CFO. Two days later, a second employee received a similar email, but noticed an error and deleted the message. While that is a positive sign, that employee also failed to alert anyone else that they were being targeted.

Everyone in an organization needs to be on alert for these phishing tactics.

Business Email Scams Are Getting Bolder

The FBI recently issued an alert on the dramatic increase in business e-mail scams. The alert included tips to beware of requests that seem urgent, involve money, or that have obvious errors. Similarly, the IRS issued its own alert to beware phishing schemes involving W-2s.

Whenever in doubt about a request, pick up the phone to verify its authenticity with the purported sender. If you even think the email is a fraud, don’t just delete it—report it. As we’ve mentioned previously, encourage employees to assume a role in data security, which includes reporting suspicious activity or security gaps.
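The impersonation pattern described above (an executive's name over an attacker-controlled address or Reply-To) and the FBI warning signs (urgency plus money or payroll data) can be turned into a simple mail-gateway check. The following is an added example, not code from the original post or from Absolute; the executive names, domain and sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions: executives a scammer would impersonate, and the domain they send from.
EXECUTIVES = {"jane doe", "john smith"}
INTERNAL_DOMAIN = "example.com"

# Warning signs from the FBI alert: urgency combined with a request that moves money or payroll data.
URGENT = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
MONEY_OR_RECORDS = re.compile(r"\b(wire transfer|payroll|w-?2s?|personnel records)\b", re.I)


def score_message(raw: str) -> list:
    """Return the red flags found in one raw RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # An executive's display name over an address outside our domain is the classic impersonation.
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        findings.append(f"executive name '{name}' on external domain '{domain}'")
    # A Reply-To that differs from From routes the victim's answer to the attacker's mailbox.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if URGENT.search(text) and MONEY_OR_RECORDS.search(text):
        findings.append("urgent request involving money or payroll records")
    return findings


# Constructed sample messages: a routine internal note and a CEO-impersonation wire request.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q2 planning meeting

Can we meet Thursday to review the budget timeline?
"""

SCAM = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payroll@example.com
Subject: Urgent wire transfer

I need you to process a wire transfer today. I am in meetings, so reply by email only.
"""

if __name__ == "__main__":
    print(score_message(LEGIT), score_message(SCAM))
```

Flagged messages are a prompt for the phone verification the post recommends, not a verdict on their own.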

Right now people account for a vast proportion of data breaches, and the current data from 2016 shows that even common phishing tactics are continuing that trend. Shoring up the Insider Threat, where people accidentally or maliciously put data at risk, means creating a culture that fosters security, bolstered with technology that gives visibility into data wherever it resides. A security policy only goes so far. Employees create security gaps when they ignore those policies. Monitor and protect against malicious and negligent insiders, regardless of user, location or whether they’re on or off network with Absolute.

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.