March 27, 2021

EOC Bootcamp #7: All the Phish in the Sea


-Written by David Whittier

Scammers are getting better.

I don’t mean that they are improving in their ethics.  I mean they are becoming more effective in their attempts to get money from us, and we need to be more vigilant in order to make sure our hard-earned dollars stay in our pockets.

I was once the Executive Director for a non-profit organization with a great staff.  They were hard-working and dedicated and would happily do what needed to be done to support the organization.  So, I was a little bit concerned when I got to the office one Monday morning to have one of the staff come up and apologize.

“What are you sorry about?” I asked.

“Well, I wasn’t able to get you the gift cards you asked me to buy over the weekend. You know, that email you sent.”

Uh-oh.

I didn’t ask anyone to buy any gift cards.  I asked if she could send me the email.  Sure enough, she had received a request from me, saying I was busy in a meeting and couldn’t talk, but could she go out and buy $200 worth of iTunes cards for a client and I would pay her back.

There’s a name for this sort of scam: spear phishing. It’s where the scammer specifically identifies a recipient (hence the “spear”) for the scam, rather than sending out a generic email to who knows how many addresses.  The experience we had is an example of a specific type of spear phishing, called the “CEO scam”, where the scammer tries to impersonate a senior member of the organization in order to get money or valuable information.  And it’s not trivial.  Losses around the world to this kind of scam are in the billions.

How can you spot a spear phishing attack?

  1. Check the email address. Many have a domain name that is close to yours, but not exact.
  2. Look for a generic subject line.  I don’t put “Hello” as the subject of many of my emails, for example.
  3. The greeting may be generic or out of place.
  4. Requesting gift cards or funds transfers, by email, without any sort of additional context is unusual.
  5. Scammers will often try to create a fake sense of urgency to get people motivated to obey.
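The five checks above are exactly the kind of heuristics a mail gateway or help-desk triage script can apply automatically before a message ever reaches a busy staff member. The script below is an added example written for this post, not code from the original article; the word lists, the flag names, the two-edit lookalike threshold, the "verdict" policy and both sample messages (names and domains included) are constructed for illustration and would need tuning for a real organization.

```python
"""Heuristic triage for CEO-scam style spear phishing (added example, not from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed word lists for illustration; a real deployment would tune these.
GENERIC_SUBJECTS = {"", "hello", "hi", "request", "quick request", "are you available?", "urgent request"}
GENERIC_GREETING = re.compile(r"^\s*(hi|hello|hey|dear (colleague|employee|team|all))\s*[,!]?\s*$", re.I)
PAYMENT_TERMS = re.compile(r"gift ?cards?|itunes|google play|wire transfer|funds? transfer", re.I)
URGENCY_TERMS = re.compile(r"\burgent(ly)?\b|\basap\b|right away|immediately|can'?t talk|in a meeting|end of (the )?day", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch lookalike domains such as exarnple.org vs example.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    """Return the first text/plain body as a string (decoded if transfer-encoded)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_message: str, org_domain: str, executives: frozenset = frozenset()) -> List[str]:
    """Apply the five spotting rules to one RFC 5322 message and return the flags raised."""
    msg = message_from_string(raw_message)
    flags: List[str] = []

    # 1. Sender domain: exact match is fine; a near miss is the classic lookalike.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    org = org_domain.lower()
    if domain != org:
        if levenshtein(domain, org) <= 2:
            flags.append("lookalike-domain")
        elif display_name.strip().lower() in executives:
            flags.append("executive-name-from-external-domain")

    # 2. Generic subject line.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in GENERIC_SUBJECTS:
        flags.append("generic-subject")

    body = _body_text(msg)
    lines = [line for line in body.splitlines() if line.strip()]

    # 3. Generic greeting with no recipient name.
    if lines and GENERIC_GREETING.match(lines[0]):
        flags.append("generic-greeting")

    # 4. Gift cards or funds transfers requested by email.
    if PAYMENT_TERMS.search(body):
        flags.append("gift-card-or-transfer-request")

    # 5. Manufactured urgency in subject or body.
    if URGENCY_TERMS.search(subject + "\n" + body):
        flags.append("urgency-pressure")
    return flags


def verdict(flags: List[str]) -> str:
    """Assumed policy: a money request or any sender-identity flag escalates on its own;
    otherwise two or more weaker signals do."""
    strong = {"lookalike-domain", "executive-name-from-external-domain", "gift-card-or-transfer-request"}
    if strong & set(flags) or len(flags) >= 2:
        return "hold-and-verify-out-of-band"
    return "deliver"


# Constructed samples modelled on the incident in the post; names and domains are made up.
SCAM_SAMPLE = """\
From: Pat Director <pdirector@exarnple.org>
To: staff@example.org
Subject: Hello

Hi,

I'm in a meeting and can't talk right now. Could you pick up $200 worth of
iTunes gift cards for a client today? I'll pay you back as soon as I'm out.
Send me the card codes when you have them.
"""

BENIGN_SAMPLE = """\
From: Pat Director <pdirector@example.org>
To: sam@example.org
Subject: Q3 budget spreadsheet

Hi Sam,

Attached is the Q3 budget spreadsheet we discussed. Let me know if anything
looks off before Thursday's board call.
"""

if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, BENIGN_SAMPLE):
        f = triage(sample, "example.org", frozenset({"pat director"}))
        print(f, "->", verdict(f))
```

Run against the constructed scam sample, all five rules fire and the message is held; the benign sample from the same (real) domain raises nothing. The point of returning individual flags rather than a single score is that the help desk can tell the recipient which rule tripped, which is itself the training the post recommends.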

Social engineering is one of those cases where the biggest weakness in a company’s IT security posture is its employees.  Take the time to train your people to recognize these sorts of scams and have procedures in place for when they occur.  The well-being of your company depends on it.