How to Protect Your Organization from Spear Phishing Scams
The recent revelation that the treasurer of the City of Ottawa unwittingly paid nearly US$100,000 to a phony supplier highlights the danger of spear phishing scams.
The Office of the Auditor General of the City of Ottawa recently released its findings on how the City fell victim to a common fraud scheme in which US$97,797 was transferred to the account of a phony supplier. The Office of the Auditor General found that on July 6, 2018 at 10:29 am, the City Treasurer received an email that appeared to come from the City Manager. This email turned out to be spoofed: it purported to come from the City Manager but in fact came from a fraudster. It requested that a wire transfer of US$97,797.20 be processed to complete an acquisition. On the same day, between 10:29 am and 2:34 pm, the City Treasurer and the fraudster emailed back and forth to finalize the wire transfer. By 2:34 pm on July 6, 2018, just 4 hours after the initial email, the fraudster acknowledged receiving the money.
A few days later, on July 11, 2018, the fraudster, again using the spoofed City Manager address, emailed the City Treasurer asking for an additional US$154,238 to be released as the balance payment. After the July 6, 2018 transfer, the City Treasurer had only emailed the City Manager (at his real address this time, not the spoofed one) to confirm that the transfer was completed. For the July 11, 2018 request, however, the City Treasurer discussed the matter in person with the City Manager, who said he had no knowledge of this request or the previous one. As a result, the two incidents were submitted for investigation.
According to the Office of the Auditor General, the City of Ottawa had been the target of an earlier spear phishing attempt in the spring of 2018. In that failed attempt, a spoofed email purporting to come from the CEO of the Ottawa Public Library was sent to the City Treasurer requesting a wire transfer of funds. No money was sent: a member of staff in the City’s Treasury Branch contacted the Ottawa Public Library CEO for additional details, and she responded that she had not sent the original email. The incident was, however, not reported.
On August 3, 2018, the U.S. Secret Service contacted the City of Ottawa to say that City funds had ended up in a bank account the agency had been monitoring for fraudulent activity. According to the Office of the Auditor General, nearly US$88,000 was seized by the U.S. Government from that account; however, that amount represents proceeds not just from the City but from other targets as well. As such, it is unclear how much, if any, the City of Ottawa might eventually recover.
How Spear Phishing Scams Work and How They Can Be Prevented
Spear phishing, also known by names such as whaling, fake CEO scam and Business Email Compromise (BEC), is a type of cyberattack that uses email as its weapon. While phishing in general reaches many people at once and targets them at random, spear phishing scams are far more targeted in their approach.
Spear phishing emails look as if they come from someone within the organization, typically a member of top management or an executive such as the CEO. The recipients, meanwhile, are those who have the authority to release sensitive information or to process wire transfers.
Fraudsters running spear phishing scams scour the internet, including social media accounts and websites, for information about their target: who has the authority to order the release of funds, and who actually releases them. In the City of Ottawa case, the scam specifically targeted the City Manager and the City Treasurer.
According to the Federal Bureau of Investigation (FBI), between October 2013 and May 2018, Business E-mail Compromise (BEC) fraudsters earned a total of US$12.5 billion from 78,617 reported incidents worldwide.
Spear phishing scams, however, succeed only in organizations with loose rules when it comes to releasing funds via wire transfer. In the case of the City of Ottawa attack, the Office of the Auditor General found “dangerous control weaknesses” in the wire transfer process.
“Any one of five authorized individuals [at the Treasury Branch] could on their own both create and release a wire transfer up to $25 million,” the Office of the Auditor General said. “This represented a very dangerous control weakness.” The Office of the Auditor General noted that this control weakness has since been corrected.
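The control weakness quoted above is the absence of segregation of duties: one person could both create and release a transfer. The following is an added illustration of the two controls that close that gap, written for this page rather than taken from the City of Ottawa or the Auditor General: the creator of a transfer can never release it, and no release happens until someone other than the creator has recorded an out-of-band confirmation of the request. The five user names and the beneficiary are constructed sample values.

```python
"""Dual-control wire transfer release (constructed, illustrative example).

Controls enforced:
  1. Segregation of duties: whoever creates a transfer can never release it.
  2. Out-of-band verification: the request must be confirmed through a channel
     other than the email that carried it (in person, or by a pre-agreed code
     phrase), by an authorized person other than the creator, before release.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of five authorized Treasury users (assumed names).
AUTHORIZED = {"alice", "bob", "carol", "dave", "erin"}


class ControlViolation(Exception):
    """Raised when an action would breach a payment control."""


@dataclass
class WireTransfer:
    amount_usd: float
    beneficiary: str
    created_by: str
    verified_by: Optional[str] = None   # who confirmed the request out of band
    released_by: Optional[str] = None   # who released the funds


def create_transfer(amount_usd: float, beneficiary: str, user: str) -> WireTransfer:
    """Any authorized user may create a transfer; creating never releases funds."""
    if user not in AUTHORIZED:
        raise ControlViolation(f"{user} is not authorized to create transfers")
    return WireTransfer(amount_usd, beneficiary, user)


def record_verification(transfer: WireTransfer, user: str) -> WireTransfer:
    """Record that an authorized person other than the creator confirmed the
    request with the purported requester outside of email."""
    if user not in AUTHORIZED:
        raise ControlViolation(f"{user} is not authorized to verify transfers")
    if user == transfer.created_by:
        raise ControlViolation("creator cannot verify their own transfer")
    transfer.verified_by = user
    return transfer


def release_violation(transfer: WireTransfer, user: str) -> Optional[str]:
    """Reason the release must be refused, or None when all controls are met."""
    if user not in AUTHORIZED:
        return f"{user} is not authorized to release transfers"
    if user == transfer.created_by:
        return "segregation of duties: creator cannot release"
    if transfer.verified_by is None:
        return "request not verified out of band"
    if transfer.released_by is not None:
        return "transfer already released"
    return None


def release_transfer(transfer: WireTransfer, user: str) -> WireTransfer:
    """Release funds only when a second authorized user approves a verified request."""
    reason = release_violation(transfer, user)
    if reason:
        raise ControlViolation(reason)
    transfer.released_by = user
    return transfer


if __name__ == "__main__":
    # Walk through the lifecycle with constructed values.
    t = create_transfer(97797.20, "Phony Supplier Ltd", "alice")
    for attempt in ("alice", "bob"):
        print(attempt, "->", release_violation(t, attempt))
    record_verification(t, "bob")
    release_transfer(t, "carol")
    print("released by", t.released_by)
```

With these checks in place, a single spoofed email to one authorized person is not enough: a second person must have spoken to the real requester, and a third must approve the release.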
Cybersecurity Best Practices
The best defense against spear phishing, whaling, fake CEO scams and Business Email Compromise (BEC) attacks is to verify the wire transfer request. Be wary of wire transfer requests based on email alone. It is important to establish a secondary means of communication for verification, preferably in person.
The FBI cautions against relying on phone verification alone, as some victims report that they were unable to distinguish fraudulent phone conversations from legitimate ones. One way to counter this, the FBI said, is to establish code phrases known only to the two legitimate parties.
In the case of the City of Ottawa, the Office of the Auditor General recommends stronger control procedures for the wire transfer process, staff training to identify spoofed emails, and an automated process that identifies external emails received by staff and displays this to the recipient in an obvious manner.
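The last recommendation, flagging external email in an obvious way, is straightforward to implement at the mail gateway. The following added example, not code from the page or from the City of Ottawa, shows the core logic on two constructed messages: it tags any message whose From address is outside the organization's own domain, and it raises a stronger warning when an external address carries the display name of an internal executive, which is exactly the pattern described in the Ottawa case. The organization domain (example.org), the executive directory and both sample messages are assumptions built for the demo.

```python
"""Flag external and executive-impersonating email before it reaches the recipient.

Constructed example. The organization's domain, the executive directory and the
two sample messages are assumptions made for this demonstration.
"""
import email
from email.utils import parseaddr
from typing import List

# Assumed: the organization's own sending domain(s).
INTERNAL_DOMAINS = {"example.org"}

# Assumed: display names of executives whom fraudsters are likely to impersonate,
# mapped to their genuine internal addresses.
EXECUTIVE_DIRECTORY = {
    "city manager": "city.manager@example.org",
}


def classify(raw_message: str) -> List[str]:
    """Return the warnings that apply to the message (empty list means none)."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    warnings: List[str] = []

    if from_domain not in INTERNAL_DOMAINS:
        # The recommended control: make external origin obvious to the recipient.
        warnings.append("EXTERNAL SENDER")
        # A familiar executive's name on an outside address is the classic BEC pattern.
        genuine = EXECUTIVE_DIRECTORY.get(display_name.strip().lower())
        if genuine and genuine.lower() != from_addr.lower():
            warnings.append(
                f"display name '{display_name}' matches an internal executive "
                f"but the address is {from_addr}"
            )

    # A Reply-To that differs from From steers the conversation elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    return warnings


def tag_subject(raw_message: str) -> str:
    """Subject line as the recipient should see it: prefixed whenever a warning fires."""
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    return f"[EXTERNAL] {subject}" if classify(raw_message) else subject


# Constructed sample: a lookalike outside domain carrying the City Manager's name.
SPOOFED = """From: City Manager <city.manager@example-mail.com>
To: treasurer@example.org
Subject: Urgent wire transfer for acquisition

Please process the wire transfer today and confirm by email.
"""

# Constructed sample: the same display name from the genuine internal address.
GENUINE = """From: City Manager <city.manager@example.org>
To: treasurer@example.org
Subject: Budget meeting

See you at 3 pm.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        print(tag_subject(raw), classify(raw))
```

In production the same checks run as a gateway or transport rule, and the warning text is injected into the message body or a banner rather than only the subject; the point is that the recipient sees the external origin without having to inspect the raw address themselves.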