First, the attacker seeks out a single worthwhile victim. Then, by researching publicly accessible information (organizational charts, social networks, press releases), the attacker determines a colleague or supervisor whose name will be used as the fake sender. The e-mail itself is personalized and tries to convey urgency and confidentiality in order to avoid being recognized as fraud, and it asks the recipient to contact the sender only via e-mail.
How to identify spear phishing attempts
So if you receive an e-mail supposedly sent by a supervisor or colleague that
- asks you to do things that were not communicated by any other channel and which, if not legitimate, might have a massive financial impact (e.g. transfer x Euro to account y),
- asks you to treat the matter confidentially and handle it urgently,
- asks you to communicate only via e-mail with that supervisor or colleague,
- or asks you for an "unbureaucratic" shortcut to handle the matter, perhaps even threatening personnel consequences,
then do not fulfil such requests.
Instead reach out to the supposed sender in person or by phone to make sure that the mail was not an attempt to defraud you or the company.
If you are the victim of such an attack or have any questions on this topic, do not hesitate to contact IT Security.
Example of a spear phishing mail
From: <managing director>
To: <employee financial accounting>
Dear Mr. <Employee Financial Accounting>!
I have a financial issue that is extremely important and requires the utmost discretion.
Can I count on you to take care of it?
Any personal or telephone exchange is prohibited (we only communicate by email)
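The warning signs listed above can also be checked mechanically as a first triage step, for instance in a mail gateway rule or an analyst's helper script. The following Python script is an added example and not part of the original page: it scores a message for the indicators named above (financial request, confidentiality, urgency, e-mail-only contact, pressure or shortcuts) and additionally checks whether a display name matching a known executive arrives from an address outside the company's own domain. The domain name example.com, the executive list, the sample messages and the score threshold are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the company's own mail domain and the
# display names of executives who are likely to be impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"managing director"}

# Indicator phrases modelled on the warning signs listed on this page.
# Each category that matches adds one point to the score.
INDICATORS = {
    "financial request": [r"\btransfer\b", r"\bpayment\b", r"\bbank account\b", r"\bfinancial\b"],
    "confidentiality": [r"\bdiscretion\b", r"\bconfidential", r"\bsecrecy\b"],
    "urgency": [r"\burgent", r"\bimmediately\b", r"\bextremely important\b"],
    "email-only contact": [
        r"\bonly (communicate|contact)\b.*\be-?mail\b",
        r"telephone exchange is prohibited",
        r"\bdo not call\b",
    ],
    "pressure or shortcut": [r"\bunbureaucratic\b", r"\bconsequences\b", r"\bno questions\b"],
}

SUSPICIOUS_THRESHOLD = 3  # assumption: tune to the local false-positive rate


def analyze(raw_message: str) -> dict:
    """Score a raw RFC 5322 message for spear-phishing indicators."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # Collect which indicator categories fire and which patterns caused it.
    hits = {}
    for label, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[label] = matched

    # Name-spoofing check: an executive's display name on an external address
    # is the classic CEO-fraud setup and weighs more than a single phrase.
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_spoof = display_name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN

    score = len(hits) + (2 if name_spoof else 0)
    return {
        "score": score,
        "indicators": hits,
        "display_name_mismatch": name_spoof,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


# Constructed sample modelled on the example mail above; the address is invented.
SAMPLE_FRAUD = """From: Managing Director <md.private@freemail.invalid>
To: accounting@example.com
Subject: Urgent matter

Dear Mr. Employee!
I have a financial issue that is extremely important and requires the utmost discretion.
Can I count on you to take care of it?
Any personal or telephone exchange is prohibited (we only communicate by email)
"""

# Constructed benign control message from an internal address.
SAMPLE_BENIGN = """From: Colleague <colleague@example.com>
To: accounting@example.com
Subject: Lunch

Shall we have lunch on Thursday?
"""

if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("benign", SAMPLE_BENIGN)):
        result = analyze(raw)
        print(name, result["score"], sorted(result["indicators"]), result["suspicious"])
```

A hit on this heuristic is a reason to verify the request through a second channel, as described above, not proof of fraud on its own; the phrase lists are deliberately small and should be extended with the wording seen in your own organisation's incidents.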
In social engineering, the perpetrator exploits the "human factor", supposedly the weakest link in the security chain, in order to realize their criminal intent.
CEO Fraud or President Scam
CEO fraud is a scam in which companies are manipulated, by means of false identities, into transferring money.
Most of the time it is a fake e-mail that appears to have been sent by a member of the company's management. These e-mails contain supposedly justified instructions to transfer large sums of money to a foreign bank account. Sometimes a caller even confirms the request by telephone. The fraudsters obtain the necessary information through targeted searches on the Internet or through social engineering.
The employees who are to execute the transfer are often put under time pressure, and the need to keep the transfer secret is emphasized.