TOM JEWKES

An entry-level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited that the CEO recognizes him and needs his help on a major acquisition. The CEO requests that 50 million euros be wired immediately to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Unfortunately for Sebastian and his large Austrian aerospace company, FACC, the email was not from his CEO. This was one of the most profitable phishing expeditions ever. The company could only recover 20% of the funds. The CEO was fired and, most likely, so was Sebastian.

Phishing is a type of cyber-attack that uses email to trick the recipient into doing some particular action or providing private information. The term was coined in 1995 as a variant of fishing and refers to the “bait” used to get the victim to “bite.” There are several variations of phishing. Whaling refers to targeting high-level personnel in an organization. Spear phishing refers to a phishing attack targeting a specific group of people like the military, a specific company, or certain professionals.

With the techniques used today, it is not always simple to identify a phishing attack. Although the Nigerian Prince scam, with its poor grammar and misspelled words, is still around, there are new scams that look extremely legitimate and appear to be from legitimate organizations.

Here are some ways to spot a phishing email. If an email is asking for personal information or asking you to verify details like bank or credit card information, don’t take the bait. Established companies never ask for sensitive information. Be cautious of emails presenting dire warnings and potential consequences which require urgent action. Some examples might be a warning that an account of yours has expired or has been hacked. Similarly, be wary if there is an urgent deadline to go along with the dire consequences. Another common phishing tactic is to offer large financial rewards. This could be winning a lottery that you did not enter or being the prize-money winner for a bogus contest. If it sounds too good to be true, it probably is.

Now that you are starting to smell something phishy, how do you determine what to do? First, don’t click on the provided link, if there is one. Hover over the link and look at the bottom left corner of your browser or email client. It should show the full web address. Some bogus web addresses will have extra words or letters added which do not belong to the legitimate address. Carefully scrutinize the address. (For example, g00gle is not the same as google.) Also, beware of short URLs (hyperlinked website addresses). Hackers can hide their true address inside a tiny URL link.
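The hover-and-inspect check described above, automated for an HTML email body as an added example (not part of the original article): it flags short-URL hosts, digit-for-letter lookalikes such as g00gle, trusted names padded with extra words, and visible text that shows a different address than the real link. The allow-list, the shortener list and the sample links are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"google.com"}                        # assumed allow-list for this example
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed list of short-URL hosts
SWAPS = str.maketrans("0135", "oles")           # digit-for-letter swaps, e.g. g00gle

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):  # simplification: last two labels, not the Public Suffix List
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text):  # returns the reasons a link deserves a second look
    host = urlsplit(href).hostname or ""
    domain = registered_domain(host)
    findings = ["shortener"] if domain in SHORTENERS else []  # real destination is hidden
    if domain not in TRUSTED:
        if domain.translate(SWAPS) in TRUSTED:
            findings.append("lookalike")        # g00gle is not google
        if any(t.split(".")[0] in host for t in TRUSTED):
            findings.append("brand-in-host")    # extra words around a trusted name
    shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?]|$)", text.lower())
    if shown and registered_domain(shown.group(1)) != domain:
        findings.append("text-mismatch")        # visible address differs from the real one
    return findings

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}

SAMPLE = ('<a href="http://g00gle.com/verify">www.google.com</a>'  # constructed email body
          '<a href="https://tinyurl.com/constructed-sample">Claim your prize</a>'
          '<a href="https://google.com.signin.example/reset">Reset password</a>'
          '<a href="https://accounts.google.com/">Account settings</a>')
```

Calling `scan(SAMPLE)` returns a dictionary mapping each link to its list of findings; an empty list means none of these checks fired, not that the link is safe.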

When you get an email that seems like it really came from your bank, for example, mentioning dire consequences and an urgent deadline, call the bank using a number YOU KNOW is good, or check the official website. (Google the website; don’t click the link in the email to determine if the email is legitimate.) Many spear phishing attacks can be thwarted with policies requiring a second method of approval before email requests for funding are carried out (which Sebastian should have looked for).

To protect your business, you should look at increasing your cyber defenses. This may be something like using email services that stop most phishing attempts. Businesses can use email certificates to digitally sign emails so recipients can verify they came from you.

Training and awareness are the key.

There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees to determine how well the training is sinking in.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO.

Thomas Jewkes is an Assistant Professor of Practice in the Cyber Operations program at the University of Arizona College of Applied Science and Technology (CAST) in Sierra Vista, and founder of cybereyeaw.com.