Email Attacks: Spear Phishing The C-Suite

  • Contributors:
  • Eric Larson
Image of business man sitting on desk and carefully reviewing a phishing attempt on his laptop

It seems that every week another large corporation reports major losses due to ransomware, fraudulent wire transfers, or theft of customer data.

Cyber criminals have honed their craft, and a clear pattern has emerged over the past several years: criminals know it’s easier to “hack” a human being than to break through a company’s technical security defenses.

Employees are the weakest links in any company’s security, and employee security awareness and education is the best way to mitigate that risk.


What does a typical attack look like?

Traditional email attacks (also called “phishing” attempts) are common, and fortunately, they’re usually easy to spot.

Generic emails —often with grammar or spelling errors— are delivered as mass mailings to recipients, encouraging them to click a malicious link.

Most spam/malware filters can easily identify these and screen them out, but some will get through. It’s important that end users can identify these emails and delete them without clicking any dangerous links and causing damage.

But criminals are more sophisticated now.

Targeted attacks (also called “spear phishing“) are on the rise, and they’re more difficult to identify.

Anti-malware software can be fooled because criminals take the time to register a legitimate domain name on the Internet, and they research their victims via company web pages, LinkedIn, and publicly available information so they can be as convincing as possible.

Personally identifiable information (PII) is often for sale on the Internet, and the author of a phishing email can now obtain a wealth of information on a target.

They may greet their target by name, often masquerading as a friend, a bank or business, or even as a manager or other authority figure.


Real-world examples of spear phishing:


February 2016: A health care system employee was tricked into emailing W-2 information for more than 5,000 employees to an unknown criminal posing as a high-ranking executive.

The criminal used a spoofed email address and enough detail that the employee was fooled into thinking it was a legitimate request.


June 2015: Employees at a large wireless networking company were tricked by spear phishing emails into transferring $46.7 million to overseas accounts held by third parties.

Criminals with a wealth of information on the company and its executives sent messages from spoofed email addresses, impersonating executives and crafting legitimate-looking requests to transfer funds.


April 2015: A large toy manufacturing company lost $3 million during a C-suite shakeup when a finance executive received an email that appeared to be from the newly-installed CEO requesting payment to a vendor in China.

The company had a corporate policy that required approval from two high-ranking managers for such a transfer, but the attacker made sure to request that the finance executive who qualified make the transfer, and the attacker also qualified as the “CEO.”


These are just three examples among thousands.

The FBI repeatedly issues warnings about these Business Email Compromise (B.E.C.) scams, reporting that they’ve received complaints from victims in every state in the U.S. and at least 79 other countries – from 17,642 victims as of last count.

Losses from these scams total more than $2.3 billion to date.


What can be done?


1. Implement anti-spam / anti-malware technology as the first line of defense.

A good spam/malware screening solution is still the best way to screen out the most obvious phishing attempts and should always be implemented.

If the software offers a link-rewriting feature, consider enabling it so that all links are checked a second time, in real time, when the user clicks – otherwise, links in emails are only checked once, when they first pass into the user’s inbox.


2. Educate all employees and make them aware of the problem.

High-level executives, partners, and those who work directly for them are prime targets for spear phishing attempts. Repeatedly remind employees in these positions that they’ll receive targeted attacks via email. Help them understand how to identify and report any attempts.

If possible, create or purchase formal training for all employees to help them better understand the scope and consequences of the problem. Even something as simple as making sure employees know to look closely at the email address in the “From” field can make a difference in detection.


3. Have preventive controls and procedures in place to mitigate risk.

Ask yourself: how can we make it impossible for a single employee to act based on a single email, even if a request appears legitimate?

You could require verbal confirmation for all emailed requests for information or fund transfers.

Create new procedures with spear phishing in mind that must be followed in order to avoid inadvertent actions by employees that could compromise PII or result in financial loss.


4. Stay up to date on the latest spear phishing tactics used by criminals.

Phishing techniques are always evolving, and they’ve been getting more and more sophisticated every year. Spear phishing is currently a low-risk, high-reward crime, and the problem will continue to get worse before it gets better.

Pay attention to news about businesses that have been compromised recently, and watch for advice from the FBI and reputable security companies.


Phishing attempts are a real problem, and the losses of data and cash are very real to thousands of businesses. Criminals can target anyone in a company, not just C-suite executives and other high-ranking personnel.

If a criminal thinks they can fool a CFO into sending confidential information, they will do so – but they might feel they can get that same information from a payroll clerk, and they will put the same amount of effort into obtaining it.

The most important thing is to make sure all employees and executives are aware of the problem.

By taking preventative measures, educating employees, and putting proper procedures in place, you can make sure that your company is a difficult target and that spear phishing attempts won’t bear fruit.


Have questions about cyber security? Let’s talk!