8 posts in this topic

Posted

Spam emails that try to solicit personal information, known as phishing, are taking advantage of corporate servile culture with messages feigned to resemble that of a company CEO, addressed to the firm's executives.

"Someone will spoof an email to the CFO or controller and it will purport to be from the CEO," Christopher Novak, managing principal and security expert at Verizon Business told American Banker. "The email will say something like, we need to sponsor this event or pay this vendor, it's urgent and I need you to wire $100,000 into this account immediately, we're already 30 days late. Because it's from the CEO, other staff will expedite the request."

Andrew Valentine, a security expert and principal with Verizon Enterprise Solutions, said he has seen large number of cases in which a CEO gets an email that looks to be from the CFO, or a similar variation.

"Ninety-five percent of the cases originating from China start with just this kind of attack," Valentine said. "It's one of the reasons I hate the phrase 'Advanced Persistent Threat,' or APT. There's nothing advanced about a phishing e-mail."

 In one instance at an engineering firm, Valentine said, an executive was the target of a phishing attack with an email addressed from the company CFO.

"The CFO's name was spelled incorrectly, it was a Yahoo email address rather than an internal one, and you had to double-click on a zip file attachment," Valentine said. "There were so many red flags that he shouldn't open it, but people will click on phishing messages."

But Valentine said phishing email victims are not necessarily "gullible. I think very smart and capable people fall for phishing attacks," he said.

But when people receive a couple hundred emails in an eight-hour period or less, their level of scrutiny may decrease.

"In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?" Novak said, describing one example. "The CEO said, 'What are you talking about?' The blood drained out of the CFO's face and he said he had to go. We've seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this."

 The recent spate of spear phishing attacks on financial services personnel demonstrates the increasing level of sophistication of identity thieves and the inevitability of individual and institutional compromise, said Adam Levin, co-founder and chairman of Identity Theft 911.

He says the "only intelligent way" to respond to such attacks is to design and implement more sophisticated security protocols.

"Companies should also step up training programs to help employees better spot potential fraud and to drill into them that under no circumstances should they provide any personal identifying information on any website or to any third party without corroboration from supervisors and/or trusted third parties," Levin said. "As identity thieves count on moments of confusion or distraction, such as time pressures, no wire transfer or [automated clearing house] of any significant amount should be initiated without protocols requiring more than one authorization and a time frame longer than 'right now.'"

source

Share this post


Link to post
Share on other sites

Posted

What kind of vegetable would transfer $100,000 based on an email alone?

4 people like this

Share this post


Link to post
Share on other sites

Posted

What kind of vegetable would transfer $100,000 based on an email alone?

 Vegeterians

1 person likes this

Share this post


Link to post
Share on other sites

Posted

What kind of vegetable would transfer $100,000 based on an email alone?

A Tomato.

Share this post


Link to post
Share on other sites

Posted

Most companies aren't even using SPF & DKIM to authenticate their own emails. You can probably spoof the "From" header with impunity.

Share this post


Link to post
Share on other sites

Posted

I could see a high up officer in a company getting one of these emails, not wanting to be bothered and forwarding it to his underling, and just saying 'take care of this'...  the underling wanting to look good, does the rush transfer without verifying anything, and boom!  money gone.....

Share this post


Link to post
Share on other sites

Posted

E-mails should at least include an authentication secret code if there is any money involved.

Share this post


Link to post
Share on other sites

Posted

What kind of vegetable would transfer $100,000 based on an email alone?

more like moron instead of a veggie.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.