C-Level Fraud and Spear-Phishing Across International Boundaries
 

Cave drawing found in southern France showing early spear-fishing have been dated back 16,000 years, and whaling has been practiced as an organized industry as early as 875 AD. While spear-fishing started out as an effective way to provide sustenance for early man and whaling started out as a means to provide fuel (whale oil) and raw materials to fund other endeavors. So, isn’t it amazing that modern cybercriminals utilize techniques that actually date back thousands of years before computing was even a thought?

Spear-Phishing Demystified

Early phishing campaigns relied on blanketing large audience with a simple email making what looked like a valid request but in fact masked the insertion of malware. It was a numbers game and the criminals came out on top for the time it took security vendors to find preventative measures. It is natural for any predator to adapt and that is how spear-phishing manifested to create more specific targets with highly focused content. According to SearchSecurity a spear-phishing attack is:

"...an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.”

The statistics for 2018 targeted phishing attacks are staggering. According to a CSO magazine article titled “11 top cybersecurity statistics at-a-glance”

• 92% of malware is delivered by email.
• 56% of IT decision makers say targeted phishing attacks are their top security threat.
• 77% of compromised attacks in 2017 were fileless.
• The average ransomware attack costs a company $5 million.

This level of success has also bred an even more targeted class of cyber attack.

C-Level Fraud Demystified

Cyber criminals recognizing that targeted approaches to phishing yield measurable results then set their site of even bigger targets. On one hand these high-profile targets are highly visible and access to personal and professional information is usually just a mouse click away. Think about it; how much information do you think you can find on the CEO of a fortune 500 company versus the average mid-level manager of a small to medium business? These high-profile phishing attacks are known as whaling (or C-level fraud).

According to SearchSecurity a Whaling Attack is:

“...a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access to sensitive data. In many whaling phishing attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.”

Because of the potential high value returns of C-level fraud attacks, cyber criminals spend extraordinary amounts of time profiling their targets in order to highly customize the attack and make the series of phishing emails appear as legitimate as possible. A recent example was reported by KrebsOnSecurity in a post titled “Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions”:

“A highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at credit unions, and many credit union sources say they suspect the non-public data may have been somehow obtained from the National Credit Union Administration (NCUA), an independent federal agency that insures deposits at federally insured credit unions.”

It is the subtleties that separate successful spear-phishing and C-level fraud attacks from the average phishing attack. With that in mind, it is best to prevent these types of attacks before they even reach their intended targets.

Preventing C-Level Fraud and Spear-Phishing

The most effective C-level fraud and spear-phishing prevention strategy will include an ecosystem that accounts for the malware infiltration, email protection and human education components in order to be most effective. Understanding that any executable code inside of content is malicious will ensure your malware infiltration solution is a best first line of defense.

Combine that with targeted email threat protection and security awareness training for your employees and you will have everything you need to protect against these advanced phishing kits in the hands of cyber criminals intent on extorting your organization.