We recommend you copy and paste this section, and send it to your
executive team, with a warning that they might be targeted with
spear-phishing attacks. They need to 'Stop, Look, Think' when they
get emails like this. Or, instead of cut and paste, you can send your
execs this Permalink:
http://blog.knowbe4.com/the-top-5-executive-spear-phishing-scams/
5) "Complaint from the Better Business Bureau". A few execs get an
official-looking complaint that a customer supposedly has filed, or,
more recently, one that states: 'Your company is accused of supporting
illegal business'. The email claims your business is involved in
identity theft, demands a reply within 7 days, and asks the exec to click
on a link with the complaint ID. If the exec clicks, the PC will be
infected with malware.
4) "New Security App For Your Smartphone". Bad guys go to your website
and figure out who your CFO and CEO are. They spoof an email from the
CEO to the CFO and get the CFO to click on something. The CFO's PC is now
infected with a keylogger. From the keylogger they learn who you are
banking with, and that the bank uses two-factor authentication via the
CFO's mobile phone. Next, they spoof an email 'from the bank' to the CFO
that instructs the CFO to download and install a new security app on their
phone, but this app is actually malware under the control of the bad guys.
Now they have not only the normal banking logon credentials, but also
control of the two-factor text message sent to the CFO, which opens the
door to all kinds of (expensive) trouble.
3) "Unfortunately, you are part of a layoff". Cybercriminals take
advantage of the current economic conditions and spoof an email
that supposedly comes from either the CEO or from Human Resources. It
states that the employee has been laid off and must click on a link
to claim their severance pay. The link leads to a page that looks just
like the company website and asks for the first name, last name and
SSN# to verify who they are and make sure that they are in the queue
for severance. Double whammy: the PC is infected and the employee's
identity has been compromised.
2) "Free Dinner At Your Favorite Restaurant". The CEO of a company is
singled out for a spear-phishing attack. The attackers do their research
using social media and find that the CEO is active in an anti-cancer
charity because one of the CEO's family members is a survivor. They also
figure out that the CEO has a favorite restaurant about 20 miles away.
They spoof an email from the charity's chief fund-raiser with an
attached PDF that promises a free dinner, and ask the CEO to open the PDF
containing the new fund-raising campaign they need feedback on. One click,
the PC is infected and the network compromised. (Hat Tip to Chris Hadnagy.)
1) "We've been sued". Bad guys go to your company website, look at the
'Executive Team' page and find out who your In-House Legal Counsel is.
Then they do a deep search on the Internet for all email addresses of
your company and work out the address convention (e.g. first letter of
the first name, followed by the last name). Then they spoof the email
address of your counsel, attach an infected PDF that pretends to be about
new or pending litigation, and send it to two or three execs. They open
it and bingo, your network is compromised.
Attacks like this happen all the time. There are still many organizations
that do not have Sender Policy Framework (SPF) enabled. Having SPF
configured correctly blocks most spoofing attacks in the examples
above. And of course Security Awareness Training for all staff,
especially the execs, is a must, as they are prime targets. Here is
a link to more data on SPF:
http://en.wikipedia.org/wiki/Sender_policy_framework