Spear phishing presents growing risk for organizations

By Erin Ayers on August 27, 2015

Spear phishing attacks are far more sophisticated and targeted than many organizations realize, according to a panel of experts speaking during a recent Advisen webinar.

“People think it’s spam. That’s just not true. Spam is a totally different ball game,” said Chris DeMunbrun, special agent with the US Secret Service. Spam is bulk email that nags recipients to click links and buy products; it is a nuisance rather than an attack. Phishing is a more sophisticated relative: bulk email that tries to trick recipients into opening a malicious link or attachment or handing over credentials. Spear phishing goes a step further and aims at specific people, usually with the intent of stealing money, gathering information, or slipping malware into a network.

“They do due diligence within an organization and send tailored emails,” said DeMunbrun. “Phishing is a very patient game, because it takes a lot of reconnaissance.”

Bill Downes, chief information security officer for The Hartford, commented during the webinar that the prevalence and potential losses from spear phishing should prompt businesses to take a close look at their practices, policies, and employee training. One of the largest cyber attacks of 2015 thus far occurred at health insurer Anthem because of an extensively planned spear phishing effort.

Downes explained that the hackers evaluated Anthem’s corporate structure to determine which employees held high-level authority on its systems. They then sent tailored spear phishing emails to about 15 to 20 individuals and convinced some of them to click on links that installed malware on Anthem’s network.

“And that was how Anthem was broken into,” said Downes. “Spear phishing could be for immediate cash, or phase one of a greater attack.”

For scams that seek cash, the panelists advised listeners to put checks and balances in place so that a wire transfer cannot be approved quickly on the strength of a single request. Liz Olsson, senior vice president with Wells Fargo, recounted the story of a publicly traded company that had been considering an overseas corporate acquisition for some time.

A hacker broke into the company’s email system and, for an extended period, read the messages detailing the negotiations over the potential purchase. Eventually the hacker sent an email to the CFO posing as the company’s CEO and requesting a wire transfer of $6 million. The email was so skillfully worded, and so close to the CEO’s actual writing style, that the CFO did not detect the deception.

“It speaks to the sophistication of these hackers,” she said. “That money was gone in just a matter of minutes.”
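The two controls the panel is pointing at, as an added example that is not part of the webinar or of any vendor's product: a header and body check for executive impersonation, and a dual-control rule for releasing wires. The corporate domain `example.com`, the executive directory, the thresholds and the three messages are all constructed for illustration. Note the caveat the Wells Fargo story itself illustrates: when the attacker sends from the CEO's own compromised mailbox, the header checks pass, and only the out-of-band confirmation and second approver stop the money.

```python
# Added example (not from the webinar): two cheap controls against the
# CEO-to-CFO wire fraud described above. Domain, executive list and the
# sample messages below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                          # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed executive directory
PRESSURE = re.compile(
    r"\b(urgent|immediately|today|confidential|do not (?:call|discuss))\b", re.I)


def _fold(domain: str) -> str:
    """Collapse common look-alike substitutions so 'exarnple.com' folds to 'example.com'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("1", "l").replace("0", "o"))


def impersonation_indicators(raw_message: str) -> list[str]:
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # Display name of an executive on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display name is an executive but address is not theirs")
    # Registered look-alike of the corporate domain.
    if sender_domain != CORP_DOMAIN and _fold(sender_domain) == _fold(CORP_DOMAIN):
        flags.append("look-alike sender domain")
    # Replies silently diverted to a mailbox the attacker controls.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to points to a different domain")
    # Urgency and secrecy are the social-engineering levers in the story above.
    if PRESSURE.search(msg.get_payload()):
        flags.append("pressure language in body")
    return flags


def wire_release_allowed(amount: float, requested_via: str, callback_verified: bool,
                         requester: str, approvers: list[str],
                         threshold: float = 10_000.0) -> tuple[bool, list[str]]:
    """Dual control for outgoing wires: above the threshold, an e-mail request is
    never sufficient on its own. Returns (allowed, reasons_for_refusal)."""
    reasons = []
    if amount >= threshold:
        if requested_via == "email" and not callback_verified:
            reasons.append("no call-back on a known number")
        if len(set(approvers)) < 2:
            reasons.append("fewer than two distinct approvers")
    if requester in approvers:
        reasons.append("requester cannot approve own request")
    return (not reasons, reasons)


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@exarnple.com>
To: cfo@example.com
Subject: Urgent - acquisition wire

Please wire $6,000,000 today to close the deal. I am in meetings, email only.
"""

COMPROMISED = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Reply-To: Jane Doe <jd.private@mail.example.net>
Subject: Wire instructions

Keep this confidential until announced; wire details attached.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Slides for Thursday attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("legit", LEGIT)):
        print(label, impersonation_indicators(raw))
    # The $6M request arrives by email, unverified, and the CFO is also an approver.
    print(wire_release_allowed(6_000_000, "email", False, "cfo", ["cfo", "controller"]))
```

The header heuristics are deliberately simple and will miss a message sent from a genuinely compromised executive account, which is why `wire_release_allowed` treats the email as a request to be verified rather than as authorization; the call-back must go to a number already on file, never to one supplied in the message.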

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.