Five Ways to Guard Against Cyber Attacks via Spear Phishing

Don’t become the next catch of the day!

Cybercrime is estimated to cost U.S. consumers a total of 21 billion dollars a year. And another $400 billion in intellectual property is lost annually.

That’s a lot of money. And even if you think your system is completely secure, cyber criminals have found a way in. This past February the Scoular Co., an 800-employee commodities trading company, lost $17.2 million to cybercrime over a five-month period. How did the criminals get away with it? Through a series of simple emails.

How do these cyber criminals get away with so much money using what seems to be such an unsophisticated system? The numbers show, pretty easily. The tactic, called “spear phishing,” “business email compromise (BCE) scams,” “CEO fraud,” or “man in the middle” schemes, is widely used because emails are the easiest path of entry.

The Scam

The attacker most often uses social media to identify high-level executives within the company and find other lower-level employees he can send his emails to. Identifying the correct email address is as easy as trying variations of the employee and company names. Once an employee responds back, the phisher has the correct email address format and, even more important, the company’s branded signature line. Armed with this information, he begins sending out bogus emails that mimic the company’s real email.

The phisher is after one of three things: payroll data, wire transfers, or passwords and logins.

Payroll Data

To obtain payroll data, the attacker poses as the CEO or CFO sending emails to the HR manger, HR employee, payroll manger, or payroll employee. The email states that the CEO/CFO wants to audit all employees’ pay, and requests that all W-2s be forwarded to him for review. This information can then be used for bogus tax filings, netting the phisher a tidy sum and leaving your employees with a real IRS headache.

Wire Transfers

Again, the attacker poses as the CEO or CFO. This time the emails are sent to someone in accounting requesting that a wire transfer or series of wire transfers be sent to a particular company or bank. This is the scam that cost Scoular Co. that $17.2. million.

Password & Logins

The phisher poses as a high-level executive or the recipient’s direct supervisor. The recipient’s password and login are requested because the sender needs access urgently, and cannot wait for IT to fix the problem with his own login. Once the attacker has this information, he is able to obtain access to restricted data.

Protect Yourself

Here are five effective ways we’ve found to protect your company from spear phishing:

1. Use a Verbal Password

Institute a company-wide verbal password that must be given to anyone from whom sensitive information is being requested, and then train your people to require it. When a request is received via email, the recipient only has to respond asking for the password, which the attacker won’t be able to provide.

2. Implement a Quality Spam Filter

A quality spam filter, such as products offered with Executech’s Office 365 offering,, will check messages for characteristics consistent with spam, and check the reputation of the sender before allowing a message through.

3. Block Certain Countries from Sending You Email

Take your security one step further by installing a spam filter that allows you to block emails sent from certain countries. It’s not a secret that the bulk of phishing emails come from certain countries. And while phishers may be able to spoof a company email address, they can’t change or block the portion of their IP address that discloses its origin.

4. Only Allow Company Email from the Authoritative Server

One of the best ways to guard against phishing emails is to block any company email that does not come from the authoritative server.  Only allow email addresses from that server to send email to your domain. This blocks email that doesn’t come from your server. Just like attackers can’t change or block their country of origin, they can’t spoof what server their emails are coming from either.  An example of this would be that an email from [email protected] is sent to him by someone spoofing it from outside his server.  In this case, if we only allow email from to come from the authoritative server, it would notice this spoof was not sent from the authoritative server; hence blocking it.  There may be some minor whitelist adjustments when there are some exceptions, but for the most part all email to your domain should come from the authoritative server.

5. Change Your Mentality—It Could Happen to You

If you think your business is too small for attackers to target, think again—59% of all spear phishing attacks are aimed at small- to mid-size business. And according to some statistics, roughly 60% of those small business go out of business within six months of the attack.

It is important to remember that by itself, no one action is enough to ensure 100% protection from cyber attackers. Cyber security is most effective when it is built in layers. Take time today to sit down with an IT professional and evaluate your email policies, procedures, and systems to identify ways attackers could get in and the most effective ways to protect yourself. Executech offers free assessment to anyone interested in discussing these topics more:  Don’t become someone else’s catch of the day!

Related Insights