Beware that CEO email - it could be a scam

Email phishing scams are continuing to strike a huge number of businesses, in spite of much more improved cyber-security policies, new research has revealed.

The latest Email Security Risk Assessment from Mimecast discovered that ambitious hackers are also increasingly targeting C-level executives and impersonating those in senior leadership positions in order to trick employees into transferring money or valuable IP data.

The report found that there had been a 400 per cent rise in so-called impersonation attacks in just the last three months of the year.

Also known as “whaling”, the attacks target employees within an organisation by pretending to be a senior executive urgently requesting confidential information or the transferring of money.

"Email as an attack vector has grown in popularity - it's now the way in for an attacker,” Steven Malone, director of security product management at Mimecast, told ITProPortal at the recent Infosecurity Europe event in London.

“When you think about it, everyone has email...every organisation uses email as the means to communicate - which means that everyone relies on email, and everybody trusts email."

This complacence, and belief that email is safe by default, then also stretches to other parts of employee IT usage, Malone notes, further putting organisations at risk.

“If you think of the make-up of any typical organisation, you have the guys in IT, who know all about this stuff,” he notes. “But most other people in the organisation aren't thinking about security - they're assuming that the IT department has lots of shiny boxes in place that will protect them."

However such impersonation attacks often circumvent traditional notions about security, Malone says, appealing to people’s human nature and need to please - especially when apparently directed to by a higher-up.

"They're really sneaky...insidious - they don't contain links, attachments or viruses, they're not spammy - but essentially they use social engineering to persuade the recipient to do something - and if you can make this email look pretty convincing, and you can mail that to somebody within the organisation...human nature says that they want to help and will take the action.”

"The fact that these attacks are still increasing shows that they work, but it also shows that the technology just isn't there to protect end users," Malone added. 

"These attacks are not always attacking big businesses...but we see smaller organisations being targeted with this stuff as  well - and if an attacker can go after 10 or 15 small organisations, and transfer a few thousand pounds from each, it's almost easy pickings."

So what can be done in order to protect your business from these sneaky attacks? Malone states that this is not a one-person, or even one-department job - but instead should be the responsibility of all employees.

"It's tricky,” he notes, “ as it's very easy to approportion blame...it's very easy to say that it's definitely these people's responsibility to solve this problem...but ultimately it is everyone's responsibility." 

"There's often a misconception that everyone needs to be a security expert - but that's not the case. Security is not everyone's day job, but ultimately, often all users need to have a mentality of caution - they have to be mindful of what they're doing, and be aware that their actions on corporate equipment, and can be far-reaching."