Phishing and Spear Phishing: Targeted Email Attacks
Examples of Phishing Messages
You open an email or text, and see a message like this:
- "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."
- "During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information."
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
- The senders are phishing for your information so they can use it to commit fraud.
Phishing Affects Businesses, Too
Protect your business against phishing and wire transfer fraud.
It's a typical day at the office. An employee receives a friendly reminder email from a vendor they've known for years about an invoice coming due. The email is conversational, asks about the employee's recent vacation, and then reminds the employee that a late payment for the invoice could result in a 20 percent surcharge if not handled immediately.
The employee recognizes their account representative's name and email address, sees the vendor's branding in the email and submits the invoice for payment, without giving it another thought. But in their rush to avoid a late fee, they don't realize the email they just responded to is actually from email@example.com instead of firstname.lastname@example.org—the vendor's real email account.
In today's digital age of Facebook and LinkedIn, wire fraud schemes that rely on targeted email phishing have become increasingly common and sophisticated. By finding individuals who haven't enabled privacy features on their social media accounts and then using that publicly available data to craft believable, fraudulent emails, criminals trick businesses into quickly sending funds by creating fake, urgent situations. Frequently, victims don't realize they've been duped until they confirm the transfer of funds with a vendor or manager—when the money is already long-gone.
John, the CFO, receives an urgent email from his boss, the CEO, instructing John to immediately send a late payment to an out-of-state vendor. John emails back to his CEO confirming the transfer. After receiving confirmation, John emails his request to the bank. The bank calls John back to confirm and gives the green light. Later, John talks to his boss on the phone and learns the boss did not send the transfer request.
The Federal Bureau of Investigation warns that spear phishing, or more specifically, Business Email Compromise (BEC), is a financial fraud tactic that is “more sophisticated than any similar scam the FBI has seen before." It first appeared around 2013, but has since taken off. The average individual loss is about $6,000, and the average loss to BEC victims is $130,000. According to the FBI, since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. This is largely due to the quick payment clearing timeline—which is much faster than ACH or check. Learn more on the FBI's website ›
To protect your business, ensure all employees handling payments for your business always:
- Validate new payment instructions received via email—even if the email is internal.
- Always double check that the email address is not a spoofed or altered version of a familiar email address.
- Pick up the phone, whenever possible, and speak directly with the individual requesting a funds transfer.
- Contact the vendor or client directly to confirm any requests for payment method changes, validating the changes are legitimate before processing.
- Carefully review all payments before they are sent and ensure all correspondence is validated and documented in a unified way across your business.
Training your staff on the ways that fraud is evolving is critical. In the fight against fraud, a little knowledge goes a long way.