Back to my childhood fishing stories; they really do tie in here as well. I can remember going to a fast stream to go fly fishing for Rainbow Trout and Specks, as they were called. I remember seeing these kids standing on the rocks right at a large pool just near the fastest water. One of them had a spear in hand, and they were finding and then spearing the largest, juiciest trout in the stream. I thought that just isn’t fair. They had done their research, they knew where the largest and best fish would be, and using a spear they could precisely target the ideal fish to give them the greatest reward for
Let me introduce you to a tactic cyber-criminals use called Spear Phishing: the criminal identifies the big fish and goes after the juicy reward. They learn about the organization they are targeting, who the “big fish” is (the CEO, the boss, etc.) and who reports directly to that person. That direct report holds the keys to the kingdom. Busy executives sometimes use very direct language in their email, a command language, terse and to the point. They might also be intense people, not very forgiving of those who do not follow their instructions precisely.
These emails come in as requests (really demands) for company Personally Identifiable Information (PII), like the incident at Sprouts in California, where an email that appeared to be from the CEO asked for the list of all employees with all their data (employee SSN/SIN, address, etc.). The Director of HR personally sent the information for all 28,000 employees to the phisher he thought was the CEO. By simply following what he took to be a command from his superior, he caused a major privacy issue for the organization. This is what is known as a spear phishing email. In another spear phishing example, a CFO received an email from the president instructing them to wire $250,000 to a bank account because he had just finished a deal. The email purportedly told the CFO, “you know I am at this conference and have limited access to email, please do not delay, this deal needs to be closed today!” What are people in these positions expected to do?
It is important that we put in place checks and balances to ensure that demands made by email are genuine. As busy executives we need to understand the risk and create a method for our staff to validate these requests. We need to educate and empower our staff to question the validity of these requests and to verify our email addresses before they act on anything. Perhaps as executives we need to tell our staff that we will never request large financial transactions by email alone; such transactions could be handled by telephone, backed by a “please call me if you are not sure” policy.
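One way to turn that policy into something the receiving staffer can run is a small screening step over the incoming message: check that the sender’s address really is on the company domain, that Reply-To is not quietly redirecting the conversation elsewhere, that an executive’s display name is paired with that executive’s real address, and that any request for funds or employee data is held for a phone call-back regardless of how clean it looks. The script below is an added example written for this post, not code from the original article or from Codefusion Communications; the company domain, the executive directory and the three sample messages are constructed for illustration.

```python
"""Screen an inbound executive request for spear-phishing indicators.

Added example, not code from the original post. The company domain, the
executive directory and the three sample messages are constructed for
illustration. The screen does not judge a message fraudulent; it decides
whether the request must be confirmed by a phone call before anyone acts,
which is the "never by email alone" policy the post recommends.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                      # assumed company domain
EXECUTIVES = {"pat quinn": "pat.quinn@example-corp.test"}  # assumed: name -> real address

# Requests that must never be actioned on email alone (funds, PII, payroll data)
SENSITIVE = re.compile(r"\b(wire|transfer|ssn|sin|w-?2|payroll|all employees)\b", re.I)
# Pressure and "can't be reached" phrasing like the examples in the post
PRESSURE = re.compile(r"\b(today|asap|urgent|immediately|do not delay|limited access)\b", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message: str) -> dict:
    """Return the indicators found and the action the receiving staffer should take."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    indicators = []
    if _domain(from_addr) != COMPANY_DOMAIN:
        indicators.append("sender address is outside the company domain")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        indicators.append("Reply-To points to a different domain than From")
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        indicators.append("display name is an executive's but the address is not theirs")
    sensitive = bool(SENSITIVE.search(text))
    if sensitive and PRESSURE.search(text):
        indicators.append("sensitive request combined with urgency or unavailability")

    # Policy: sensitive requests are always confirmed by phone, clean-looking or not;
    # indicators additionally route the message to the security contact.
    if sensitive and indicators:
        action = "hold; verify by phone and report to security"
    elif sensitive:
        action = "hold; verify by phone before acting"
    elif indicators:
        action = "report to security"
    else:
        action = "handle normally"
    return {"sensitive": sensitive, "indicators": indicators, "action": action}


# Constructed samples (not real messages)
SPOOFED_CEO_REQUEST = """\
From: Pat Quinn <pat.quinn@examp1e-corp.test>
Reply-To: Pat Quinn <pat.quinn.ceo@freemail.test>
To: hr-director@example-corp.test
Subject: Need the employee list today

I am at the conference with limited access to email. Send me the
list of all employees with SSN and home address, do not delay.
"""

GENUINE_WIRE_REQUEST = """\
From: Pat Quinn <pat.quinn@example-corp.test>
To: cfo@example-corp.test
Subject: Closing the deal

Please wire $250,000 to the account in the signed agreement once legal has approved.
"""

ROUTINE_MESSAGE = """\
From: Pat Quinn <pat.quinn@example-corp.test>
To: hr-director@example-corp.test
Subject: Team lunch

Can we move Friday's lunch to 12:30? Thanks.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_CEO_REQUEST),
                          ("genuine wire", GENUINE_WIRE_REQUEST),
                          ("routine", ROUTINE_MESSAGE)]:
        print(label, screen(sample))
```

The point of the second sample is that a wire request from the genuine address, with no indicators at all, is still held for a call-back: the control is the out-of-band confirmation, and the indicators only decide whether security also needs to hear about it.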
We need to make it a priority to protect our organization from leaking confidential information and from financial loss. Protecting our organizations from cyber crime is a team effort, which means we as management must be committed to educating ourselves and our staff on how to recognize both phishing and spear phishing attacks.
Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Have questions? Book a free consultation call with us.