Spear phishing is a growing problem. If you haven’t heard of it, spear phishing is the fraudulent practice of sending emails or other messages (a text message, for example) that appear to come from a known or trusted sender, in order to induce targeted individuals to reveal confidential information about the organisation, to provide details that would allow a compromise of the network, or to execute a financial transaction. Most of the large spear phishing breaches have targeted wire transfers and financial transactions.
Many people have heard of phishing attacks but don’t know the difference between phishing and spear phishing. At its most basic level, the difference is that phishing attacks aren’t tailored to the individual receiving the email or message. Spear phishing attacks, on the other hand, target specific individuals within an organisation. They are targeted because they can execute a transaction or provide the data the fraudster is after, and most typically they work in the finance organisation, where they can execute, for example, a wire transfer. There have been many examples of high-profile spear phishing attacks that have led to significant financial loss.
The financial impact
One of the most famous data breaches involving spear phishing was at Anthem, a US healthcare insurer, which settled a $115 million class action. The breach stemmed from a spear phishing attack that allowed access to over 78 million healthcare records.
Ubiquiti Networks is another example, this time involving international wire transfers. Spear phishing induced the finance organisation to send 46 million to scammers overseas by wire transfer; the company was able to recover about 8 million of that 46.
An Austrian firm, FACC, lost 50 million euros, and its CEO was fired as a result. A Belgian bank, Crelan, lost $75 million. Even the largest tech organisations are not immune to this type of scheme: Facebook and Google were reported in the past couple of years to have lost $100 million.
Reports point towards billions of dollars of losses in 2018. Exact figures aren’t always available, because not everything is made public, but spear phishing attacks against businesses, primarily targeting financial transactions and wire transfers, account for billions of dollars of losses.
How spear phishing attacks work
Unlike phishing attacks, which target a large audience and are often distributed by botnets, spear phishing targets very specific individuals, most typically within a finance department. The fraudster crafts fake emails and other documents. For example, they will craft an invoice from a company they have set up to receive the wire transfer, complete with wire transfer details and the target account for the money.
The emails themselves look like they come from someone in the recipient’s chain of management. They often appear to come directly from the CEO, the CFO or other high-level employees and VPs within the organisation who have the authority to direct payments or wire transfers.
The attack exploits normal business operations to create a sense of urgency, so that the employee executes a large transfer on behalf of one of their bosses, typically a very senior one. Besides wire transfers, the target can also be other electronic payments.
Preventing spear phishing attacks
There is a variety of recommendations on how to combat these attacks. Most solutions you’ll see focus on email security and education. On the education side, employees, certainly within your finance organisation, should be aware of this threat, and there should be a process for vetting the emails they receive, especially ones that ask them to execute a financial transaction such as a wire transfer.
For requests that carry a sense of urgency, there should be a process for verifying and vetting them within the organisation. Strong email security solutions, such as secure email gateways that combat forged emails and look for phishing and spear phishing emails, can also provide value.
Policy can be complemented by technology. One measure is a stronger authorisation process, using authentication techniques, for business financial transactions; you can work with your bank to provide authorisation within their business apps, especially for wire transfers. There has to be granularity in when you apply these authorisation techniques. For example, there should be financial thresholds above which explicit approval is required. That might be £1,000, £5,000 or £10,000, whatever is normal within your organisation, so that the stronger approval process applies where the risk is much higher.
There should also be out-of-band approval for financial transactions. A wire transfer is typically executed through a banking app, perhaps on the web, so the approval should come through a separate channel; a mobile app is a good example of out-of-band approval.
Another recommendation is multi-party approval. You can designate two individuals who must both approve transactions over, say, £10,000. That eliminates the concern about a single individual being tricked, and it raises the bar for a spear phishing attack, which now has to fool two people in the wire transfer approval process. For instance, a manager can be part of the approval process alongside the individuals who have the ability to execute transfers.
Again, that approval should be in-app and out of band, and it should include the details of the transaction itself: who the money is going to and what the amount is, so that both individuals see them. It should use strong authorisation and authentication technology, with strong MFA. Executing transactions this way also gives you non-repudiation: you know exactly who executed the transaction, and they can’t claim it was an accident or someone else, and you can add multi-party approval on top of that.
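The controls described in the last few paragraphs, as an added example that is not iovation’s code or the article’s own: a small approval-policy check that refuses a transfer unless its approvals satisfy the threshold rules, arrived over an out-of-band channel with MFA, are bound to the beneficiary and amount the approver actually saw, and, above the higher threshold, come from two distinct people other than the initiator. The thresholds, channel names and approver names are assumed values constructed for illustration.

```python
from dataclasses import dataclass
# Added example, not iovation's code. Thresholds, channel names and approver
# names are constructed for illustration; amounts are assumed to be in GBP.

@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount: float

@dataclass(frozen=True)
class Approval:
    approver: str
    channel: str        # channel the approval arrived on, e.g. "mobile_app"
    mfa_verified: bool  # approver completed MFA on that channel
    beneficiary: str    # details shown to and confirmed by the approver
    amount: float

@dataclass(frozen=True)
class Policy:
    approval_threshold: float = 1000.0       # explicit approval above this
    multi_party_threshold: float = 10000.0   # two distinct approvers above this
    out_of_band_channels: frozenset = frozenset({"mobile_app"})

def required_approvals(policy, transfer):
    # Number of distinct approvers the policy demands for this amount.
    if transfer.amount > policy.multi_party_threshold:
        return 2
    if transfer.amount > policy.approval_threshold:
        return 1
    return 0

def evaluate(policy, transfer, initiator, approvals):
    """Return (allowed, reason). An approval counts only if it came out of band,
    passed MFA, matches the details the approver saw, and is not self-approval."""
    approvers = set()  # a set, so one person approving twice counts once
    for a in approvals:
        if a.channel not in policy.out_of_band_channels:
            return False, f"{a.approver}: approval not out-of-band ({a.channel})"
        if not a.mfa_verified:
            return False, f"{a.approver}: approval without MFA"
        if (a.beneficiary, a.amount) != (transfer.beneficiary, transfer.amount):
            return False, f"{a.approver}: approved details differ from transaction"
        if a.approver == initiator:
            return False, f"{a.approver}: initiator cannot approve own transfer"
        approvers.add(a.approver)
    needed = required_approvals(policy, transfer)
    if len(approvers) < needed:
        return False, f"need {needed} distinct approver(s), have {len(approvers)}"
    return True, "approved"
```

The detail-binding check is what defeats the classic swap: an approver who confirmed one beneficiary cannot be reused to release money to another.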
Author: Scott Olson, VP of Product Marketing at iovation