How OPSWAT’s CFO fought off a sophisticated phishing attack

Whether we like it or not, spear phishing attacks are on the rise and are becoming more sophisticated. Thanks to social engineering, hackers have been able to successfully manipulate people into handing over confidential information and opening malicious email attachments, supported by the wealth of personal data that is now available via the internet.

It’s easy to find out what kind of power an individual employee holds by looking at their job title and their duties, which you can easily find on social media sites, their blog, or on a company’s website. Though anyone can be the victim of a targeted attack, those who work in accounting or finance positions are becoming increasingly common targets.

> See also: How to hack a bank – phishing is no longer about small fry

Verizon’s 2015 Data Breach Report shows that phishing campaigns are still surprisingly effective. Verizon reports that 23% of recipients opened phishing messages and no less than 11% clicked on the corresponding attachments. In addition, if a hacker sends out 10 emails, there is an astonishing 90% chance that at least one person will fall victim to the attack. The Verizon report also demonstrates that phishing attacks produce extremely fast results.

Two of Verizon’s security awareness partners sent out 150,000 phishing emails to see how many people would open the emails and what percentage would click on the links inside them.

The data showed that 50% of recipients opened the email and clicked on phishing links within the first hour, with the first clicks coming in after only one minute. This report proves just how easy it is for hackers to gain access to sensitive information via simple phishing attacks, especially because it can be hard to monitor the email activities of a large workforce.

As the CFO of OPSWAT, I often receive wire transfer requests from various executives, including our CEO, that require my approval. Of course, just because I approve this type of request frequently doesn’t mean I ever get to let my guard down.

Back in January, I received what I thought was a routine email. It appeared to be from OPSWAT’s CEO, Benny Czarny, requesting that I wire him money and asking when I would be able to complete the request. At first, I wasn’t suspicious of the email as it matched the writing style of our CEO almost exactly. The only thing that seemed off to me was the signature. Benny doesn’t usually sign his last name in his emails to me, but this detail was so minor that I didn’t pay much attention to it.

Since I did not yet suspect that the email might not be legitimate, I replied as I usually would, asking Benny to send me the details needed to complete the wire transfer request.

The attacker promptly replied with a transfer amount and asked how much time I would need to complete their request once I received the details. At this point, I was starting to doubt the authenticity of this email. I clicked to reveal the details of the sender’s email address and found that the email didn’t match Benny’s; the email was actually from c_e_o_private1@outlook.com.
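The decisive clue above was the mismatch between the familiar display name and the actual mailbox behind it. The following is an added example, not code from the article or from OPSWAT, showing how a mail gateway or a small triage script can surface that mismatch automatically before a human has to click through to the raw address. The company domain, the executive roster and the executive’s real address are assumptions; only the attacker’s outlook.com mailbox comes from the article. The third sample goes beyond the article’s case and covers the common variant where the From address looks right but a Reply-To header redirects replies elsewhere.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (not from the article): the company's mail
# domain, the executive roster and the executive's real address are placeholders.
COMPANY_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {
    "benny czarny": "benny.czarny@example.com",  # hypothetical address
}
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sample modelled on the message described in the article:
# the display name is the CEO's, the mailbox is a free webmail account.
SUSPICIOUS_RAW = """\
From: Benny Czarny <c_e_o_private1@outlook.com>
Reply-To: c_e_o_private1@outlook.com
To: CFO <cfo@example.com>
Subject: Wire
Date: Tue, 13 Jan 2015 09:12:00 -0800

Can you process a wire for me today? When can you complete it?
"""

# Constructed sample of a legitimate message from the executive's real mailbox.
LEGIT_RAW = """\
From: Benny Czarny <benny.czarny@example.com>
To: CFO <cfo@example.com>
Subject: Wire
Date: Tue, 13 Jan 2015 09:12:00 -0800

Please approve the attached wire. Thanks, Benny
"""

# Constructed sample of the Reply-To variant: From looks right, replies go elsewhere.
REPLY_TO_RAW = """\
From: Benny Czarny <benny.czarny@example.com>
Reply-To: c_e_o_private1@outlook.com
To: CFO <cfo@example.com>
Subject: Wire
Date: Tue, 13 Jan 2015 09:12:00 -0800

Send the payee details to this thread when ready.
"""


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_flags(raw):
    """Return the reasons a message looks like executive impersonation.

    An empty list means none of the header checks fired. The checks are
    deliberately simple: display name vs. known address, sender domain vs.
    company domain, free webmail provider, and Reply-To diverging from From.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = _domain(addr)
    flags = []

    expected = KNOWN_EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' is a known executive but address is {addr}")
    if domain and domain != COMPANY_DOMAIN:
        flags.append(f"sender domain {domain} is outside {COMPANY_DOMAIN}")
    if domain in FREEMAIL_DOMAINS:
        flags.append(f"sender uses free webmail provider {domain}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    return flags


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RAW),
                          ("legitimate", LEGIT_RAW),
                          ("reply-to variant", REPLY_TO_RAW)):
        print(label, "->", impersonation_flags(sample) or "no flags")
```

A hit on any of these checks is a reason to pause and verify out of band, not proof of fraud; legitimate executives do occasionally write from personal accounts, which is exactly why the verification step in the rest of the article matters.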

In order to confirm my suspicions, I decided to pay a visit to Benny’s office to get confirmation that he had not initiated the wire transfer request. Benny quickly confirmed that the request was not from him and I knew that we were dealing with a sophisticated spear phishing attack. Instead of deleting and ignoring the email, I decided to communicate with the sender to see if I could glean any further details by asking them to get me the complete payee info by 1pm that day.

The sender replied with details for a specific bank account. I replied by asking for a reference note for the wire transfer and which department the transfer was for.

The sender tried to avoid naming a specific department, as they were obviously not familiar with the specific titles of our departments, and tried to get me to reference the transaction directly to Benny.

I replied asking them to specify which department they would like me to charge the transfer to, and then gave them two department numbers to choose from. Little did they know, the department numbers I had sent them were completely fake.

My reasoning behind asking the sender for a specific department to charge the wire to was to assess how much they knew about our accounting department and bank wire system. Any additional data I could gather at this point would hopefully give investigators the information they needed to find and stop the hackers.

When the sender replied that the wire transfer was to be charged to one of the fake departments I had listed, I knew I had proof that this was a scam. I then ceased all communication and reported the attack to AppRiver, the SaaS provider we use for email security, so that the proper steps could be taken to safeguard our company and employees from future threats. In addition to contacting AppRiver, I filed a report on the attack with the Internet Crime Complaint Center (IC3), which is a division of the FBI.

> See also: How to avoid a CryptoWall nightmare – an unfortunate not-for-profit experience

I found the whole experience to be very eye-opening, so I wanted to share a few recommendations that I think will help other companies identify this type of attack.

Practice good internal communication

There is never a good replacement for in-person and open communication. If I hadn’t gone to our CEO’s office and asked him directly about the wire transfer, I would have spent even more time communicating with the attacker, and could have possibly revealed sensitive company information.

If you are trying to contact someone who is out of the office or works remotely, I would recommend utilising a variety of communication tools/modes to verify the identity and veracity of an email communication, such as messenger tools, phone calls, video conferencing, etc.

Learn personal writing styles

Once you have been in communication with someone over email for a substantial period of time, you will start to recognise their writing style. When you receive an email requesting money or other sensitive information, look for things that seem uncharacteristic of the sender.

Are they suddenly not using their email signature, signing with their last name when they usually don’t, or are they using punctuation differently? Looking for changes in style can help you to identify spear phishing attacks sooner. After all, you probably know the sender better than the hacker does in this situation, which gives you the upper hand—as long as you are paying attention!

Have proper accounting controls in place

I can’t stress enough the importance of internal accounting controls. If you are connected to the company’s finances, chances are that you are going to be higher on a cyber-attacker’s target list. Segregation of duties is key; never give the power to fully approve a financial transaction to just one individual.

For example, even if I had fallen for this scam and had approved the wire transfer request, it would have still required additional verification by someone in our accounting department. Controls like this may help save the day in case of a human error.
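The two controls recommended above, out-of-band verification of the requester and segregation of duties on approval, can be expressed as a small piece of workflow logic so that they cannot be skipped under pressure. The following is an added example, not OPSWAT’s code or process: the roles, the names and the two-approver threshold are assumptions chosen to illustrate the idea.

```python
from dataclasses import dataclass, field

# Assumed finance roles allowed to approve a wire (hypothetical, not OPSWAT's).
APPROVERS = {"cfo", "controller", "ap_manager"}
REQUIRED_APPROVALS = 2  # assumed threshold for the four-eyes rule


class ControlViolation(Exception):
    """Raised when an action would bypass an accounting control."""


@dataclass
class WireRequest:
    requester: str          # who asked for the money to be sent
    amount: float
    payee: str
    verification: str = None        # how the requester was confirmed out of band
    approvals: list = field(default_factory=list)

    def confirm_out_of_band(self, method):
        """Record that the requester confirmed the request by a channel other
        than the email it arrived in (phone call, in person, video)."""
        if method.lower() == "email":
            raise ControlViolation("replying to the same email thread is not out-of-band")
        self.verification = method

    def approve(self, approver):
        """Add an approval, enforcing segregation of duties."""
        if approver not in APPROVERS:
            raise ControlViolation(f"{approver} is not an authorised approver")
        if approver == self.requester:
            raise ControlViolation("requester cannot approve their own request")
        if approver in self.approvals:
            raise ControlViolation(f"{approver} has already approved")
        self.approvals.append(approver)

    def releasable(self):
        """True only with out-of-band confirmation and enough distinct approvers."""
        return (self.verification is not None
                and len(set(self.approvals)) >= REQUIRED_APPROVALS)


if __name__ == "__main__":
    # Constructed scenario mirroring the article: a request appearing to come
    # from the CEO reaches the CFO. Payee and amount are made up.
    req = WireRequest(requester="ceo", amount=25000.0, payee="Example Payee Ltd")
    req.approve("cfo")
    print("after one approval, releasable:", req.releasable())
    req.confirm_out_of_band("in person")
    req.approve("controller")
    print("after verification and second approval, releasable:", req.releasable())
```

The point of the design is that a single deceived approver, even the CFO, cannot move money alone: release needs a second person and a confirmation that did not travel over the attacker-controlled email thread.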

Ensure cybersecurity training for employees

Accounting controls are extremely important, but the reality is, any department can be hit with a phishing attack. That’s why it’s important to invest time in creating an effective cybersecurity policy for your employees to reference. Teaching employees about things like password management, how to deal with lost or stolen devices, or how to correctly apply patches and updates are all critical to your company’s protection.

Invest in email security software

Investing in email security software can help you mitigate the risks associated with human error by acting as a checkpoint for all email flowing in or out of an organisation. Email security software can check for spam, phishing, malware and other prohibited content.

Organisations can also utilise the power of multi-scanning (scanning for threats with multiple antivirus engines) alongside email security software to scan email attachments for malware, and perform document sanitisation and file type verification.

Document sanitisation cleanses files of possible embedded threats so that they are free of malware, while file type verification acts as a guard against spoofed files, such as .exe files disguised as PDFs.
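File type verification works by comparing what a file claims to be (its extension and declared MIME type) with what its content actually is, using the well-known signature bytes at the start of each format. The following is an added example, not code from the article or from any vendor’s product; the signature table is deliberately short and the sample attachments are constructed byte strings.

```python
import os

# Leading signature bytes ("magic") for a few common formats. These values are
# public format facts; the table is intentionally minimal for the example.
MAGIC = {
    "pdf": b"%PDF-",
    "exe": b"MZ",                    # DOS/PE executables start with "MZ"
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
}


def detect_type(data):
    """Return the format name whose signature the content starts with, or None."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def verify_attachment(filename, data):
    """Compare the filename's extension with the content's real type.

    Returns (accepted, reason). Unknown content is not accepted silently:
    a gateway would route it to quarantine or deeper inspection rather than
    guessing.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = detect_type(data)
    if actual is None:
        return False, f"{filename}: unrecognised content, hold for review"
    if ext != actual:
        return False, f"{filename}: extension says {ext} but content is {actual}"
    return True, f"{filename}: content matches extension ({actual})"


# Constructed sample attachments (first bytes only, as a gateway would read them).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),   # genuine PDF header
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),       # executable renamed .pdf
    ("report.zip", b"PK\x03\x04\x14\x00"),
    ("notes.txt", b"plain text has no signature"),
]


def scan_samples():
    """Run every constructed sample through verify_attachment."""
    return [verify_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for accepted, reason in scan_samples():
        print("ACCEPT" if accepted else "BLOCK ", reason)
```

Real gateways extend this with a much larger signature database, container inspection (an Office document is a zip archive, so the check must recurse) and the sanitisation step the article describes, but the core decision is the same: trust the bytes, not the name.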

With the above tips at your disposal, you should be able to greatly decrease the likelihood of being tricked by spear phishing attacks. If a threat happens to get through despite taking the appropriate security measures, make sure to trust your instincts when deciding if an email is trustworthy or not. Chances are, if something doesn’t feel right then there is a high likelihood that the email is fraudulent! 

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...