KnowBe4 Alerts Businesses to the Top 5 Spear-Phishing Scams Targeting Executives
Cybercrime Expert Stu Sjouwerman Outlines New Phishing Tactics Executives Need to Know and Advises Internet Security Awareness Training (ISAT) to Prevent Breaches
CLEARWATER, Fla., May 22, 2012 – According to Internet security expert Stu Sjouwerman, cybercriminals are using increasingly sophisticated spear-phishing scams to target business owners and executives with access to corporate financial accounts and other high-level proprietary information. As founder and CEO of the Internet Security Awareness Training (ISAT) firm KnowBe4, Sjouwerman (pronounced “shower-man”) tracks evolving security threats and has made it his mission to educate clients and the public on how to avoid them.
“While many cybercriminals will go after ‘low-hanging fruit’ and send mass emails to a large number of users, others have fine-tuned their approach and are using highly targeted spear-phishing tactics to go after executives with access to company bank accounts and internal databases,” said Sjouwerman. “These scammers do their research and spend time customizing their spear-phishing emails; as a result, many recipients are fooled by the level of detail and authentic-looking messages and websites.”
Here, Sjouwerman outlines the top five spear-phishing scams that are currently making the rounds among executives and business owners nationwide, and which pose a significant threat to data security:
- Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.
- Smartphone Security App – With minimal research, cybercriminals can easily find the names and email addresses of a company’s senior management. Armed with that information, they can spoof an email from the CEO asking the CFO to click a link. Once clicked, it downloads a keystroke logger to the CFO’s computer. By this means, the hacker can obtain bank account information and passwords. If the bank uses two-factor authentication, the scammer simply spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually more malware. And with that, the cybercriminals have full access to the CFO’s account login credentials and control of any two-factor text messages sent to the CFO.
- Layoff Notice – This particular phishing tactic takes advantage of the current economic climate and targets employees. It begins with a spoofed email from the CEO or Human Resources informing recipients that they have been laid off, but that they are eligible for severance and unemployment benefits. Employees are asked to click a link to register for severance pay. The landing page looks just like the company’s website, and asks users to enter their name and social security number to log in. However, the website actually triggers a malware download to the user’s system; and if the victim enters any personal details, they are immediately at risk for identity theft.
- Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine what organizations that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of one of those charities or organizations, asking the recipient to download a PDF that supposedly contains details on an upcoming campaign or event, and promises free dinner at the local restaurant as an incentive for providing feedback. When the PDF is downloaded, it installs malware to the system – and gives hackers direct access to the network.
- New Lawsuit – In this scenario, cybercriminals cull the email addresses of a company’s executives and legal counsel. They will then spoof an email from the legal counsel to the executive team, and attach a PDF that purports to contain information about new or pending litigation. When the recipients download the attachment, their system becomes infected and the entire network is compromised.
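As an added defensive example (not from the release or from KnowBe4's product), a small Python check that flags the spoofed-executive pattern the scenarios above rely on: a display name matching a known executive but a different address, a Reply-To pointing elsewhere, or a lookalike sender domain. The company domain, executive directory and sample message are constructed for illustration.

```python
# Added example, not KnowBe4 code. Domain, directory and message are constructed.
from email import message_from_string
from email.utils import parseaddr
import difflib

COMPANY_DOMAIN = "example-corp.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed exec directory


def spoof_indicators(raw_message: str) -> list:
    """Return the reasons an inbound message looks like an executive spoof."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Display name is a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Replies would go to a different domain than the visible sender.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from {from_domain}")

    # 3. Sender domain is a near-miss of the company domain (e.g. o -> 0).
    if from_domain != COMPANY_DOMAIN:
        ratio = difflib.SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio()
        if ratio > 0.85:
            reasons.append(f"lookalike domain {from_domain}")

    # 4. Claims to be internal but the gateway recorded no SPF/DKIM pass.
    auth = msg.get("Authentication-Results", "")
    if from_domain == COMPANY_DOMAIN and auth and "spf=pass" not in auth \
            and "dkim=pass" not in auth:
        reasons.append("internal From domain without spf/dkim pass")
    return reasons


# Constructed sample: the "CEO asks the CFO to click a link" scenario.
SAMPLE = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.urgent@mail-relay.example.net
To: cfo@example-corp.com
Subject: Quick favour, please confirm the wire details

Can you log in and confirm the wire details here: http://example.invalid/login
"""

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("flag:", reason)
```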
“While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down,” explained Sjouwerman. “When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.”
While the examples covered here detail phishing tactics that target executives, or that target employees by spoofing an executive’s email account, they highlight the danger of spoofed emails in general. Cybercriminals recently gained access to the direct email marketing system of UK-based TicketWeb, and sent emails instructing recipients to click a link to download the latest version of Adobe Reader.* TicketWeb assured customers that their credit card information was not compromised during the attack. However, recipients who clicked the link were redirected to a malicious website that asked users to enter their personal information and credit card details.
“I would encourage all email users to get in the habit of thinking before they click, because cybercriminals’ spear-phishing emails are becoming increasingly indistinguishable from legitimate messages by known senders,” said Sjouwerman. “This ongoing threat emphasizes the importance of user awareness and education. By implementing company-wide Internet Security Awareness Training, enterprises can ensure their executives and staff know what to watch out for, and how to avoid falling prey to spear-phishing attacks.”
The company’s ISAT offering allows administrators to conduct ongoing security audits with scheduled phishing security tests, and provides before-and-after reports that show employees’ security awareness training results.
KnowBe4 also helps organizations determine their susceptibility to cyber attacks with several complimentary cybercrime prevention resources, including a free email exposure check (EEC) that reveals publicly available company email addresses cybercriminals can use to target staff.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.