Hackers Snatching Executive Emails, Costing Companies Billions

By Kristin Casler, featuring Ondrej Krehel, LIFARS

It goes like this. It’s a regular Tuesday. Things are humming along just fine. Someone you know from your HR department sends an email asking you to look over an attached spreadsheet. Or your supervisor emails you to review an attached Microsoft^® Word document. Or a vendor you work with asks you to remit payment and, to make it convenient, provides you with a hyperlink. Nothing raises a red flag. So, you do as instructed. But the emails are fakes. The attachments and hyperlinks just opened up your system to fraud.

This is the new modus operandi of hackers, and the nefarious possibilities are endless. Welcome to corporate spear phishing. It claims new victims every day. In fact, organizations lose about $400 billion a year in intellectual property alone through spear phishing, according to Ondrej Krehel, CEO and founder of LIFARS.

You might think that you and your employees are too smart to fall for such ruses. Think again. Cyber experts themselves often have a hard time distinguishing between real and spear-phishing emails. Even White House employees fell victim, unleashing malware-infected emails that appeared to come from the U.S. State Department. And the mounting damages from spear phishing are evidence that even the smartest folks can be duped. The FBI reported in February that companies have transferred $2 billion to CEO impersonators over the last two years.

“I think the spear phishing buzzword is out there, but most still believe it’s a myth,” Krehel said. “They think, ‘It’s not going to happen to us. Our people aren’t that silly. The hackers are not sophisticated.’ Believe me, your people will click on it.”

Spear Phishing

Many people have received or at least heard of phishing emails. You know, the ones where the grammar isn’t quite right, asking you to provide some information, click on a link or help someone in need. They were very common for awhile. Then people caught on, and the phishing wasn’t as lucrative for hackers. One Cisco^® study showed a five-percent open rate and three-percent click rate for traditional phishing emails.

So, hackers got more creative. Now, instead of broad phishing emails sent to thousands of people, hackers are targeting individuals with compelling, accurate, personalized emails, often sent from email addresses hijacked from the recipient’s known colleagues or supervisors. It makes it very tough for the recipient and the organization’s security system to tell a real email from a fake. One Verizon^® study showed that the open rate for spear-phishing emails was 23 percent, with a click rate of 11 percent.

What’s the objective? It may seem like it will only damage the poor soul who clicked on a link or attachment in a bogus email. But these attacks open the door for further, devastating network infiltration on an epic scale.

The hackers’ objectives generally fall into one of four categories, Krehel said.

1. Corporate espionage—Seeking mergers and acquisitions data, stock trading and intellectual property (often conducted by foreign countries).

2. Cybercrime—Seeking credit-card data, financial data, bank-account information, fund transfers and other wire fraud.

3. Hacktivism—Breaking into a system and wreaking havoc to make a statement or for retaliation.

4. Snowden-types—Perpetrators who claim to be whistleblowers or highly organized government-sponsored units seeking to influence financial markets.

High-Tech Hacking for Everyone

It’s not just tech-savvy individuals who are succeeding. In addition to numerous powerful and effective groups that infiltrate, there is software available for the average individual to buy. Without much effort, they can make quick, easy money.

Krehel said he worked on a case for two years in which hackers created phishing software and sold it to anyone who wanted it. They even provided consulting services and gave them a list of individuals to attack.

The Tricks Hackers Use

Email is the essential ingredient for corporate spear phishing. Most people’s emails are publicly available and are regularly bought and sold.

“You can buy an email for 75 cents, and just as easily find out where someone lives, how much their house is worth, and their income,” Krehel said. “One-third of America has already been breached. It’s really too little, too late to protect anything in terms of your identity. The information is already out there. If I asked you to give me a list of the organizations that have your financial information, you could maybe give me 3,000. I can give you another 7,000.”

In addition to buying emails, hackers often rely on social networks. About 29 percent of breaches used social engineering, according to a Verizon report. There has been a proliferation of fake LinkedIn^® accounts created by hackers posing as job recruiters, for example, which are being used to gain access to executive emails. Krehel said that, as the CEO of a security firm, he regularly receives suspicious requests for connections.

Once hackers make a connection, they obtain the victim’s email address. They then impersonate that person, using their email address, to send a spear phishing email to one of the victim’s colleagues or subordinates. In one scenario, the impersonator, who appears to have some level of authority, may ask for something with a sense of urgency. “Please read the attached document. Then we’ll discuss it in a week or so.” Embedded in the attached document is malware, such as a remote access tool (RAT) that infiltrates the system.

Or, a hacker pretends to be a member of the board or the CFO, who requests the employee to transfer funds to an account number. If the recipient regularly gets similar requests, he won’t think twice before transferring the money.

Hackers profile the companies, the hierarchies and their employees. They are crafty and do their homework. They often target long-time employees, Krehel said, because they are more comfortable in their position and less likely to question such a request. A newer employee might try to confirm with the purported sender, and then the ruse is exposed.

Krehel said LIFARS thwarts thousands of attacks on its own emails. Hackers routinely scan their clients’ emails and use those to try to infiltrate LIFARS. “They know we are trying to help our clients be rid of them, so they are retaliating.”

Best Practices

So, how are you going to protect yourself and your organization? First, stop denying that you’re at risk.

As an individual:

• Always verify the origin of the email in question—especially when the request is unusual and involves money or sensitive information.
• Remain vigilant—do not open attachments from an unknown sender. Cybercriminals are known to spoof recipients with emails that look as though they came from within the company, and internal emails pose a risk as well. When in doubt, verify with the sender personally or over the phone.
• Do not click on links within an email if they look suspicious—hover the mouse over a URL to examine the link. If you are taken to a website that requires personal information to be entered (such as your bank), it’s best to close the window, open a new one and input the address manually.

As an organization:

• Implement an internal training and awareness program to educate employees (including executives and top-level management) about the threat of spear phishing and prevention methods.
• Implement a system that requires two authorizations for wiring money over a certain amount.
• Conduct continuous third-party penetration testing to verify the effectiveness and integrity of the security controls in place.
• Conduct internal spear phishing exercises to test the potential risk of compromise by an outside actor.
• Have the latest generation of threat protection. Your security system must be able to detect and block these intrusions on multiple levels.