How Executives Fall for Email Scams

Aug 15, 2016

Today’s fast-changing and rapidly deteriorating cyber-security environment increasingly points in one direction: human fallibility. Phishing and spear-phishing attacks are on the rise. Wombat Security Technologies’ January report, State of the Phish, puts them up 13 percent and 22 percent, respectively, since 2014.

There’s a very simple reason: they’re highly effective. According to the report, emails that include the recipient’s first name achieve click rates 19 percent higher than emails with no personalization. When these attacks carry a payload, it is usually delivered through PDF files, Adobe Flash, Microsoft Office and Silverlight documents, HTML attachments and Java.

Worse, the techniques keep getting more sophisticated. So-called “impersonation” and “whaling” attacks, which pose as a trusted colleague or executive and trick CFOs, HR directors, sales teams and even CEOs into divulging sensitive data or approving payments, are on the rise. Part of the reason they succeed is that there is no malware and no link to identify or analyze: the message is plain text and the payload is the request itself, so attachment sandboxes and URL filters have nothing to inspect.

Security vendor Proofpoint notes that imposter emails have increased by more than 270 percent over the last year, with 50 percent now targeting the CFO and 25 percent directed at HR.

Among the growing list of targets: Mattel, MedStar Health, Seagate, Snapchat, Sprouts Farmers Markets and Weight Watchers International. According to Proofpoint, 20 percent of these imposter emails also request immediate wire transfers. It also reports that imposter email attacks have enabled hackers to steal upwards of $1.2 billion from 2013 through 2015.

It’s critical to understand just how fallible most companies are and how easy it is to succumb. Mattel nearly lost $3 million, according to news reports. Various industry studies and security consultants report that as many as one-third of C-level executives fail simulated social engineering tests.

Too often, in the quest to conduct business at lightning speed and avoid cumbersome rules and restrictions, organizations eschew critical controls, and many also lack ongoing education and training. One CTO found that 58 percent of the organization’s staff clicked on a simulated malicious link.

But what makes impersonation and whaling so challenging is that the sender address can be forged or made to look almost exactly like the real one. Either the From header simply claims the executive’s genuine address, or the attacker registers a look-alike domain that differs by a transposed or substituted character and reads as the real one at a glance. Catching the first case requires the receiving mail system to check sender authentication (SPF, DKIM and DMARC) on the company’s own domain; catching the second requires scanning for near-match domains and borrowed display names. Both are types of analysis that many companies still lack.
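The checks described above, as an added example that is not part of the original article or any vendor’s product: a small Python triage routine that inspects one inbound message for the indicators a whaling email leaves even when it carries no malware and no link. The protected domain (example.com), the executive list, and the sample messages are all constructed for this example; rule 4 assumes the receiving mail server stamps an Authentication-Results header, and the distance threshold of 2 is a tuning choice, not a standard.

```python
"""Flag executive-impersonation email: look-alike sender domains, borrowed
display names, diverted Reply-To, and forged use of the company's own domain.
Added example; the domain, names and messages below are constructed."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the protected domain and the executives whose
# names an impersonator is likely to borrow.
LEGIT_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}

# Substitutions seen in look-alike domains: letter pairs, digits, and the
# Cyrillic letters that render identically to Latin a, e, o, p, c, x.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII string a victim's eye would read."""
    d = domain.lower()
    try:                                   # punycode (xn--) labels back to Unicode
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))   # drop accents
    d = "".join(CONFUSABLES.get(c, c) for c in d)
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero value suggests a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> list:
    """Return the impersonation indicators that fire for one RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. A domain that is not ours but reads like ours once confusables are folded.
    if from_domain and from_domain != LEGIT_DOMAIN:
        dist = levenshtein(normalize(from_domain), normalize(LEGIT_DOMAIN))
        if dist == 0:
            reasons.append(f"homoglyph domain: {from_domain}")
        elif dist <= 2:
            reasons.append(f"typo-squat domain (distance {dist}): {from_domain}")

    # 2. An executive's name on an address that is not that executive's.
    key = " ".join(display.lower().split())
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{display}' on foreign address {addr}")

    # 3. Replies steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply)} != From domain {from_domain}")

    # 4. Our own domain in From with no DMARC pass recorded by the receiving MTA
    #    (assumes the MTA stamps Authentication-Results; absence counts as failure).
    if from_domain == LEGIT_DOMAIN and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        reasons.append("From claims our domain without dmarc=pass")
    return reasons


# Constructed samples, not captured traffic.
TYPO_SQUAT = "From: Jane Doe <jane.doe@exarnple.com>\nSubject: Urgent wire, confidential\n\nIn a meeting, please send today. Jane\n"
TRANSPOSED = "From: Finance <ap@exampel.com>\nSubject: Updated remittance details\n\nNew account attached.\n"
CYRILLIC = "From: Jane Doe <jane.doe@ex\u0430mple.com>\nSubject: Vendor bank change\n\nDetails attached.\n"
FORGED = ("From: Raj Patel <raj.patel@example.com>\n"
          "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.attacker.test; dmarc=fail header.from=example.com\n"
          "Subject: W-2s for all staff\n\nSend as PDF please.\n")
FREEMAIL = "From: Raj Patel <raj.patel.cfo@gmail.com>\nReply-To: accounts@payments.attacker.test\nSubject: Invoice\n\nPay this now.\n"
CLEAN = ("From: Jane Doe <jane.doe@example.com>\n"
         "Authentication-Results: mx.example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
         "Subject: Board deck\n\nDraft attached.\n")

if __name__ == "__main__":
    samples = [("TYPO_SQUAT", TYPO_SQUAT), ("TRANSPOSED", TRANSPOSED), ("CYRILLIC", CYRILLIC),
               ("FORGED", FORGED), ("FREEMAIL", FREEMAIL), ("CLEAN", CLEAN)]
    for name, raw in samples:
        print(name, assess(raw) or ["no indicators"])
```

The routine flags rather than blocks: a partner whose real domain sits within two edits of yours will trip rule 1, so the output belongs in a quarantine or banner workflow with a human decision, and the executive list and distance threshold need tuning per organization. Rule 4 only works once the company publishes SPF, DKIM and a DMARC policy for its own domain; without that, a forged From header claiming the real executive address passes every other check here.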

Enterprise security needs to keep on getting smarter because, rest assured, the crooks keep on inventing new and better ways to trick people.
