It looks like another record-setting year for data breaches. As of May 24th, the total number of breaches captured by the 2016 ITRC Breach Report is up to 420, which is 22% higher than the already record-setting number of breaches in 2015. Nearly one-third of those breaches are attributed to CEO spear phishing. This phishing scheme isn’t new, but it has been a favourite of attackers this year.
How Do CEO Spear Phishing Scams Work?
In this kind of spear phishing scam, an attacker impersonates the email address of a CEO or other C-Level executive. The attacker sends the email to one or more employees and includes a request for detailed personnel or financial records. The attack typically targets the HR or finance departments, where such a request would not be out of place. The target, unaware the email is a fraud, sends back the requested records. In some cases the attacker uses the email scam to request a wire transfer using language and amounts that seem legitimate.
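Several of the tells in that description (an executive's name on an unfamiliar address, replies diverted to another mailbox, urgent money or payroll language) can be screened for automatically before a message reaches HR or finance. The Python below is an added example, not code from the original post or from Absolute; the executive directory, the risk keywords and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: a small directory mapping executive display
# names to their real mailboxes, and the phrases the FBI/IRS alerts call out.
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}   # hypothetical CEO
RISK_KEYWORDS = ("urgent", "wire transfer", "w-2", "payroll", "personnel records")


def analyse_message(raw: str) -> dict:
    """Return {warning_code: detail} for one raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = {}
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. The display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        warnings["exec_name_mismatch"] = f"'{from_name}' sent from {from_addr}, expected {expected}"

    # 2. Replies are quietly routed to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings["reply_to_mismatch"] = f"Reply-To {reply_addr} differs from From {from_addr}"

    # 3. Urgency / money / payroll language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    found = [k for k in RISK_KEYWORDS if k in text]
    if found:
        warnings["risk_keywords"] = found
    return warnings


# Constructed sample: lookalike domain, diverted Reply-To, urgent W-2 request.
SAMPLE_SCAM = """\
From: "Jane Doe" <jane.doe@example-health-payroll.com>
Reply-To: ceo.office@mail-example.com
To: hr@example-health.org
Subject: Urgent: W-2 copies needed today
Content-Type: text/plain; charset="utf-8"

Please send me the W-2s for all employees as PDF before noon. Urgent.
"""

if __name__ == "__main__":
    for code, detail in analyse_message(SAMPLE_SCAM).items():
        print(f"[{code}] {detail}")
```

A hit on any of the three checks is a reason to pick up the phone and to report the message, not a verdict on its own.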
As shared by Jack Lynch, CEO of Main Line Health, this scheme is so successful that it’s catching many employees off guard. In fact, one of his own employees fell for the scheme. After receiving a scam email, the employee promptly sent off payroll information to the requester, believing they were sending the documents to the hospital’s CFO. Two days later, a second employee received a similar email, but noticed an error and deleted the message. While that is a positive sign, that employee also failed to alert anyone else that they were being targeted.
Everyone in an organization needs to be on alert for these phishing tactics.
Business Email Scams Are Getting Bolder
The FBI recently issued an alert on the dramatic increase in business e-mail scams. The alert included tips to beware of requests that seem urgent, involve money, or that have obvious errors. Similarly, the IRS issued its own alert to beware phishing schemes involving W-2s.
Whenever in doubt about a request, pick up the phone to verify its authenticity with the purported sender. If you even think the email is a fraud, don’t just delete it—report it. As we’ve mentioned previously, encourage employees to assume a role in data security, which includes reporting suspicious activity or security gaps.
Right now, people account for a large share of data breaches, and the 2016 data so far shows that even common phishing tactics are continuing that trend. Shoring up against the insider threat, where people accidentally or maliciously put data at risk, means creating a culture that fosters security, bolstered with technology that gives visibility into where data resides. A security policy only goes so far; employees create security gaps when they ignore those policies. Monitor and protect against malicious and negligent insiders, regardless of user or location and whether they’re on or off the network, with Absolute.