Back in the 1990s, phishing criminals masqueraded as Nigerian princes, lottery directors and attorneys for deceased tycoons, toting the email equivalent of a suitcase full of millions. All you needed to do was provide your bank account digits and “wealth” was on the way. It still happens today, the dead giveaways coming via salutations such as “Hello, my dear!” or the misspellings of simple words such as [sic] “chek.”
While you’d be hard pressed to find scores of innocent folk falling for that malarkey in 2018, phishing “phraudsters” have changed with the times. And for even the smartest of bank employees, the news is hardly good.
Cunning criminals now scout social media and company websites to gather relevant information—then disguise themselves as superiors, co-workers, vendors or clients. They can create emails that appear so real and believable, even security systems alone cannot detect them. Fake emails from the CEO may have tweaked addresses that evade the recipient’s casual glance: a middle initial inserted or deleted, or a domain address altered ever so slightly.
While technology can help detect and root out some of these emails, security experts say humans offer the last and best line of defense in the fight against phishing.
Social engineering, attack by design
Phishing—the practice of sending phony emails from “trusted” sources to gain sensitive information or system access—has progressed from haphazard to a hack hazard. Through a strategy called “social engineering,” hackers research social media, press releases and company websites to create compelling emails with all the right information.
A clever malefactor needs only a few minutes of research to create a “very believable” email, says Stu Sjouwerman, founder and CEO of KnowBe4. “It’s the very same type of people doing this type of CEO fraud today. They have morphed and evolved into launching a much more sophisticated kind of attack that is relatively easy to pull off.”
So how does CEO fraud work, exactly? True to its name, someone poses as the company chief executive and gives orders to move money from bank to hacker. Belgian bank Crelan lost more than $75 million in 2016 when a hacker posed as the CEO and instructed a finance department worker to wire the funds overseas.
Seeing through a C-suite attack
It shouldn’t be surprising that the financial services industry represents a prime target for phishing attacks. Carbanak, a global hacking group, has stolen more than $1 billion from banks in more than 40 countries by spreading malware through phishing, according to the European Union Agency for Law Enforcement Cooperation.
Carbanak sent bank employees spear phishing emails (so named because they target specific individuals and companies) that mimicked letters from legitimate companies as a means to burrow into ATM servers. The only thing that’s managed to slow them down was the March arrest of the hacker gang’s leader. Meanwhile, another cabal known as Silence has ripped some pages from Carbanak’s playbook, hitting roughly 10 banks as of November.
Hackers typically direct phishing emails against banks to the comptroller or other executives, with the goal of manipulating them into making transfers at the urgent request of the CFO or CEO. One common tactic is to monitor an executive on social media—then wait until they’re on a business trip and send an email to a subordinate to ask for a favor.
“They’ll say it’s urgent,” Sjouwerman says. “‘We’re in the process of a takeover and it’s confidential. You’re going to be called by someone from the SEC… and in the meantime, I need you to do this.’”
Poorly designed phishing emails are often easy to spot; they may come from a different email address, a person the employee typically doesn’t communicate with, or sound completely out of character. But the insidious ones are much harder to detect: They include personal, credible information.
And if the hacker has compromised the executive’s email, the message can come from the actual account.
They’ll ask employees to visit a website, open a document or, as in the above example, take some sort of action. Other missives pose as emails from Microsoft that ask the employee to update their password or other information.
Fishing for phishing
Banks aren’t exactly defenseless, though. Technologies that include SaaS (Software as a Service) combine phishing detection and remediation. Other counter-weapons include DMARC (Domain-based Message Authentication, Reporting and Conformance), a protocol for validating email addresses. DMARC is easy to implement and can catch most basic phishing messages—though it can’t identify emails when hackers compromise an internal email server and send messages from the company’s domain.
Training bank employees to spot such emails is essential, and there are several red flags to look out for:
senders the person ordinarily doesn’t communicate with
emails sent in the middle of the night
hyperlinks to different websites
The best way to sniff out a highly sophisticated phishing attack is to call the supposed sender directly and confirm the message.
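The red flags listed above, together with the tweaked-address trick described earlier (a middle initial inserted or a domain altered slightly), can be screened automatically before a human looks at the message. The following is an added example, not part of the original article: the sender directory, the sample message, the night-hours window, the edit-distance threshold and the reading of "different websites" as "a host outside the sender's domain" are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed directory of people this mailbox normally hears from (assumption).
KNOWN_SENDERS = {"jane.doe@bank.example", "ap@vendor.example"}

# Constructed sample message: inserted middle initial, 2 a.m., off-domain link.
SAMPLE = """From: Jane Doe <jane.q.doe@bank.example>
To: clerk@bank.example
Date: Tue, 06 Nov 2018 02:14:00 -0500
Subject: Urgent and confidential

Please review the wire details at http://bank.example.payments.test/wire today.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch slightly altered addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw, known=KNOWN_SENDERS, night=(0, 5)):
    """Return the list of red flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    flags = []
    if sender not in known:
        flags.append("unknown-sender")
        # Near miss of a known address: inserted/deleted initial, tweaked domain.
        near = [k for k in known if 0 < edit_distance(sender, k) <= 2]
        if near:
            flags.append("lookalike-of:" + sorted(near)[0])
    hour = parsedate_to_datetime(msg["Date"]).hour  # hour in the sender's stated zone
    if night[0] <= hour <= night[1]:
        flags.append("sent-at-night")
    domain = sender.rsplit("@", 1)[-1]
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            flags.append("link-to-other-site:" + host)
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that raises none of these flags can still be fraudulent, for instance when it is sent from a compromised real account, which is why the call-back check above remains the final control.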
Craig Guillot is a business writer who specializes in retail and finance. His work has appeared in such publications as the Wall Street Journal, CNBC.com, Bankrate.com and Better Investing.