Vulnerability management and how to combat spear phishing

By Ryan Barton | August 25, 2015

This week, our CFO received an email from me asking for assistance sending funds through a wire.

Only problem?

It wasn’t me!

It was an example of an increasingly common phenomenon called spear phishing.

As long as email has been around, there have been scams. Some have just been for fun (bonus points if anyone remembers the email chain in the early 90s that said “Bill Gates wants to see how many people are using email and will give you $100 if you forward this email.” As a kid, I fell for it. Some have carried viruses, some have preyed on the gullible (desperate Nigerian princes needing safe harbor for their millions). Most recently, in July 2017, Verizon experienced a breach that could have led to hundreds of spear phishing emails.

Most of us know a phishing email when we see one. It appears legitimate at first, coming from the IRS, a large retailer, or our bank, but it’s clearly trying to scare us into divulging personal information, and the links lead us to very strange places.

A spear phishing email is more difficult to spot – it’s designed just for you. It’s an email crafted for just one person, imitating the email address and name of someone they know. With the prevalence of information available on social media, it’s increasingly easy to gather information for a realistic impersonation. The email to my CFO even included a signature with my actual contact details.

I recently heard of a money manager who received an email late on Friday, from someone he thought was a client, essentially saying “the funds didn’t arrive – they need to be in by end of day, so wire them to XX account.” He did it. Only problem is it wasn’t from his client, and those funds left the country.

The email to our CFO this week is just one example of a common trend in IT – the threats that are first used to target large organizations move downward, targeting small businesses. Spear phishing used to belong to the realm of large, complex organizations, but has recently become increasingly prevalent in small business.

If you know anything about Mainstay, you know that we take security very seriously. We have developed a Holistic Security Model, or data security architecture, for our clients and are constantly expanding, tweaking, and developing it. We educate our clients, train their staff, monitor their networks, and build as many defenses as we can.

Spear phishing is a threat that is intimidating. It is extremely difficult to combat with technology. We can’t filter by keyword, it isn’t a bulk email, it doesn’t contain malicious code, and there’s no way to lock down the use of a person’s name. It’s just one human trying to trick another.

The best defense is awareness and training – vulnerability management means consistently teaching threat awareness and response. It pays to be paranoid, and to develop constant staff awareness. The data security architecture you implement can help protect you from the threat posed by spear phishing.

Be aware of the risks, and have informed conversations internally and with your IT partner. And if you receive an email from me about wiring funds, it isn’t me!

If you have any questions, or require any assistance, we would be happy to speak with you. Contact us online.