Their network was secure.
Their data was encrypted.
Their firewall was fully functioning.
But that didn’t stop a sophisticated spear phishing scheme from tricking our client into forfeiting a five-figure sum.
Each week my team encounters another example of spear phishing. Each month, hackers are busy at work—trying to compromise companies and steal their funds.
This month, our client was one of their victims.
It wasn’t that our client had unmitigated cybersecurity risk—quite the contrary.
What makes spear phishing attacks so dangerous is that hackers bypass all of your network security and compromise your employees. And, to mitigate your risk, you must educate your team.
In this article, I’m sharing some details on this spear phishing example with our client’s permission.
I’d encourage you to have your employees read what happened—and schedule a team discussion on how to better protect your business.
How Does Spear Phishing Work?
Before we dive into our client’s spear phishing example, it’s important to understand the mechanics of a spear phishing attack.
You can generally break the process down into three steps.
1. Bots collect information.
Spear phishing doesn’t begin with a hacker personally breaking into an employee’s email account. The beginning stages of spear phishing are actually automated.
Hackers employ bots to harvest publicly available information.
For instance, a bot might collect data from your company website…or even your LinkedIn account.
2. Bots impersonate real people (spoofing).
In this second step, hackers still rely upon bots. This time, the purpose is sending deceptive emails. These emails might impersonate someone an employee knows, such as the CEO.
The “CEO” might ask the employee to disclose some kind of sensitive information…perhaps under a legitimate guise.
In one spear phishing example we saw, a hacker pretended to be the CEO of a company. It was Christmastime, so this “CEO” asked an employee to buy Amazon gift cards and send over the codes for the purchased cards.
To make these kinds of emails appear true-to-life, hackers alter the “from” field. (It’s the section of an email that supposedly indicates who wrote the message.) However, if you look in the backend, you’ll find the actual address.
If your employee can’t see this, it’s easy for a hacker to trick him into disclosing sensitive information…which then leads to the final step of the attack.
3. A hacker leverages the information to extort money.
Once your employee discloses sensitive information or responds to a spear phishing email, an actual hacker may become involved. The hacker will attempt to use the sensitive information he stole to manipulate your employee into transferring money.
You might think your company is immune to compromised data security.
But realize that hackers are getting much more targeted. As you’ll see in our client’s spear phishing example, an attack can be quite elaborate.
A Sophisticated Spear Phishing Example: Our Client’s Story
Our client and their vendor were communicating via email.
At the center of the discussion was a payment (to the vendor) that was worth tens of thousands of dollars.
But here’s something neither of them knew.
The vendor had suffered a data security breach. Somehow, a hacker had gained access to an email account…perhaps by impersonating a reputable organization or person.
And even though our client had ironclad network security, the vendor’s breach gave the hacker access to our client’s sensitive information.
The hacker (or hackers) had the leisure to read the email exchange.
They saw the discussion that was taking place.
And a spear phishing attack was launched.
The hacker messaged our client through email and impersonated our client’s vendor. They began to demand payment from our client…daily.
Our client did notice that their “vendor” made some writing mistakes.
What our client didn’t notice was this: the domain used as the email address was slightly incorrect.
The hacker had purchased a domain that was nearly identical to the vendor’s domain and had created an email address. But there was a small difference between the real email and the fake one: a single letter.
The sophistication of this attack is stunning.
The hacker chose a relevant discussion to target. They created a nearly identical email address. They pushed some key psychological buttons.
At last, our client gave in and sent the hefty payment.
Shortly afterward, the real vendor inquired about the sum under discussion. In response, our client replied that they had already paid the amount—and our client forwarded their vendor an email as proof.
It didn’t take long for our client to realize they had been scammed.
Once Proactive IT was notified, we changed all our client’s passwords and helped law-enforcement investigators in the aftermath. But here’s the reality…
I don’t think our client will get their money back. Once a hacker transfers your funds to their account, all they need to do is wire the money abroad. And it’s unrecoverable.
Lessons to Learn from This Spear Phishing Example
From lost revenue to wasted time, you can imagine the damage our client has suffered from this spear phishing attack.
And there’s no good reason why your company should succumb to a scam that’s easily avoidable.
As you learn about this spear phishing example, I’d encourage you to make it a teaching moment for your company and its employees.
Here are 7 lessons from this spear phishing attack you can discuss with your team:
1. Have a smart process around the movement of money.
Your company needs a dedicated policy and procedure for making financial decisions.
A key part of your policy should be this: Never take financial action based on an email only.
Your employees need to realize that email is inherently insecure. There’s simply no such thing as a “trustworthy” email.
Any wire transfer your company completes should be based on human confirmation, not an email thread. That means picking up the phone and calling the person who is requesting the payment.
You need to realize that hackers prey on employees’ busyness.
They exploit people who need to get stuff done.
If you’re a decision-maker, it’s your responsibility to create a standard operating procedure for sending money.
Don’t allow expediency to enable a hacker to steal your hard-earned revenue. While phone calls may seem like a waste of time, the biggest waste is sending $100,000 to a scammer overseas.
2. Put your team to the test.
In my blog on the PCI DSS, I mentioned how some of our clients undergo simulated scams to check their PCI compliance. In the same way, you might consider putting your employees to the test when it comes to spear phishing. (At Proactive IT, this is actually something we offer. Feel free to contact one of our team members for more information on this service.)
3. Use two-factor authentication.
I mentioned this in another blog, but it bears repeating.
You need two-factor authentication (2FA).
I don’t care if you’re a small business, a medium-sized firm, or a 1,000-employee corporation. When you use 2FA, you make it tough for hackers to break into an employee’s email account.
Sure, it’s going to create more hassle for your employees. But it will also ensure that should a hacker obtain an employee’s username and password, this doesn’t mean he or she will have access to your employee’s account.
4. Have employees hover over any emailed link before clicking.
Spear phishing attacks employ an email with a deceptive link.
It doesn’t matter if your employee received an email with Microsoft branding and logos that said, “Click here to visit your Microsoft Outlook account.” That doesn’t mean Microsoft sent the URL.
Our recommendation is to hover over a link before clicking through.
Any hacker can alter the hypertext.
What matters is the actual URL.
And if the URL doesn’t look reputable or contains errors, your employees should never click it.
Keep in mind that this doesn’t completely guarantee security. In our client’s case, the hacker(s) had a strikingly similar domain to our client’s vendor. And it’s possible a scammer might do this with a URL as well.
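As an added example (not code from the original post or from Proactive IT), the following Python script automates the two checks described in our client’s story and in this lesson: it flags a sender domain that is one edit away from a trusted vendor domain, and it flags a link whose visible text shows one host while its actual target points to another. The trusted-domain list and the sample message are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-vendor.com"}  # constructed; a real list comes from the vendor master file

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (exactly one edit away), else None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    return next((t for t in trusted if edit_distance(domain, t) == 1), None)

def link_host_mismatches(html):
    """(shown host, real host) pairs where anchor text looks like a URL but its href goes elsewhere."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        text = text.strip()
        if "." in text and " " not in text:  # only anchor text that itself looks like an address
            shown = urlparse(text if "://" in text else "//" + text).hostname
            if shown and shown != urlparse(href).hostname:
                out.append((shown, urlparse(href).hostname))
    return out

def check_message(raw):
    """Return findings for a raw RFC 822 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    findings = []
    mimic = lookalike_of(sender_domain)
    if mimic:
        findings.append(f"sender domain {sender_domain} is one edit away from trusted {mimic}")
    for shown, real in link_host_mismatches(msg.get_payload(decode=True).decode()):
        findings.append(f"link text shows {shown} but points to {real}")
    return findings

# Constructed sample: the sender's domain drops one letter and the link text hides a different host.
SAMPLE = """From: Accounts Payable <ap@example-vendr.com>
Subject: Outstanding invoice 4471
Content-Type: text/html

<p>Please settle today via <a href="http://example-vendr.com/pay">https://portal.example-vendor.com/pay</a>.</p>
"""
```

Running `check_message(SAMPLE)` returns both findings; a message from the genuine vendor domain with honest links returns an empty list.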
5. Tell employees to visit a site directly.
Not sure if an email is coming from a hacker or a legitimate sender?
Don’t click the link.
Instead, have your employees visit the site in question…directly.
In the online account, employees can check if the organization is handing out the same instructions contained in the email. (For instance, your banking app might have a dedicated space for messages.)
If an employee is still in doubt, have him pick up the phone and call the organization.
6. Instruct employees to pay attention to the actual email.
Have your employees examine the details of any email requesting sensitive information.
In addition to carefully scrutinizing the email address, they should also pay attention to the grammar of the email.
If you have employees who didn’t make As in high school English class, introduce them to a tool, such as Grammarly, to spot language errors.
7. Consider implementing DMARC in your organization.
Another recommended defense against spear phishing is DMARC. If you’re wondering what this is, DMARC.org explains that the acronym stands for “Domain-based Message Authentication, Reporting & Conformance.”
Here’s how DMARC.org describes what this safeguard can do for email messages:
“Receivers supply senders with information about their mail authentication infrastructure while senders tell receivers what to do when a message is received that does not authenticate.”
But please realize that DMARC won’t solve all your problems. Here, you’ll find that DMARC.org itself says hackers can still alter the “from” field, as we discussed above.
However, some protection is better than none—so you might consider implementing this in your organization.
How to Prevent Spear Phishing for Your Company
Spear phishing isn’t going away anytime soon.
There’s simply no way any IT expert can secure something that’s inherently insecure—namely email.
I’m not even immune from the threat. If you haven’t already, read this blog post on how I was nearly spear phished.
Frankly, your organization is only one clever email away from a spear phishing attack.
That’s why it’s important to educate your employees and establish a policy that protects your business from threats.
At Proactive IT, we understand the vulnerability that your employees face. And it’s one reason we offer employee training on cybersecurity. If you’re located in Charlotte, we’d be happy to discuss how we can assist in employee education. To get in touch, call us at 704-464-3075, or contact us here.