KnowBe4 Alerts Businesses to the Top 5 Spear-Phishing Scams Targeting Executives
Cybercrime Expert Stu Sjouwerman Outlines New Phishing Tactics Executives Need to Know and Advises Internet Security Awareness Training (ISAT) to Prevent Breaches
CLEARWATER, Fla., May 22, 2012 – According to Internet security expert Stu Sjouwerman, cybercriminals are using increasingly sophisticated spear-phishing scams to target business owners and executives with access to corporate financial accounts and other high-level proprietary information. As founder and CEO of the Internet Security Awareness Training (ISAT) firm KnowBe4, Sjouwerman (pronounced “shower-man”) tracks evolving security threats and has made it his mission to educate clients and the public on how to avoid them.
“While many cybercriminals will go after ‘low-hanging fruit’ and send mass emails to a large number of users, others have fine-tuned their approach and are using highly targeted spear-phishing tactics to go after executives with access to company bank accounts and internal databases,” said Sjouwerman. “These scammers do their research and spend time customizing their spear-phishing emails; as a result, many recipients are fooled by the level of detail and authentic-looking messages and websites.”
Here, Sjouwerman outlines the top five spear-phishing scams that are currently making the rounds among executives and business owners nationwide, and which pose a significant threat to data security:
- Better Business Bureau Complaint – In this scam, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.
- Smartphone Security App – With minimal research, cybercriminals can easily find the names and email addresses of a company’s senior management. Armed with that information, they can spoof an email from the CEO asking the CFO to click a link. Once clicked, it downloads a keystroke logger to the CFO’s computer. By this means, the hacker can obtain bank account information and passwords. If the bank uses two-factor authentication, the scammer simply spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually more malware. And with that, the cybercriminals have full access to the CFO’s account login credentials and control of any two-factor text messages sent to the CFO.
- Layoff Notice – This particular phishing tactic takes advantage of the current economic climate and targets employees. It begins with a spoofed email from the CEO or Human Resources informing recipients that they have been laid off, but that they are eligible for severance and unemployment benefits. Employees are asked to click a link to register for severance pay. The landing page looks just like the company’s website, and asks users to enter their name and social security number to log in. However, the website actually triggers a malware download to the user’s system; and if the victim enters any personal details, they are immediately at risk for identity theft.
- Free Dinner in Return for Feedback – By reviewing an executive’s social media profiles, cybercriminals are able to determine which organizations that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of one of those charities or organizations, asking the recipient to download a PDF that supposedly contains details on an upcoming campaign or event, and promising a free dinner at the local restaurant as an incentive for providing feedback. When the PDF is downloaded, it installs malware on the system – and gives hackers direct access to the network.
- New Lawsuit – In this scenario, cybercriminals cull the email addresses of a company’s executives and legal counsel. They will then spoof an email from the legal counsel to the executive team, and attach a PDF that purports to contain information about new or pending litigation. When the recipients download the attachment, their system becomes infected and the entire network is compromised.
“While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down,” explained Sjouwerman. “When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.”
While the examples covered here detail phishing tactics that target executives, or that target employees by spoofing an executive’s email account, they highlight the danger of spoofed emails in general. Cybercriminals recently gained access to the direct email marketing system of UK-based TicketWeb, and sent emails instructing recipients to click a link to download the latest version of Adobe Reader.* TicketWeb assured customers that their credit card information was not compromised during the attack. However, recipients who clicked the link were redirected to a malicious website that asked users to enter their personal information and credit card details.
“I would encourage all email users to get in the habit of thinking before they click, because cybercriminals’ spear-phishing emails are becoming increasingly indistinguishable from legitimate messages by known senders,” said Sjouwerman. “This ongoing threat emphasizes the importance of user awareness and education. By implementing company-wide Internet Security Awareness Training, enterprises can ensure their executives and staff know what to watch out for, and how to avoid falling prey to spear-phishing attacks.”
The company’s ISAT offering allows administrators to conduct ongoing security audits with scheduled phishing security tests, and provides before-and-after reports that show employees’ security awareness training results.
KnowBe4 also helps organizations determine their susceptibility to cyber attacks with several complimentary cybercrime prevention resources, including a free email exposure check (EEC) that reveals publicly available company email addresses cybercriminals can use to target staff.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.