SPEAR PHISHING – Targeted phishing for “big fish”. The greatest threat to your organization.


Back to my childhood fishing stories, they really do tie in here as well. I can remember going to a fast stream to go fly fishing for Rainbow Trout and Specks, as they were called. I remember seeing these kids standing on the rocks right at a large pool just near the fastest water. Someone had a spear in their hand, and they were finding, then spearing, the largest, juiciest trout in the stream. I thought that just isn’t fair. They did their research and they knew where the largest, the best fish would be, and using a spear they could precisely target the ideal fish to give them the greatest reward for their efforts.

Let me introduce you to a tactic cyber-criminals use called Spear Phishing. This is where the criminal identifies the big fish and goes after the juicy reward. They learn about the organization they are targeting, they learn who the “big fish” is (the CEO, the boss, etc.), and they learn who reports directly to that person. This direct report holds the keys to the kingdom. Busy executives sometimes use very direct language in their email, a command language (terse and to the point). They might also be intense people and not very forgiving of those who do not follow their instructions precisely.

These emails come in as requests (demands) for company Personally Identifiable Information (PII), like the incident at Sprouts in California, where an email which appeared to be from the CEO asked for the list of all employees with all of their data (employee SSN/SIN, address, etc.). The Director of HR personally sent the information for all 28,000 employees to the phisher, who he thought was the CEO. He caused a major privacy issue for the organization simply by following what he thought was a command from his superior. This is what is known as a spear phishing email. In another spear phishing example, a CFO received an email from the president instructing them to wire $250,000 to a bank account because he had just finished a deal. The email purportedly told the CFO, “you know I am at this conference, and have limited access to email, please do not delay, this deal needs to be closed today!” What are people in these positions expected to do?

It is important that we put in place checks and balances to ensure that demands made by email are genuine. As busy executives, we need to understand the risk and create a method for our staff to validate these requests. We need to educate and empower our staff to question the validity of these requests and to verify our email addresses before they do anything. Perhaps as executives we need to inform our staff that we will not request large financial transactions via email alone. These types of transactions could be handled by telephone, or under a “please call me if you are not sure” policy.
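A small screening aid for the checks described above, added here as an example and not code from the original post or from Codefusion. It parses an incoming message and flags the signs the post describes: an executive's display name on an address other than the one we know, a sender domain that is external to the organization or merely resembles it, a Reply-To that diverts the conversation elsewhere, a request for employee PII or a wire transfer, and pressure to act today. The organization domain, the executive roster and the two sample messages are constructed placeholders, not real data.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example (placeholders, not any company's real data): the
# organization's own mail domain and the executives whose names are worth impersonating.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # lower-cased display name -> known address

# Phrases drawn from the post's two scenarios: a request for employee PII and an urgent wire.
SENSITIVE_PHRASES = ("wire", "bank account", "ssn", "sin", "all employees", "payroll", "w-2")
URGENCY_PHRASES = ("today", "do not delay", "limited access to email", "urgent", "asap")

# Constructed sample messages. The first mimics the post's wire-transfer scenario
# from a lookalike domain; the second is an ordinary internal note.
SAMPLE_WIRE_REQUEST = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jdoe.ceo@webmail-example.net
To: cfo@example.com
Subject: Deal closed - wire today

You know I am at this conference and have limited access to email.
Please wire $250,000 to the bank account below, do not delay, this deal
needs to be closed today!
"""

SAMPLE_INTERNAL_NOTE = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attached are the slides for Thursday. No action needed.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _find_phrases(text: str, phrases) -> list:
    """Whole-word, case-insensitive match so 'sin' does not fire on 'business'."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text, re.IGNORECASE)]


def check_executive_request(raw_message: str) -> dict:
    """Collect reasons an email should be validated out of band before anyone acts on it.

    Returns a dict of reason-code -> detail. An empty dict means nothing stood out;
    this is a screening aid, not proof that the message is genuine.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = {}

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. An executive's name, but not from that executive's known address.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        reasons["executive-name-mismatch"] = f"'{display_name}' sent from {from_addr}, expected {known}"

    # 2. Sender outside our domain, and whether the domain merely looks like ours.
    if from_domain != OUR_DOMAIN:
        reasons["external-sender"] = from_domain
        if difflib.SequenceMatcher(None, from_domain, OUR_DOMAIN).ratio() >= 0.8:
            reasons["lookalike-domain"] = f"{from_domain} resembles {OUR_DOMAIN}"

    # 3. Replies quietly routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        reasons["reply-to-mismatch"] = reply_to

    # 4. What is being asked for, and how hard the sender is pushing.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body is not None else "")
    hits = _find_phrases(text, SENSITIVE_PHRASES)
    if hits:
        reasons["sensitive-request"] = ", ".join(hits)
    hits = _find_phrases(text, URGENCY_PHRASES)
    if hits:
        reasons["urgency"] = ", ".join(hits)
    return reasons


def needs_callback(raw_message: str) -> bool:
    """The 'please call me if you are not sure' rule: a sensitive or urgent ask whose
    origin cannot be trusted from the headers alone gets a phone call before any action."""
    r = set(check_executive_request(raw_message))
    suspicious_origin = {"executive-name-mismatch", "external-sender", "reply-to-mismatch"} & r
    sensitive_ask = {"sensitive-request", "urgency"} & r
    return bool(suspicious_origin and sensitive_ask)


if __name__ == "__main__":
    for label, sample in (("wire request", SAMPLE_WIRE_REQUEST), ("internal note", SAMPLE_INTERNAL_NOTE)):
        print(label, "->", "call before acting" if needs_callback(sample) else "no flags",
              check_executive_request(sample))
```

The flags are deliberately reported separately from the decision: a message from a genuine internal address that asks for a wire still deserves a call under the policy above, and the headers-only checks would never catch a compromised internal mailbox, so the phrase matching and the out-of-band call remain the control that matters.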

We need to make it a priority to protect our organization from leaking confidential information and suffering financial loss. Protecting our organization from cyber crime is a team effort, which means that we as management must be committed to educating ourselves and our staff on how to recognize both phishing and spear phishing attacks.

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Have questions? Book a free consultation call with us.

PHISHING is not always so obvious! However, it is a big area of risk for your organization!

I remember as a child I would go with my brothers to find fishing worms. We knew the pickerel liked worms, and we always had luck catching them in our favorite fishing hole behind our house on the river. My dad, on the other hand, would take those small colored marshmallows along when he went fishing for lake trout. Apparently, lake trout also like those little colored marshmallows! My dad had great luck using marshmallows as bait (I bet satisfying his own sweet tooth as well). The key to catching fish is to know what they like and let them take the bait.

In the cyber security world, phishing for information is very similar to fishing. Phishing uses something a person will bite on (e.g. click on, log into) to get them to give up useful information, like credentials, to the people phishing. Cyber criminals know where their prey is, know what they are likely to bite on, and have a mechanism to collect that information.

Cyber criminals have the sophistication and intelligence-gathering operations to be highly effective at obtaining highly sensitive credentials and gaining access to financial transactions.

Phishing today can be difficult for people to identify, especially when the victims are targeted well. I was nearly fooled when I was quickly skimming over messages and saw an email from an industry colleague with a link to news about the latest cyber threat. I clicked on it only to see my security tools pop up and block that action! BUSTED! What saved me was having the latest security tools (intelligence-driven tools backed by deep learning and analysis). Tools like this are essential to protect us in today’s crazy world.

Cyber criminals are very sophisticated, and they have intelligence gathered on their audience and know what they will bite on. I saw a good example on Facebook in September where a message came in on my Messenger with a link to a video where the caption was “Is this you?”. Then when you clicked on the link you needed to “log into Facebook” (on a mimicked Facebook site designed to steal your credentials) to access the video. Many people ended up handing over their Facebook username and password. Very effective on a social media platform where people are anxious to see what their friends are sharing about them. (You need multi-factor authentication; more on that in a future post.)

We need to recognize phishing as a serious threat. Do you have the training material to educate yourself and your staff to identify phishing emails and sites and take appropriate action? Is this overwhelming and frustrating? Feel free to reach out to me and my team. We would be happy to have a conversation with you about phishing. We can demonstrate training and testing platforms which you can use to protect your organization.

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
Book a free consultation call with us.

Are you teaching your employees to keep their eyes open? Cyber Security Awareness Training.

The US FBI has issued a Public Service Announcement warning of high-impact cyber attacks and the threat they pose to national security and the business world.

October has been dedicated as Cyber Security Awareness Month. Cyber is all things digital, all things connected, which means the office, the internet, telecommunications, video streaming and, you got it, even the traffic systems. Automation in a digital world has provided us many conveniences, like instant communications around the globe, the latest information on world economics, and knowing when your child has arrived at school through GPS tracking of smart phones. But there are two sides to the blade, so to speak: one side is good and the other can be devastating. The question is, how do we protect ourselves?

I recall a Karate lesson where our Sensei said a punch doesn’t hurt any less with your eyes closed. However, with your eyes closed you do not have an opportunity to avoid that punch, nor do you have an opportunity to counter that move. Cyber Security Awareness Month is about keeping your eyes open and realizing that we are dealing with an ongoing attack coming from all sides. The best defense is not just a good offense; it is truly a good understanding of what the threat is. Our best defense is a prepared and trained front line. Our employees are the front line dealing with these threats, and unless we as leaders take an active role in helping them get educated, there will be holes which can and will hurt us.

Use October to help your team get educated about cyber security and how to spot an attack. Not everyone will get it right the first time around; however, raising awareness in your organization is the first step to protecting your company. Education, along with a sound cyber security strategy including tools and monitoring, will help to fortify your organization against common attacks. This reminds me of an old saying: “An ounce of prevention is worth a pound of cure.”

Stay Safe and Secure.

Jeff S Brodie, Managing Partner – Codefusion Communications Inc.

Welcome to Codefusion Blog

Hello there. Our blog will contain information about Cyber Security, Applications, tutorials and other useful tidbits.