SMX warns Kiwi companies of 'highly sophisticated' email scam

07 Sep 15

Cloud email security firm SMX is warning its customers and partners about a security issue following increasing incidents of highly-sophisticated targeted email fraud (aka ‘spear phishing’) and ‘whaling’ attacks.

Spear phishing describes a process of email fraud where individuals are targeted within an organisation and attacked with a combination of social engineering and email spoofing techniques to elicit funds. 

Whaling is where the same techniques are targeted at key senior executives, such as chief financial officers.

Thom Hooker, SMX’s co-founder and chief technology officer, says SMX has seen live attacks unfold in real time where, once they have a 'whale' hooked, attackers purchase brand new domains similar to those of their intended victims in order to trick companies into transferring cash overseas.

He says attackers are even following up with telephone calls prior to, as well as during, these attacks to further embellish the hoax.

In a blog on the SMX website Hooker describes a real-life example of a whaling attack on a large SMX customer. The CFO of this company received an email purporting to be from his CEO instructing the transfer of USD$192,000 to an international bank account. The email appeared completely legitimate, with the sender's email address displayed in the CFO’s mail client looking 100% correct. The incoming email contained no malware or links to malicious sites that would trigger the multiple security filters in place.

After the CFO responded, or was 'on the hook', the phishing gang registered a new .com domain name similar to the company's real domain and continued the email conversation from this new domain. 

That is, the phishing gang waited until they had a whale on the line before they spent any money on embellishing their scam.
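The mid-conversation switch to a similar-looking domain is something a mail pipeline can check for. The following is an added example, not code from SMX or from the article: it flags senders in a thread whose domain is a near match for the organisation's own, and all domains, addresses and function names in it are constructed for illustration.

```python
# Added example; all domains and messages are constructed (reserved TLDs).
OUR_DOMAINS = {"kiwifreight.example"}  # hypothetical: the organisation's real mail domain

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def brand_label(domain):
    # Assumption: input is a registrable domain ("brand.tld"); use a public
    # suffix list in production to strip subdomains and multi-part suffixes.
    return domain.lower().rstrip(".").split(".")[0]

def is_lookalike(domain, max_dist=2):
    domain = domain.lower().rstrip(".")
    if domain in OUR_DOMAINS:
        return False
    return any(edit_distance(brand_label(domain), brand_label(own)) <= max_dist
               for own in OUR_DOMAINS)

def review_thread(messages):
    """Return (index, header, address, reason) for suspicious senders in one thread."""
    findings, seen_own = [], False
    for i, msg in enumerate(messages):
        for header in ("from", "reply_to"):
            addr = msg.get(header)
            if not addr:
                continue
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in OUR_DOMAINS:
                seen_own = True
            elif is_lookalike(domain):
                reason = ("thread moved to look-alike domain" if seen_own
                          else "look-alike domain")
                findings.append((i, header, addr, reason))
    return findings

# Constructed thread: a correct-looking first sender, then a reply from a near-match domain.
THREAD = [{"from": "ceo@kiwifreight.example"},
          {"from": "ceo@kiwifrieght.invalid"},
          {"from": "accounts@supplier.example"}]
```

A finding here is a prompt for out-of-band verification of the request, not a verdict; the first message in such an attack can still display a correct-looking sender address.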

Hooker says this demonstrates that these individuals aren't just playing a numbers game and casting their net wide; they are identifying and targeting companies and senior individuals within those companies and then refining their proposition based on responses from their targets.

“If the CFO involved in this scam hadn't had the presence of mind to query the reason for the request, which ultimately led to this scam unravelling, this company would have lost a significant amount of money,” says Hooker.

“This story isn't uncommon internationally but is relatively rare in New Zealand. It highlights the importance of security awareness training for potential whaling and spear phishing targets.”

In the security alert sent to customers and partners, SMX recommends three key steps all companies and organisations should take:

  • Identify potential whaling or spear phishing targets within the organisation – these roles should include finance, management and IT security.
  • Conduct security awareness training for all identified roles – this training should include an awareness of these types of attacks and familiarisation with the organisation’s security policies.
  • Create and publish robust internal procedures for handling and identifying security incidents, responding to external queries requesting information on senior company executives, and so on.

Depending on the industry, SMX advises that companies and organisations may need to conduct training across a wider range of roles within the organisation.

Hooker warns that the sophistication and persistence of these attacks outside of the email flow means companies should not rely solely on computer security and algorithms to protect them. 

“Potential whaling targets need to be aware that criminals are undertaking sophisticated attacks right now and to protect themselves appropriately,” he says.
