Spear-phishing – targeted, fraudulent emails crafted to look genuine and to come from a trustworthy source – is the proximate cause of most Social Engineering Fraud losses. Everyone will be a target at some point, and likely on more than one occasion. These attacks have become sophisticated enough that only an alert reader stands a chance of spotting them before it is too late. Here are 5 tips to help you catch spear-phishing in your inbox:
DON’T OPEN SUSPICIOUS ATTACHMENTS OR CLICK ON LINKS IN THE EMAIL
Just about any type of attachment, including .doc, .ppt, or .xls files, can carry malware (a macro, an embedded script, or an exploit for the application that opens it). Clicking a malicious link or opening a fraudulent file can compromise your computer. To investigate a hyperlink without clicking it, hover your mouse over the link and carefully read the address that appears: the visible text of a link can say one thing while the actual destination is another, and a shortened or redirecting URL hides the destination altogether. If you don’t recognize the address, don’t click it. (On a phone or tablet there is often no hover; press and hold the link to preview it, or wait until you are at a desktop.) For attachments, only once you have verified the sender through a channel other than the email itself should you consider opening one. If in doubt, speak to your IT department first. This is a situation where curiosity can be dangerous.
BE EXTRA CAUTIOUS WHEN YOU DON’T KNOW THE SENDER
If you receive an email and you don’t know who the sender is, be on higher alert. It seems obvious, but with business-related emails you never know who might be trying to get in touch with you, and in the interest of good service we often jump right in to see who it might be. However, even if you recognize the name or know the person, don’t let your guard down. Some of the most devastating losses are caused by someone impersonating a trusted associate, client, vendor or executive.
CHECK THE EMAIL ADDRESS OF THE SENDER CAREFULLY, EVEN INTERNAL EMAILS
Many spear-phishing attacks use email addresses carefully designed to look just like a legitimate one: a single swapped or added character in the domain, or a look-alike domain registered for the attack. Also, many email clients show only the display name of the sender, not the full email address, and the display name is whatever the sender chose to type. Hover over the sender’s name or click ‘reply’ (without sending!) to see the actual address, and read the part after the @ sign carefully. That’s the first step. Sadly, even if the email address is legitimate, it doesn’t necessarily mean the message is safe. The account behind that address may itself have been compromised, in which case the email really did come from your contact’s mailbox.
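The two checks above (the link’s real destination versus its visible text, and the sender’s real address versus the display name) can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the original article or from The Guarantee; it uses only the Python standard library. The trusted domain, the sample message, the list of look-alike character swaps, and the “last two labels” rule for the registrable domain are all assumptions made for illustration (the last one ignores suffixes such as co.uk and would need a public-suffix list in production).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation actually uses (assumed, illustrative).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample message, not a real email; all names and domains are illustrative.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@examp1e-corp.com>
To: staff@example-corp.com
Subject: Urgent wire transfer - today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please approve this today. Details are at
<a href="http://example-corp.com.login-verify.net/pay">https://example-corp.com/finance</a>.</p>
<p>Vendor portal: <a href="https://example-corp.com/vendors">vendor portal</a></p>
</body></html>
"""

# Character swaps commonly used to make one domain resemble another (assumed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def skeleton(domain):
    """Collapse look-alike substitutions so 'examp1e' and 'example' compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(domain):
    """True if the domain is not trusted but collapses onto a trusted one."""
    return domain not in TRUSTED_DOMAINS and skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender: look past the display name to the actual address and its domain.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        findings.append(("lookalike_sender", f"{name!r} sends from {addr!r}, which only resembles a trusted domain"))
    elif sender_domain not in TRUSTED_DOMAINS:
        findings.append(("external_sender", f"{name!r} sends from external address {addr!r}"))

    # 2. Links: the href is what a mouse-hover reveals; compare it with the visible text.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        href_dom = registrable_domain(href_host)
        if text.startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
            if registrable_domain(text_host) != href_dom:
                findings.append(("link_text_mismatch", f"text shows {text_host} but link goes to {href_host}"))
        if href_dom not in TRUSTED_DOMAINS and any(t in href_host for t in TRUSTED_DOMAINS):
            findings.append(("trusted_name_in_subdomain", f"{href_host} embeds a trusted name but registers as {href_dom}"))
        if is_lookalike(href_dom):
            findings.append(("lookalike_link", f"{href_host} resembles a trusted domain"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

Run against the constructed message, the script flags the sender (the domain uses a digit 1 in place of the letter l), and flags the first link twice: its visible text names the trusted domain while the hover target is a different registered domain, and that target hides the trusted name inside a subdomain. The second link, whose target really is the trusted domain, produces nothing. Note that a clean result from a script like this says nothing about a compromised legitimate account, which is why the out-of-band verification described later still matters.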
WATCH FOR URGENT, EMOTIONALLY BASED ACTION REQUESTS
Nearly every spear-phishing email has a “call to action”: a message that prompts you to do something, such as click a link, transfer money, alter information, share sensitive information, or confirm certain details. It will usually be time sensitive, and it will typically use either a positive motivator (you’re the only one we can count on to get this done) or a negative motivator (there are huge consequences for the company if we don’t make this happen), designed to play on emotions such as excitement, pride, or fear. When these elements are present, be extra vigilant.
USE “OUT-OF-BAND” VERIFICATION FOR ATYPICAL OR EVEN ROUTINE REQUESTS
Many of the claims we see that started as a spear-phishing email could have been prevented with what is called ‘out-of-band’ confirmation: validating a request through a different channel (e.g. by phone or in person). Use a phone number you already have on file or from your own directory, never one supplied in the email itself, since the fraudster will happily answer that one. People tend to shy away from picking up the phone or speaking to people in person to verify a request. We don’t want to bother them or risk being seen as overly cautious or hesitant when making decisions. Don’t assume that only large requests might be fraudulent: small fraud losses can be painful, and fraudsters know they have a better chance of success with smaller requests. Additionally, many losses are caused by the modification of rather basic or routine pieces of information, such as a request to change key contact information at a vendor or to update banking details. When in doubt, pick up the phone.
Whether the fraudster’s objective is to gain unauthorized access to your computer system or induce a fraudulent transfer of funds, a heightened awareness of spear-phishing by all of your employees is essential to protecting your organization.
Consult your broker about an insurance solution that’s right for you or for more information, please visit our website and connect with us.
Joshua Laycock is The Guarantee’s National Fidelity Product Manager responsible for the maintenance and development of underwriting standards, product innovation and supporting strategies for one of Canada’s largest Fidelity insurance portfolios. He started his career over 10 years ago working with a multi-national insurance brokerage in Toronto as a broker and client executive in the Financial Institution and Professional Services industry practice before moving to the company side five years ago. He has a B.Comm from the University of Toronto and holds the Chartered Insurance Professional (CIP) and Registered Professional Liability Underwriter (RPLU) designations.
Please be reminded that the following blog/article is intended to be used for informational purposes only and nothing contained herein shall be deemed to provide legal, technical or other professional advice or to represent actual or potential coverage under any insurance contract. At all times, the specific issued policy in its entirety including all definitions, conditions and exclusions is to be used when determining the scope of potential coverage under The Guarantee insurance products. The Guarantee Company of North America disclaims all warranties whatsoever.