A few weeks ago we talked about the recent increase in phishing, which was documented in the latest report from APWG. There's a new article out on Threatpost about a phishing scam that went undetected for about five years because it was so low-level. In this post, our research scientists talk about one of the latest phishing scams to come across their systems. They also offer up some great tips on how to avoid becoming a victim. This post was submitted by Michael Van Pelt, John Sparry, and Michael Blakesley.
Our researchers have been seeing more spear phishing attacks in which the attacker targets a company’s finance department. The idea behind the attack is to get someone in finance to wire money to the attacker’s bank account. The attackers do their homework: they know who is authorized to make and send wire transfers on behalf of the company.
The most recent of these spear phishing attacks looks like this:
Hope you are having a splendid day. I want you to quickly email me the
details you will need to help me process an outgoing wire transfer to
I will appreciate a swift email response.
President O. Company
The “From” is the real name and email address of the company president. The email is to the corporate controller, addressing her by name.
The Reply-To, of course, goes to the thief.
Unlike some previous attacks like this, where the thief asked for a wire transfer of a specific amount to his account, this enterprising crook is trying to get access to drain everything in the company's account.
The takeaway from this is to make sure everyone in a position of financial responsibility in the company knows to NEVER, under any circumstances, transact anything like this merely on the basis of email. Always verify offline.
At the very least, do not click reply to any such email request. Instead, click “forward”, and type in the recipient address yourself.
Absolutely do not copy and paste the address from the email you received, because that address may be subtly altered in a way that you might miss. For example, in some fonts, “rn” may be difficult to distinguish from “m”, so the Reply-To and From addresses could be “firstname.lastname@example.org” instead of “email@example.com“. There are many obfuscation tricks, and the crooks know them all. Make sure the email is really addressed to the proper person's corporate email account, not to a bogus mail drop somewhere else.
Furthermore, those in a position to make legitimate financial requests need to fully understand and sign off on the policies stating that there are no exceptions: No matter how important they believe it to be, it is never acceptable to use gmail, hotmail, etc. to transact this kind of business. It must be done only through appropriate channels.
To further protect yourself from spear phishing, deploy content security and email security solutions. The Barracuda Web Filter, Barracuda Email Security Service, and Barracuda Spam Firewall, are all designed to provide protection against spam, malware, and attacks like spear phishing. All are available for a risk-free 30-day trial.