In this Help Net Security podcast, Scott Olson, the VP of Product Marketing at iovation, talks about the impact of spear phishing, and offers practical suggestions on how to prevent this growing threat.
Here’s a transcript of the podcast for your convenience.
Hello everyone, I’m Scott Olson, the Vice President of Product Marketing at Iovation, and today I’m going to be discussing spear phishing. Specifically, I’m going to give some examples of how spear phishing has impacted organizations, as well as some suggestions to combat this growing threat and how it might impact your own organization.
This is a growing problem, and if you’re curious what spear phishing is or if you haven’t heard about it, spear phishing is the fraudulent practice of sending emails or other messages (it could be a text message, as an example) that appear to be from a known or trusted sender, and that are sent in order to induce the targeted individuals to reveal confidential information about the organization, to provide details that would allow a compromise of the network, or to execute a financial transaction. Most of the large spear phishing breaches have targeted wire transfers and financial transactions, although there are some examples that I’ll be discussing that included data breaches.
Many people may have heard of phishing attacks, but they don’t know the difference between spear phishing and regular phishing attacks. At its most basic level, the difference between phishing and spear phishing is that phishing attacks aren’t tailored to the individual receiving the email or the message. Spear phishing attacks, on the other hand, target specific individuals within an organization. They’re targeted because they can execute a transaction or provide data that’s targeted by the fraudster, and most typically they’re in the finance organization so that they can execute, for example, a wire transfer. And there have been many, many examples of high-profile spear phishing attacks that have led to significant financial loss.
The financial impact
One of the most famous data breach attacks with spear phishing was with Anthem, a healthcare insurer. They settled a $115 million class action settlement. They had a data breach based on a spear phishing attack that allowed access to over 78 million healthcare records.
Ubiquiti Networks is another example. This one was with execution of international wire transfers. In this case, spear phishing induced the finance organization to transfer 46 million to scammers internationally through the wire transfers. They were able to recover about 8 million of that 46.
There was an Austrian firm, FACC, that lost 50 million Euros and also resulted in the CEO getting fired. There was a Belgian bank, Crelan, that lost $75 million. Even some of the largest tech organizations are not immune to this type of scheme. Facebook and Google lost $100 million as reported in the past couple years.
Reports point towards billions of losses in 2018. Of course, you don’t always have the exact examples because not everything is public, but billions of dollars of losses in spear phishing attacks against businesses, primarily targeting financial transactions and wire transfers.
How spear phishing attacks work
I’m going to discuss really quickly how they work. Spear phishing, unlike phishing attacks, which target a large audience and are often distributed by botnets, targets very specific individuals, as I mentioned, within a financial department most typically. The hacker, the fraudster, will craft fake emails and other documents. As an example, they’ll craft an invoice from the company they have set up that they want the wire transfer to go to, and it will include wire transfer details and target accounts for the transfer of money, and they’re typically targeting the finance department of organizations.
The emails themselves look like they come from someone in the recipient’s chain of management. They can often appear to come directly from the CEO, from the CFO, or from other high-level employees and VPs within that organization with the authority to direct payments or wire transfers.
What it is really trying to do is take advantage of typical operations to trick employees into a sense of urgency, where they will execute a transfer on behalf of one of their bosses, typically a very high-level boss, with a large transfer of money. In addition to wire transfers, these can also be electronic payments.
Preventing spear phishing attacks
There’s a variety of recommendations on how to combat these types of attacks. Most solutions that you’ll see out there focus on email security and education. From an education perspective, there’s employee education, certainly within your finance organization. They should be aware of these threats. There should be a process for vetting the emails that they get, especially ones that have requirements around executing a financial transaction like a wire transfer.
For things that have a sense of urgency, there should be a process for verifying and vetting those requests within the organization. Strong email security solutions, secure email gateways that combat forged emails and look for phishing emails and spear phishing emails, can also provide value.
From a policy perspective, it can be complemented by technology. One of the things that we talk to companies about is employing a stronger authorization process using authentication techniques for business financial transactions, where you can work with your bank to provide authorization within their business apps, especially for wire transfers. And when you think about this, there has got to be granularity around when you employ authorization techniques. As an example, there should be financial thresholds for explicit approval. This might be $1,000, it could be $5,000 or $10,000, but whatever is normal within your organization, where you need a stronger approval process where the threshold of risk is much higher.
There should also be out-of-band approval for financial transactions. When you’re executing a wire transfer, that typically happens through a banking app, maybe on the web; approval should come through a separate channel. For example, a mobile app is a good example of out-of-band approval.
One of the things that we recommend, and that is unique to a solution provided by iovation, is multiparty approval. You can designate two individuals that have to approve transactions, let’s say over $10,000. In those cases, you eliminate the concern around a single individual getting tricked. It would actually raise the threshold of the spear phishing attack to target two individuals that are in the approval process for wire transfers. You could have a manager that is in the approval process along with individuals that also have the ability to execute transfers.
When you do that, it should again be in-app for the out-of-band approval, and it should include details of the transaction itself. It should say who it is going to and what the amount is, so that these are communicated to both of those individuals. It should utilize strong authorization technology and authentication technology, and it should have strong MFA capabilities. When you execute transactions with that, you also gain non-repudiation, so you know exactly who executed it, and they can’t say that it was an accident or somebody else, and you can add in this multiparty capability.
From an iovation perspective, that’s one of the things that we help companies with, especially in our work with banks: we provide an authentication and authorization solution called LaunchKey that builds those capabilities right into mobile business and banking apps. We think there’s great potential in leveraging a stronger authorization process for combating threats like these within an organization. And if you’d like to find out more about our authentication and authorization solutions, you can visit www.iovation.com. Thank you very much.
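The approval policy described in the transcript (a dollar threshold above which two distinct designated approvers must approve, with each approval bound to the exact payee and amount shown on the out-of-band device) can be modelled in a few lines. This is an added illustration written for this page, not iovation’s or LaunchKey’s code; the threshold, approver names, per-device keys and transfer details are all constructed, and an HMAC stands in for the per-device signature a real deployment would use for non-repudiation.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    payee: str
    amount: int  # whole dollars; constructed sample values below


# Hypothetical policy values for this illustration (not iovation's):
MULTIPARTY_THRESHOLD = 10_000  # transfers at or above this need two approvers
REQUIRED_APPROVERS = 2
DESIGNATED_APPROVERS = {"cfo", "controller"}  # the two designated individuals

# Constructed per-device secrets, as if provisioned to each approver's phone.
APPROVER_KEYS = {
    "cfo": b"cfo-device-secret",
    "controller": b"controller-device-secret",
    "clerk": b"clerk-device-secret",  # can initiate transfers, not approve them
}


def transfer_digest(tx: Transfer) -> bytes:
    # The details the approver sees in the app are exactly what gets bound.
    return f"{tx.tx_id}|{tx.payee}|{tx.amount}".encode()


def sign_approval(approver: str, tx: Transfer) -> str:
    # Produced on the out-of-band device over the full transaction details.
    return hmac.new(APPROVER_KEYS[approver], transfer_digest(tx), hashlib.sha256).hexdigest()


def authorize(tx: Transfer, approvals: list) -> tuple:
    """approvals: list of (approver, mac) pairs. Returns (ok, reason)."""
    valid = set()  # a set, so the same person approving twice counts once
    for approver, mac in approvals:
        if approver not in DESIGNATED_APPROVERS:
            continue  # non-designated staff cannot approve, even with a valid device
        if hmac.compare_digest(mac, sign_approval(approver, tx)):
            valid.add(approver)  # approval matches this payee/amount exactly
    needed = REQUIRED_APPROVERS if tx.amount >= MULTIPARTY_THRESHOLD else 1
    if len(valid) < needed:
        return False, f"{len(valid)} of {needed} valid approvals"
    return True, "approved by " + ",".join(sorted(valid))
```

An approval generated for one payee does not validate a transfer whose payee was later swapped, which is the substitution a spoofed invoice relies on.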