Spear Phishing


Back to my childhood fishing stories; they really do tie in here as well. I can remember going to a fast stream to fly-fish for Rainbow Trout and Specks, as they are called. I remember seeing some kids standing on the rocks right at a large pool just beside the fastest water. One of them had a spear in hand; they were targeting, then spearing, the largest and juiciest trout in the stream. I thought that just wasn’t fair. They had done their research and knew where the largest and best fish would be, and with a spear they could precisely target the ideal fish to get the greatest reward for their efforts.

Let me introduce you to a tactic cyber-criminals use called ‘Spear Phishing’: the criminal identifies the big fish and goes after the juicy reward. They learn about the organization they are targeting, who the “big fish” is (the CEO, the boss, etc.) and which people report to them. That reporting person holds the keys to the kingdom. Busy executives sometimes use very direct language in their email, a command language (terse and to the point). They may also be intense people who are not very forgiving of those who do not follow their instructions precisely.

These emails arrive as requests (really demands) for company Personally Identifiable Information (PII), like the incident at Sprouts in California, where an email that appeared to be from the CEO asked for the list of all employees with all of their data (employee SIN/SSN, address, etc.). The Director of HR personally sent the information for all 28,000 employees to the phisher he thought was the CEO. By simply following what he took to be a command from his superior, he caused a major privacy breach for his organization. This is what is known as a spear-phishing email. In another spear-phishing example, a CFO received an email from the president instructing them to wire $250,000 to a bank account because he had just closed a deal. The email, purportedly from the president, told the CFO, “you know I am at this conference, and have limited access to email, please do not delay this deal needs to be closed today!” What are people in these positions expected to do?

It is important that we put checks and balances in place to confirm that the demands made in such an email are genuine. As busy executives, we need to understand the risk and create a method for our staff to validate these requests. We need to educate and empower our staff to question the validity of these requests and to verify the sender’s email address before they act. Perhaps, as executives, we need to tell our staff that we will never request large financial transactions by email alone. Such transactions could instead be confirmed by telephone, backed by a “Please call me if you are not sure” policy.
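As an added illustration (not code from the original post), here is a minimal “call before you act” gate that applies the checks above to one incoming message: it flags an executive’s display name paired with an unfamiliar address, an external sender domain, a Reply-To that diverts replies elsewhere, and a body asking for funds or employee data. The company domain, the executive directory and both sample messages are constructed placeholders, and the code assumes plain-text (non-multipart) mail.

```python
# Added example, not from the original post. Checks one plain-text email for
# the executive-impersonation signs discussed above and says whether the
# request must be confirmed by telephone before anyone acts on it.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed name -> real mailbox
# Requests that the "phone before you act" policy covers (word-bounded to avoid
# matching "business" for "sin" and similar false positives).
SENSITIVE = re.compile(r"\b(wire|bank account|ssn|sin|employee (list|records|data)|w-2)\b", re.I)

def check_request(raw_email: str) -> dict:
    """Return the findings for one message and whether out-of-band verification is required."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", addr))   # no Reply-To -> replies go to From
    addr, reply_to = addr.lower(), reply_to.lower()
    text = msg.get("Subject", "") + " " + msg.get_payload()   # assumes a plain-text body
    findings = []
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        findings.append(f"display name '{display}' but address {addr} is not {known}")
    if not addr.endswith("@" + COMPANY_DOMAIN):
        findings.append(f"sender domain is external: {addr.rsplit('@', 1)[-1]}")
    if reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    sensitive = SENSITIVE.search(text) is not None
    if sensitive:
        findings.append("asks for funds or personal data")
    # Policy from the text: money or PII requests are never actioned on email alone.
    return {"findings": findings, "verify_by_phone": sensitive or bool(findings)}

# Constructed sample: the CEO's name on a look-alike external mailbox, replies
# diverted to a webmail account, and an urgent wire request.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@example-mail.com>
Reply-To: ceo.private@webmail.invalid
Subject: Urgent - close the deal today
Content-Type: text/plain

I am at the conference with limited email. Wire $250,000 to the bank account
below today, do not delay.
"""

# Constructed sample: a routine message from the real executive mailbox.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch
Content-Type: text/plain

Team lunch Friday at noon.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        print(check_request(sample))
```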

We need to make it a priority to protect our organization from leaking confidential information and suffering financial loss. Protecting our organizations from cybercrime is a team effort, and we in management must commit to educating ourselves and our staff on how to recognize both phishing and spear-phishing attacks.

Stay Safe and Secure.
Jeff S Brodie
Managing Partner – Codefusion Communications Inc.
