"The fool doth think he is wise." So read the subject line of an email sent to Barclays CEO Jes Staley. The email, purporting to come from Barclays Chairman John McFarlane, fooled Staley into not only opening the message but responding to it. As we now know, the email was not really from McFarlane but from a hacker, eager to expose Staley to public ridicule.
Staley has not been the only financial CEO exposed to cyber crime in recent months. In the past year, we've seen the chief executives of Goldman Sachs, Citigroup and the Bank of England similarly targeted. Beyond embarrassing CEOs, these hackers have a seeming intent to obtain sensitive, often financial-related information about key individuals and their companies. In addition to engaging C-level executives, they are impersonating them – sending emails to employees demanding confidential information. Employees, eager to respond to their "boss's" requests, fall victim to these scams, unintentionally leaking classified data to malicious hackers.
With cyber crime more rampant than ever before – the FBI reported $5.3B in exposed dollar losses to CEO fraud emails from 2013-2016 – it's essential that businesses make cyber security a priority. Every day, hackers are becoming more sophisticated in their approaches, creating fraudulent domains that appear to be company domains and smartly targeting employees who hold coveted information and power, such as those capable of initiating a wire transfer. To keep up with these advanced tactics, organizations must get proactive and develop comprehensive strategies to fend off vicious attackers.
According to Gartner, organizations are doing just that. Recent research found that enterprises are transforming their security spending strategy in 2017, moving away from prevention-only approaches to focus more on detection and response. Knowing that email is the primary means by which scams enter organizations’ networks – most breaches in the last two years can be traced back to poor email security practices – educating employees on how to spot fake emails is a good place for companies to start.
How to spot a fake email
Employers should start by explaining to employees that if the tone of the email is uncharacteristic or the nature of the demand seems fishy – like a request to wire money to an offshore account – they should question it. The U.S. Department of Justice revealed in 2017 it had charged a Lithuanian man with running an email scheme that duped employees of two U.S.-based internet companies into wiring more than $100 million to overseas bank accounts. While it can feel unnatural to challenge a boss’s request, enduring a moment of awkwardness is much more bearable than costing the company thousands – if not millions – of dollars.
Employers should also advise employees to pay special attention to subject lines and senders. Business email compromise (BEC) attacks have created a big splash in recent years, but research analyzing the flow of attacks reveals their components are surprisingly trivial. Subject lines are typically vague and even outright odd. Some of the most common subject lines used in BEC schemes begin with “Transfer,” “Request,” a combination of the two, or “Urgent.” Anything along those lines should be a red flag.
While a sender may appear to be a friend or colleague, a strange email address or one that comes from an unfamiliar private account should be cause for alarm. With emails flying back and forth at the speed of light, it’s easy to overlook something as small as a misspelled last name, but we can all learn a lesson from the Barclays CEO and take a quick, closer look at the sender to ensure it’s really who it appears to be.
Actions companies can take
To develop and execute better security measures, organizations may want to consider creating a corporate security check list. Security should no longer be a concern that belongs only to a company’s IT department; it should be considered a priority by everyone within the organization, especially executives, who are the most vulnerable to suffering – and being impersonated – in attacks. Executives should implement some, if not all, of the following steps to best protect the company:
Meet with IT management: Have an honest conversation with those closest to the threats to understand and identify areas of concern, and take action to rectify vulnerabilities. If the C-suite is taking security seriously, so too will the rest of the organization.
Conduct an inventory of critical assets: Data flows through various channels, so it’s important to ask where data is being archived and who has access to it. If it’s in the wrong hands, organizations can create a universal access policy that denies access to those who don’t need it.
Review the company’s operating systems and software applications: Many attacks, like the recent global GoldenEye attack, can be avoided by software updates that most employees ignore. Automatic patching is a silent method of updating software that won’t disrupt employees’ work.
Invest in the right tools: Leverage communications compliance systems to identify and mitigate risky behavior. Archiving data and communications puts sensitive information out of the reach of those with malicious intent, but keeps it easily accessible to the company.
With security threats becoming increasingly sophisticated and millions of dollars at stake in just one breach, C-level executives need to ensure they – and their organizations – are taking security measures seriously. Proactive steps will not only help identify security vulnerabilities, they will also cut down the time it takes to detect cyber attacks – the average is 170 days – as well as the time it takes to resolve one. Not only can these steps decrease the negative impact on the organization, they can also spare CEOs the embarrassment of having their name splashed across headlines as the next executive to fall victim to a malicious scam.
Greg Arnette, Co-founder and CTO, Sonian