50% of organizations were victims of spear phishing attacks in 2022, with the average business receiving five highly personalized phishing emails per day. More alarming still, the average cost of a data breach rose from $4.24 million in 2021 to $4.35 million in 2022. Read on to find out about examples of spear phishing attacks and how to detect and block them.
As the threat of fraud grows, companies must ensure they spot the signs quickly to prevent this type of attack. Trustpair blocks the financial effects of spear phishing by continuously controlling payments and blocking suspicious payments from unknown parties. Contact an expert to learn more!
What is spear phishing and how does it work?
A definition
Spear phishing describes a highly targeted attack in which fraudsters attempt to obtain money or sensitive information from a specific company, team or individual. It falls under the broader category of phishing, which can be defined as a more generalized impersonation ruse designed to dupe employees into taking an action the attacker wants. Usually, the scammer combines social engineering tactics with email to commit this type of online fraud.
Spear phishing takes this one step further. These criminals have thoroughly researched your company and its leadership team, and they know which real suppliers you work with. They may also have compromised a mailbox or planted malware in your environment beforehand, giving them insight into how you operate and letting them mimic exactly how certain members of staff write, so that their attack looks realistic.
Spear phishing attackers are highly organized, and are more likely to time their fraud attempt for when your team is under pressure, or for when you would normally expect to hear from a third party. For example, they could wait until the last day of the month to send a false invoice, because they know that your real supplier usually invoices on that day. For this reason, antivirus software alone is not enough to protect your business from this type of attack. To avoid getting phished, companies need to combine security awareness training with process controls on payments.
Example of a spear phishing email
The following is an example of a spear phishing email targeting an accounts payable employee:
Subject Line: Change of Bank Details
Body:
Dear [name of your employee],
Please find attached a copy of the most recent invoice, dated [last day of the month]. Please note that we recently switched banking providers from [name of their real bank] to [name of new bank] and have included the new account details on this invoice.
We appreciate your swift payment and have recently implemented an early payment discount for all of our partners. If paid within 24 hours of receiving the invoice, we will automatically deduct 10% from the bill.
Many thanks,
[name of real contact at Supplier].
This is a typical example of an attacker using social engineering techniques, and the fraudster has clearly done their research. They know the name of your employee, the real bank used by the supplier, and the name of your regular contact at the supplying company. They waited until the last day of the month so that this invoice arrives alongside the genuine ones, hoping the email blends in with the commotion of month-end.
What’s more, the criminal uses an incentive (a discount for paying within 24 hours) to lure the payee into paying quickly, leaving no time to verify the new bank details. Urgency combined with a reward is a common tactic for putting pressure on the victim.
Without steps in place to detect and prevent fraud, employees are likely to follow through with this type of malicious request, and both the business’s finances and reputation can suffer.
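The red flags listed above (a change of bank details, a short deadline, a discount for paying fast, month-end timing and a sender who is not who they claim to be) can be checked mechanically before an invoice reaches a payer. The following Python is an added illustration written for this page, not code from the original article or from Trustpair: it scores a constructed version of the email above. The sender address, supplier domain, contact name, thresholds and rule weights are all assumptions chosen for the example.

```python
from __future__ import annotations
import calendar
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: the email from the section above, with headers added for the
# example. The supplier domain, contact and sender address are assumptions; note the
# lookalike domain in the sender address (digit "1" in place of the letter "l").
KNOWN_SUPPLIER_DOMAIN = "acme-supplies.example"
KNOWN_CONTACT_NAME = "Jane Doe"

SAMPLE_EMAIL = {
    "from_name": "Jane Doe",
    "from_addr": "jane.doe@acme-supp1ies.example",
    "subject": "Change of Bank Details",
    "received": date(2023, 3, 31),
    "body": (
        "Dear Alex,\n"
        "Please find attached a copy of the most recent invoice, dated 31 March. "
        "Please note that we recently switched banking providers from First Bank "
        "to New Bank and have included the new account details on this invoice.\n"
        "We appreciate your swift payment and have recently implemented an early "
        "payment discount for all of our partners. If paid within 24 hours of "
        "receiving the invoice, we will automatically deduct 10% from the bill.\n"
        "Many thanks,\nJane Doe"
    ),
}


@dataclass
class Finding:
    rule: str
    weight: int
    detail: str


def is_month_end(d: date, window_days: int = 1) -> bool:
    """True if the date falls within the last `window_days` days of its month."""
    last_day = calendar.monthrange(d.year, d.month)[1]
    return last_day - d.day < window_days


def score_email(mail: dict, supplier_domain: str, contact_name: str) -> list[Finding]:
    """Return the social-engineering indicators found in one invoice email."""
    findings: list[Finding] = []
    text = f"{mail['subject']}\n{mail['body']}".lower()

    # 1. A request to redirect payment: "new/changed/switched ... bank/account/IBAN".
    if re.search(r"\b(new|changed?|switch(ed)?|updated?)\b[^.\n]{0,60}"
                 r"\b(bank(ing)?|account|iban|routing)\b", text):
        findings.append(Finding("bank_detail_change", 40, "payment destination change requested"))

    # 2. Time pressure: a deadline measured in hours, or two days or less.
    m = re.search(r"within\s+(\d+)\s*(hours?|days?)", text)
    if m and (m.group(2).startswith("hour") or int(m.group(1)) <= 2):
        findings.append(Finding("urgency", 20, f"deadline: within {m.group(1)} {m.group(2)}"))

    # 3. A financial incentive for paying quickly.
    if re.search(r"(discount|deduct\s+\d+%|early\s+payment)", text):
        findings.append(Finding("incentive", 15, "reward offered for fast payment"))

    # 4. Delivery timed to the month-end invoicing rush.
    if is_month_end(mail["received"]):
        findings.append(Finding("month_end_timing", 10, "received in month-end window"))

    # 5. Known contact's display name on an address outside the supplier's domain.
    domain = mail["from_addr"].rsplit("@", 1)[-1].lower()
    if mail["from_name"].lower() == contact_name.lower() and domain != supplier_domain.lower():
        findings.append(Finding("sender_domain_mismatch", 30, f"{domain!r} is not {supplier_domain!r}"))

    return findings


def triage(mail: dict, supplier_domain: str, contact_name: str, hold_at: int = 50):
    """Score the email; anything at or above `hold_at` is held for out-of-band verification."""
    findings = score_email(mail, supplier_domain, contact_name)
    score = min(100, sum(f.weight for f in findings))
    verdict = "hold_for_verification" if score >= hold_at else "route_normally"
    return score, verdict, findings


if __name__ == "__main__":
    score, verdict, findings = triage(SAMPLE_EMAIL, KNOWN_SUPPLIER_DOMAIN, KNOWN_CONTACT_NAME)
    print(f"score={score} verdict={verdict}")
    for f in findings:
        print(f"  [{f.rule}] {f.detail}")
```

Any single indicator can occur in a legitimate email (suppliers do change banks, and discounts do exist), which is why the score accumulates several weak signals rather than blocking on one. The only safe response to a held email is a call to the supplier on a phone number already on file, never one taken from the email itself.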
4 examples of spear phishing
Phishing is widely reported as the most common entry point for data breaches, with some industry figures attributing up to 90% of breaches to it; spear phishing is the targeted form of that threat. So what should you look out for in your day-to-day work to avoid being phished?
Here are four key examples of spear phishing, with real-life situations and consequences. It’s important to learn how criminals target companies like yours so you can spot the signs in your own workplace:
- CEO fraud
- Invoice fraud
- Bank transfer fraud
- Employee fraud (aka internal fraud)
CEO fraud
CEO fraud refers to the impersonation of a CEO or another senior executive in a fake email sent to the employees with the power to make a transfer. It plays on authority and hierarchy: employees are eager to respond quickly to an urgent request from the top.
CEO fraud usually targets mid-level managers or senior members of staff, as they are more likely to have the authority to approve payments or share confidential information. Both of these factors contribute to the threat, and CEOs themselves are reported to be 9 times more likely to be impersonated or targeted than any other member of the organization.
A real life example: the Xoom fraud
Unfortunately, this type of spear phishing campaign happens quite often. A CEO-fraud attack hit the money-transfer company Xoom in late 2014. The company disclosed in January 2015 that its fourth-quarter 2014 results would include a one-off charge of about $30.8 million as a consequence.
It happened because fraudsters impersonated a senior employee (not named by the company) and requested transfers to overseas accounts, which the finance department carried out. The CFO resigned shortly after the loss was disclosed.
Invoice fraud
Invoice fraud is another phishing scam, in which criminals impersonate a known supplier in order to get an invoice paid to bank details they control.
Typically, the fraudsters compromise a mailbox on either side of the relationship, intercept a real invoice and change only the bank details. Or they spoof the supplier’s email address, or register a lookalike domain, and start a whole new thread. In other cases, such as Levitas Capital (described under bank transfer fraud below), the attackers first get malware onto the victim’s own systems and then send the fraudulent invoices from inside.
A real life example: the Facebook and Google fraud
Even the giants can be targeted by spear phishing attempts, and without the right controls in place, they can fall victim to cyber-criminals.
Facebook and Google had a mutual supplier, Quanta Computer, a hardware manufacturer based in Taiwan. Between 2013 and 2015, a Lithuanian fraudster impersonated this supplier using a company registered under the same name and forged emails, invoices and contracts, and sent false invoices to both companies. This led to losses of roughly $23 million for Google and about $99 million for Facebook, more than $120 million in total.
He was later extradited to the United States and pleaded guilty to wire fraud. Both companies said they recovered most of the money, but only after it had already been wired overseas and through legal proceedings in several countries.
Bank transfer fraud
Bank transfer fraud happens when criminals hack into a company’s systems or accounts and send funds to themselves. Reported losses from wire transfer fraud have grown year on year, and spear phishing techniques only make that number likely to grow further.
In some cases, the fraudsters’ target is sensitive company information that will allow them to gain access to your bank account and make a transfer, undetected. So it’s important to consider how your company protects its data to prevent it from being compromised, and keeps the finances safe.
A real life example: the Levitas Capital fraud
In 2020, just as it seemed like organizations were getting used to remote working, Australian hedge fund Levitas Capital was dealt an unrecoverable blow.
Co-founder Michael Fagan is reported to have clicked on a fake Zoom invitation, which installed malware on the firm’s systems undetected. With access to the firm’s email, the attackers then sent a series of fraudulent invoices and payment instructions totalling around $8.1 million AUD.
But Levitas Capital’s payments went through a fund administrator that had to approve all transfers and was responsible for protecting investors: so how did the criminals get away with it?
By relying on weak cybersecurity controls, and on a verification step that was itself carried out over the compromised channel.
The administrator actually called the co-founder to check a payment before it was released, but he was at the gym and asked them to call back before any transactions were approved. The attackers, who already had access to the firm’s mailbox from the initial malware infection, then sent the administrator an email from inside the Levitas system, impersonating Mr Fagan and approving the transaction.
It was not until later that morning, when the co-founder himself spotted a $1.2 million AUD transfer to an unrecognized third party, that the alarm was raised – but by then it was too late. The firm closed its doors just two months after the spear phishing attack, having lost its largest client.
Employee fraud (internal fraud)
Employee fraud, also known as internal fraud, is committed by trusted insiders. But not every company is equally susceptible to internal fraud; it takes the right set of conditions.
The fraud triangle explains these conditions through the lens of motivational factors. The three points of the fraud triangle that propel somebody to commit fraud are:
- Opportunity: the organization has a lack of controls, poor policies, or no oversight of the processes that could be exploited by fraudsters
- Pressure: the individual might have personal debts, feel vilified by their boss or the company culture, or fear that they won’t meet company targets to make their desired income amount
- Rationalization: the individual believes they will get away with the crime, or that they’re not a bad person – they have simply been driven to this “one-time” desperate situation
Instead of focusing defenses solely on external threats, companies must remember that internal processes (segregation of duties, independent approval and oversight of payments) are what remove the opportunity for this type of fraud.
A real life example: the Frank fraud
In early 2023 it came to light that a startup founder had fabricated a customer roster of more than 4 million fake customers.
Charlie Javice, the founder of the student-finance startup Frank, sold her business to JPMorgan Chase in 2021 for $175 million. At the time, Frank had around 300,000 customers, but she told the bank it had more than 4 million.
By studying JPMorgan’s due diligence process, the founder was able to tailor the deception to it and sell the lie. She had a synthetic customer list generated (with non-existent customers) and combined real and made-up data to make it look believable. It included information such as:
- Names
- Addresses
- Dates of birth and more
Even more worrying, the list was passed through a third-party data vendor for validation, which made it look more credible to the acquirer.
Unfortunately, JPMorgan completed the acquisition, and it wasn’t until the bank sent a marketing email campaign to the supposed customers and saw extremely low delivery and open rates that it checked the customer data and realized it was false.
How can you protect your business against it?
Even if they’re not successful at extracting funds, fraudsters can exploit much of the information they gather during an attack. For example, scammers might sell the information obtained in a phishing attack on the dark web. Or they could use it to scam your partners into paying false invoices in your name, leading to severely damaged professional relationships.
But the consequences of spear phishing are preventable.
Detection starts with proper due diligence, such as verifying any payment-related request that arrives by email through a separate channel (a phone call to a number already on file) before taking action. Moreover, cybersecurity and fraud awareness training for staff members raises suspicion when phishing attempts occur. Frequent training helps team members recognize the patterns of phishing scams and social engineering attacks.
Additionally, phishing prevention relies on strong internal controls and policies as well as technical cybersecurity measures. For example, a double approval system ensures that any payment request must be approved by two separate senior team members, in line with the four-eyes principle, and that the person who raised the request cannot be one of the approvers. This makes it much harder for a fraudulent payment request to be approved when red flags exist.
The most reliable approach when cybercriminals try to steal, however, is automated anti-fraud software, like Trustpair. We work in real time to validate the match between supplier information and banking details, making sure you’re actually paying the right party. Before any transaction is executed, we double-check this match to block any suspicious payment.
Trustpair has so far secured over $100 million of payments with zero successful cases of fraud.
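The two controls described above, checking an outgoing payment against the vetted vendor master and enforcing four-eyes approval, can be expressed as a single release decision. The following Python is an added illustration written for this page; it is not Trustpair’s code or the original article’s. The vendor master, the IBANs (the standard GB and DE example IBANs), the approver names and the rule that a changed bank account needs a recorded call-back are all assumptions of the example. The IBAN mod-97 checksum is included because it catches mistyped or hand-edited account numbers cheaply before any other check runs.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """A vendor as recorded in the master file after out-of-band onboarding checks."""
    vendor_id: str
    name: str
    iban: str
    contact_domain: str


@dataclass
class PaymentRequest:
    vendor_id: str
    payee_name: str
    iban: str
    amount: float
    requested_by: str
    approvals: list[str] = field(default_factory=list)
    # Who confirmed a change of bank details by phone (assumption: a call-back record).
    callback_verified_by: Optional[str] = None


# Constructed vendor master with the well-known example IBAN (sample data, not a real account).
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Acme Supplies Ltd", "GB29NWBK60161331926819", "acme-supplies.example"),
}


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    expand letters to digits (A=10 ... Z=35) and the number must be 1 mod 97."""
    s = normalize_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def evaluate_payment(req: PaymentRequest, master: dict[str, VendorRecord],
                     required_approvers: int = 2) -> tuple[str, list[str]]:
    """Return ("RELEASE", notes) or ("BLOCK", reasons) for one payment request."""
    reasons: list[str] = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return "BLOCK", [f"vendor {req.vendor_id!r} is not in the vendor master"]

    # 1. Structural check on the account number itself.
    if not iban_checksum_ok(req.iban):
        reasons.append("IBAN fails the mod-97 checksum")

    # 2. Supplier identity and banking details must match the vetted record.
    if req.payee_name.strip().lower() != vendor.name.lower():
        reasons.append(f"payee name {req.payee_name!r} does not match vendor master {vendor.name!r}")
    details_changed = normalize_iban(req.iban) != normalize_iban(vendor.iban)
    if details_changed and req.callback_verified_by is None:
        reasons.append("bank details differ from vendor master and no call-back verification is recorded")

    # 3. Four-eyes: distinct approvers, none of whom is the requester or the
    #    person who recorded the call-back (the verifier must not also approve).
    approvers = set(req.approvals)
    approvers.discard(req.requested_by)
    approvers.discard(req.callback_verified_by)
    if len(approvers) < required_approvers:
        reasons.append(f"four-eyes: need {required_approvers} independent approvers, have {len(approvers)}")

    if reasons:
        return "BLOCK", reasons
    note = "bank details changed but verified by call-back" if details_changed else "bank details match vendor master"
    return "RELEASE", [note, f"approved by {', '.join(sorted(approvers))}"]


if __name__ == "__main__":
    # The scenario from the example email: a "new" IBAN arrives with the invoice.
    req = PaymentRequest("V-1001", "Acme Supplies Ltd", "DE89 3704 0044 0532 0130 00",
                         12_500.00, requested_by="alex", approvals=["dana", "sam"])
    print(evaluate_payment(req, VENDOR_MASTER))
```

The important design point is that a mismatch against the vendor master is never resolved by the email that introduced it: the only thing that clears it is a recorded call-back to a number held on file, performed by someone who is then excluded from the approval chain. Two approvers and a verifier are three distinct people, which is exactly the separation that was missing in the Levitas case, where the administrator’s confirmation travelled over the attacker-controlled mailbox.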
Summary:
Spear phishing relies on highly researched, personalized tactics to pressure employees into revealing company secrets or transferring funds. Four common forms are CEO fraud, invoice fraud, bank transfer fraud and employee fraud. Detect and prevent spear phishing with out-of-band verification, four-eyes approval, and automatic account validation software like Trustpair.