For a small to midsize business in Middle Tennessee, cyber security may not even make a list of the organization’s top 10 concerns. After an attack, a company’s first regret is not prioritizing it sooner.
What you spend your time worrying about—clients, revenue, innovation—these can all be compromised by a single cyber security breach.
Spear phishing, which is increasingly becoming one of the most common and destructive threats to cyber security, has targeted many Nashville companies, mine included.
Spear phishing is an email spoofing fraud that tricks a business into handing over confidential data or funds. It’s hardly ever random. In fact, perpetrators seeking financial gain, trade secrets or military plans only act after extensive research.
They tend to go after C-level executives with decision-making power. It’s wildly lucrative, with a recent scam successfully stealing $46 million from a well-regarded tech company in California. These breaches are not a consequence of reckless executives, but a testament to the sophistication and cleverness of the scam’s design.
How does it work?
In traditional phishing scams seeking money, the thief interacts with the victim’s bank directly, but with spear phishing, the crook tricks the victim into handling the transfer for him.
Thieves begin by phishing a company executive to acquire sensitive information. For example, an email may direct the executive to a website where she is prompted to update personal information. The imitation website then captures the inserted data.
The perpetrator then uses the captured data to access the individual’s email and send messages to other employees in the company from a look-alike domain name that differs by one or two letters from the true domain name. For example, if the company’s domain name was “unhackable.com,” the thieves may register “unhackab1e.com” and send messages from that domain.
The criminals can forge the sender’s email address displayed to the recipient so that the email appears to come from the correct name. However, the Reply-To address is on the look-alike domain, so any reply is sent to the fraudster.
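The two tricks just described, a look-alike domain one or two characters away from the real one and a Reply-To header that points somewhere other than the From address, are both visible in the message headers, so a mail gateway or analyst can check for them mechanically. The following Python is an added example written for this article, not code from the author or from any vendor; the organization domain is the article’s own “unhackable.com,” the homoglyph table and the sample messages are constructed for illustration, and the two-edit threshold is an assumed tuning value.

```python
import email
from email import policy
from email.utils import parseaddr

# The organization's real domain, taken from the article's own example.
ORG_DOMAIN = "unhackable.com"

# Digits and symbols that attackers substitute for look-alike letters
# (assumed list; extend it for the letters that appear in your own domain).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from 'Display Name <user@domain>'."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str, org: str = ORG_DOMAIN, max_edits: int = 2) -> bool:
    """True when a domain is not the org's own but sits within a couple of
    edits of it once homoglyphs are folded (the 'unhackab1e.com' trick)."""
    if not domain or domain == org:
        return False
    return levenshtein(domain.translate(HOMOGLYPHS), org) <= max_edits


def analyze(raw_message: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"] or "")
    # If Reply-To is absent, replies go to From, so compare against that.
    reply_domain = domain_of(msg["Reply-To"] or msg["From"] or "")
    findings = []
    if is_lookalike(from_domain):
        findings.append(f"From domain '{from_domain}' imitates {ORG_DOMAIN}")
    if is_lookalike(reply_domain):
        findings.append(f"Reply-To domain '{reply_domain}' imitates {ORG_DOMAIN}")
    if reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"
        )
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Pat Executive <pat@unhackable.com>
Reply-To: Pat Executive <pat@unhackab1e.com>
To: controller@unhackable.com
Subject: Urgent wire before close of business

Please handle the transfer today and confirm by reply.
"""

LEGITIMATE = """From: Pat Executive <pat@unhackable.com>
To: controller@unhackable.com
Subject: Lunch

Noon works.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, analyze(sample) or ["no findings"])
```

The Reply-To comparison is the cheap, high-value check: a message whose replies are routed to a different domain than the one it claims to come from deserves a second look regardless of how convincing the display name is. Folding homoglyphs before measuring edit distance catches the digit-for-letter substitutions the article describes, but the threshold should be tuned against your own mail flow, since short domains produce more accidental near-matches.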
What can you do?
Adopt two-factor authentication
The FBI advises businesses to use two-factor authentication, a process where the individual provides two components of identification. This method adds an extra layer of security to accessing email.
Be careful on social media
Businesses should be wary of what information they are posting about employee activities on their websites or social media. Attackers will use any information they can to learn more about the executives they are targeting, like when they’ll be in or out of the office.
Enable Sender Policy Framework (SPF) checking
Email rules can be configured in your mail server or spam-filtering software to block spelling variants of an organization’s domain.
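To make the SPF recommendation concrete, here is a deliberately small evaluator showing what a receiving mail server does with a domain’s SPF record: it compares the connecting server’s IP address against the ip4/ip6 and include mechanisms and returns the verdict attached to the first match. This is an added example written for this article, not the author’s code or any mail product’s implementation; the DNS records are a constructed in-memory table standing in for real TXT lookups, the IP addresses are documentation ranges, and only the all, ip4, ip6 and include mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for real DNS lookups (assumption:
# in production you would resolve these with a DNS library, not a dict).
FAKE_DNS = {
    "unhackable.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    # A registered look-alike domain can publish its own, perfectly valid record.
    "unhackab1e.com": "v=spf1 ip4:192.0.2.5 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, lookup=FAKE_DNS.get, depth: int = 0) -> str:
    """Evaluate the SPF record for `domain` against the sending IP.

    Returns pass, fail, softfail, neutral, none or permerror. Supports the
    all, ip4, ip6 and include mechanisms; a, mx, exists and redirect are
    skipped here to keep the example short.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms to stop include loops
        return "permerror"
    record = lookup(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv6 address never falls inside an IPv4 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        else:
            continue  # unsupported mechanism in this sketch
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit 'all'


if __name__ == "__main__":
    for domain, ip in (
        ("unhackable.com", "203.0.113.7"),
        ("unhackable.com", "198.51.100.10"),
        ("unhackable.com", "192.0.2.5"),
        ("unhackab1e.com", "192.0.2.5"),
    ):
        print(domain, ip, check_spf(domain, ip))
```

The last case in the usage block is the caveat worth remembering: SPF only asserts which servers may send for a given domain, so mail from the look-alike “unhackab1e.com” passes SPF if the fraudster published a record for it. SPF stops outright forgery of your real domain; the spelling-variant rules described above are what catch the look-alike.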
Make sure money is never transferred following an email prompt. In any circumstance where you are exchanging money or company data, always ask for a second form of verification, like a phone call.
Bring in an IT consultant to run your company through training and phishing simulation. For one corporation, initial training decreased their click rate on phishing scams by 39%. Knowing what to look for can thwart a multitude of disasters.