Posted by: Robin "Roblimo" Miller
You’ve Closed Your IT Security Holes, but What About Your Bosses?
Here you are, Mr. or Ms. Totally Skilled IT Security Honcho, catching intrusions early and using cloud-based digital antibiotics to wipe out Windows funguses before they spread through your systems, but you still have bosses, and they can be major points of malware infection and other IT insecurity unless you take the time to train them about the baddies who go after them specifically, using spear-phishing tactics.
Plain old phishing is bad enough. Spear-phishing is worse because it is aimed (like a spear; get it?) at particular people, most profitably executives and business owners, and is dressed up with details about them so it looks legitimate. This threat is common enough that there’s a guy in Clearwater, Florida, named Stu Sjouwerman who has built a business, KnowBe4, out of dealing with human security problems, including spear-phishing.
A prime example Stu gives us is the fake Better Business Bureau Complaint.
- In this scam, Stu writes, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.
Now, you would spot this phony pitch. But would your sales director? Or your warehouse manager?
- How about this one?
A Smartphone (pseudo)Security App – With minimal research, cybercriminals can easily find the names and email addresses of a company’s senior management. Armed with that information, they can spoof an email from the CEO asking the CFO to click a link. Once clicked, it downloads a keystroke logger to the CFO’s computer. By this means, the hacker can obtain bank account information and passwords. If the bank uses two-factor authentication, the scammer simply spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually more malware. And with that, the cybercriminals have full access to the CFO’s account login credentials, and control any two-factor text messages sent to the CFO.
- Or this one:
Layoff Notice – This particular phishing tactic takes advantage of the current economic climate and targets employees. It begins with a spoofed email from the CEO or Human Resources informing recipients that they have been laid off, but that they are eligible for severance and unemployment benefits. Employees are asked to click a link to register for severance pay. The landing page looks just like the company’s website, and asks users to enter their name and Social Security number to log in. However, the website actually triggers a malware download to the user’s system; and if the victim enters any personal details, they are immediately at risk for identity theft.
- Even better, what about a Free Dinner in Return for Feedback?
By reviewing an executive’s social media profiles, cybercriminals are able to determine what organizations that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of one of those charities or organizations, asking the recipient to download a PDF that supposedly contains details on an upcoming campaign or event, and promises free dinner at the local restaurant as an incentive for providing feedback. When the PDF is downloaded, it installs malware to the system – and gives hackers direct access to the network.
- And what about a notice that says you’re being sued?
In this scenario, cybercriminals cull the email addresses of a company’s executives and legal counsel. They will then spoof an email from the legal counsel to the executive team, and attach a PDF that purports to contain information about new or pending litigation. When the recipients download the attachment, their system becomes infected and the entire network is compromised.
Stu says, “When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.”
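One concrete check an IT department can put behind the training, added here as an illustration and not taken from the original article or from KnowBe4: the CEO-to-CFO, layoff-notice and legal-counsel scenarios above all rest on either a trusted display name sitting on an address the organization does not control, a domain one or two characters off from the real one, or a Reply-To that quietly redirects the answer somewhere else. The script below parses a few constructed sample messages and flags exactly those three patterns. The executive roster, the company domain (example.com) and the messages are all assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed roster for the example: normalized display name -> the only address it may use.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "pat lee": "pat.lee@example.com",     # CFO
    "alex kim": "alex.kim@example.com",   # legal counsel
}
COMPANY_DOMAINS = {"example.com"}  # assumed: the domains the organization actually owns

# Constructed sample messages (one clean, three modelled on the scenarios in the text).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nTo: pat.lee@example.com\n"
             "Subject: Q3 numbers\n\nPat, see attached.\n",
    "freemail-exec": 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nTo: pat.lee@example.com\n'
                     "Subject: urgent wire\n\nPat, please click the link below.\n",
    "lookalike": "From: Alex Kim <alex.kim@exarnple.com>\nTo: jane.doe@example.com\n"
                 "Subject: pending litigation\n\nSee the attached PDF.\n",
    "reply-to": "From: Human Resources <hr@example.com>\nReply-To: severance-claims@hr-benefits.net\n"
                "To: staff@example.com\nSubject: Layoff notice\n\nRegister for severance here.\n",
}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace: 'Jane DOE, CEO' -> 'jane doe ceo'."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to catch exarnple.com posing as example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_company_domain(domain: str) -> bool:
    """Our own domains and their subdomains count as internal."""
    return domain in COMPANY_DOMAINS or any(domain.endswith("." + d) for d in COMPANY_DOMAINS)


def lookalike_of(domain: str):
    """Return the company domain this one imitates (edit distance <= 2), else None."""
    for d in COMPANY_DOMAINS:
        if domain != d and levenshtein(domain, d) <= 2:
            return d
    return None


def analyze(raw_message: str) -> list:
    """Return finding codes for one RFC 822 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)

    # 1. An executive's name on an address that is not that executive's real one
    #    (the CEO-to-CFO and legal-counsel-to-executive scenarios).
    norm = normalize_name(display)
    exec_name = next((n for n in EXECUTIVES if re.search(r"\b" + re.escape(n) + r"\b", norm)), None)
    if exec_name and addr.lower() != EXECUTIVES[exec_name]:
        findings.append("exec-name-external-address")

    # 2. A sender domain that is a near-miss of one we own.
    if domain and not is_company_domain(domain) and lookalike_of(domain):
        findings.append("lookalike-domain")

    # 3. Reply-To pointing somewhere other than the From domain
    #    (the layoff/severance scenario: the reply, and any data in it, goes to the attacker).
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain:
        findings.append("reply-to-mismatch")
    return findings


def scan_samples() -> dict:
    """Run every constructed sample through analyze()."""
    return {label: analyze(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, codes in scan_samples().items():
        print(f"{label:14s} {codes or 'clean'}")
```

This is deliberately the gap that SPF, DKIM and DMARC do not cover: those controls stop a message that forges your exact domain in the envelope, but a free-mail address wearing the CEO's display name, or a registered look-alike domain, passes them cleanly. Hook a check like this into the mail gateway or a mailbox rule to tag such messages, and the tag becomes one more cue the trained executive has been told to look for.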
Training is the core defense. Mail filtering and attachment sandboxing catch some of this, but not a clean-looking message that merely asks a trusting recipient to click; and training is not a one-time job, it needs regular refreshers. As you might imagine, Stu’s company will happily help you with human security training, for a fee. But KnowBe4 also has a free Phishing Security Test you might want to take, and Stu’s book, Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008, costs only $21.99 in paperback and $9.99 for Kindle, which is not much to pay for solid insight into security holes you might not have thought about before.
And there’s always the “do it yourself” alternative: gather all the information you can find online about phishing and other “human IT insecurity” problems and build your own internal security course, with updates. Whether you work with someone like KnowBe4 or go it alone, you cannot skip the updates, because people gradually forget what they learned in your security briefings and drift back to their old, bad habits unless you stay on top of them regularly, not for just a month or two but forever.