Spear Phishing And The Importance of Constant Vigilance
Earlier this week I received an email from Rick, our CEO, asking me to get ready to send a wire payment out.
My first thought was, “Oh, how much is this going to be? S***, wires are such a pain to send, but hopefully won’t have an impact on our cash forecasting.”
As the Controller at a fast growing tech company, my biggest priority is cash forecasting. (Other top priorities are organizing groups to go out for lunch, and also maintaining my status on the ping pong leaderboard).
I replied back to Rick.
Obviously when you receive emails from the CEO, you move fast to respond and execute. Jump? How fast and how high? Sir?! Yessir! I opened up the attachment to see the details of the payment and see whether the amount would materially impact my cash projections.
The below is basically a stream of my thoughts after opening the attachment.
“HOLY CRAP!! IT’S FIFTY SIX THOUSAND DOLLARS!!
“Why is Rick doing this to me?
“Oh f***, this is going to mess up my cash forecast for sure. Jeez. C’mon! What is this even for? Seriously??? 56K? This is one pricey consultant.
“Sigh. I wish he would’ve told me about this ahead of time.
“Sigh, ok well, let’s get to the bottom of this.”
I printed out the attachment and brought it to our COO, Sascha, and asked him if he knew anything about this large payment that Rick needed to have performed. He said no, so I showed him the attachment. He was generally silent other than the audible exhale of air I took to be a sigh and shared expression of concern of the impact on our cash projections.
We chatted about it a bit more and googled the name of the account holder to see what we could dig up. Top result was a record breaking pumpkin grower!
I told Sascha I would phone Rick to find out more about this payment before doing anything else, as there was a small chance this was a spoofed email. The possibility entered my mind because it was just SO weird, but it seemed like a legit email from Rick. I went back to my desk to pull up the email again. I typed in Rick and Gmail autofilled the search bar.
The email wasn’t there.
I opened up my sent mail as I knew I had already replied to it asking for details.
There it was. I clicked it and looked at the email header.
SNEAKY BUGGERS it’s a freaking spear phishing attack!!
I immediately alerted the accounts payable team and our security team.
Everything, and I mean EVERYTHING, looked so perfect: short, to-the-point email direction. Emails from the CEO directing a payment are common, so that wasn’t a red flag by itself. Even the size of the payment was not by itself a red flag. The fraudsters also had a bit of luck on timing, since our CEO was out of office this week. Only when all of it was taken together was it enough to stop us from sending fifty six grand to a record breaking pumpkin grower.
The Fraudsters continued their attack with pressure tactics.
These fraudsters are tenacious.
Why did this ALMOST work?
I would argue spear phishing is one of the most difficult-to-detect methods of external financial fraud around. Let’s look at some of the tactics this fraudster put into practice.
On first glance, it REALLY looked like it was from our CEO. In today’s digital age, it takes 10 seconds to load LinkedIn and find an organization’s corporate hierarchy and then put names to titles.
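The give-away in the story above was the email header, not the message body: the display name said "Rick" but the mailbox behind it did not belong to the CEO, and the reply went back to the fraudster. The following is an added example (not the post's code, and not any tool the post mentions) of the header checks a mail gateway or a finance team's inbox rule could run to surface that pattern. It assumes a corporate domain of example.com and a one-entry executive roster; both sample messages are constructed for the example.

```python
"""Flag inbound mail that impersonates an executive (added example, not the
post's code). Assumes the corporate domain is example.com and that the
executive roster below is known; the two sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                    # assumed corporate domain
EXECUTIVES = {"rick": "rick@example.com"}      # assumed roster: first name -> real address
PRESSURE_WORDS = ("wire", "urgent", "today", "asap", "confidential", "discreet")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_impersonation(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation.
    An empty list means none of the indicators fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []

    # 1. Display name is an executive's, but the mailbox is not their real one.
    for exec_name, real_addr in EXECUTIVES.items():
        if exec_name in name.lower() and addr.lower() != real_addr:
            reasons.append(f"display name '{name}' but sender is {addr}, not {real_addr}")

    # 2. Sender domain is a near-miss of the corporate domain.
    if from_dom != CORP_DOMAIN and 0 < levenshtein(from_dom, CORP_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {from_dom}")

    # 3. Reply-To points somewhere other than the From domain, so a reply
    #    asking for details goes to the fraudster, not the executive.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"Reply-To {reply} differs from From domain {from_dom}")

    # 4. The receiving gateway recorded an SPF or DKIM failure (RFC 8601 header).
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("SPF/DKIM failure recorded by the receiving gateway")

    # 5. Pressure language: a wire request combined with urgency wording.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PRESSURE_WORDS if re.search(rf"\b{w}\b", text)]
    if "wire" in hits and len(hits) >= 2:
        reasons.append(f"wire request with pressure language: {', '.join(hits)}")
    return reasons


# Constructed sample: display name matches the CEO, but the mailbox is on a
# look-alike domain and Reply-To goes elsewhere.
PHISH = """From: Rick <rick@examp1e.com>
Reply-To: rick.ceo@mail-example.net
To: controller@example.com
Subject: Wire payment today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com

Please get ready to send a wire payment out today. Keep this confidential.
"""

# Constructed sample: a genuine internal message that should not be flagged.
LEGIT = """From: Rick <rick@example.com>
To: controller@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com

Who is organizing lunch this week?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, flag_impersonation(raw) or "no indicators")
```

None of these indicators is conclusive on its own (a CEO really can mail from a personal address while travelling), which is the same point the post makes about the wire request: it is the combination that should stop the payment, so a rule that fires on two or more reasons is a reasonable threshold for routing a message to the finance team for a phone call.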
Chain of Command
I would automatically assume a Controller or Director of Finance would jump when the CEO fires an email directly at them. Depending on the size of the company, some people in my position might not think twice when sending a $56k wire payment.
Unbounce has grown quickly in the last 1.5 years I have been here (43 to 110 FTE in 1.5 years aka 255% growth). A company of this size could conceivably have a disconnected Finance Controller who just does what he’s given, no more, no less. Not all companies have strong internal controls to ensure proper payment procedures.
Fraud can happen to ANYONE. I was fortunate this time that I sniffed out enough clues and continued to question the direction coming from the CE(faux) that led me to discover the fraud.
Spear phishing and other types of targeted fraud are designed to prey on human nature. If you are the victim of spear phishing, you shouldn’t kick yourself, but instead focus on how you can prevent this from happening in the future.
Internal Control Best Practices for Finance
- What is this payment for? What service/goods were provided? Does the amount make sense (value for money)?
- Who’s the vendor? Have you worked with them before? Any prior payments?
- Who sent the invoice? Do they have authority to be sending this type of expense? Does the expense type match their business area?
- Have two people sign for wires/cheques, separate from the cheque preparer if possible. This guarantees a second and third set of eyes on every payment.
Cyber Security is EVERYONE’s Job.
Phishing is a pretty common occurrence and we all know not to send money to the Nigerian Prince, but Spear Phishing is SO tricky and can easily catch anyone. Remember cyber security is not just the job of the IT team, but everyone’s responsibility. #OPSEC
Some other pro-tips:
- don’t plug in random USB keys
- turn on 2-factor authentication
- use a LONG password
- use a password management tool (I heart LastPass)
- security questions? Don’t use real facts. LIE. (for example Q: What high school did you attend? A: Hogwarts. Q: Mom’s maiden name? A: Spiderman)
- you can use the aforementioned password management tool to store your ‘false’ security answers
Other Scams to be aware of
Spear phishing is but one facet of the many-faced god we call Fraud. Some other ones to keep an eye out for include, but are not limited to:
- penalty/fee from ‘government’ organization
- a bill to ‘register’ your trademark
- fake change of address/legal name requests (often sent on letterhead, and REALLY sneaky because it looks like an existing vendor, so it is hard to spot)
- a bill from a vendor you have never dealt with before, but it’s marked overdue, which creates urgency and pressure to pay
Dealing with fraud and cybersecurity is not just the CSO’s job, it requires everyone to have a security conscious mindset.