Don’t be a hogfish. If you have ever been spearfishing, you know that hogfish make for easy targets. These amber colored reef dwellers, adorned with coral-like latticework along their heads and across their abnormally long snouts, suffer from a terrible sense of false security.
Typical predators they can identify. But a human toting a spear gun? That’s a curiosity, one the hogfish often finds worthy of a slow tilt of its body and a long sideways stare – perfectly positioned for a kill shot.
Are You A Target?
In the world of finance, spear-phishing (with a “ph”) poses a serious threat, and those unprepared to defend against such attacks pay a terrible price. Spear-phishing is defined as “[t]he fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.”1 The practice is already pervasive…and growing. The APWG, an international coalition dedicated to responding to cybercrime, reported over 1.2 million phishing attacks in 2016, a 65% increase over 2015.2 It’s difficult to determine just how many of those general phishing attacks constituted spear-phishing, but recent studies suggest that 91% of cyber attacks start with a spear-phishing email.3 These numbers should alarm participants in every industry, but those in the financial industry are particularly valuable targets and squarely in the crosshairs of cyber criminals.
Just last month, sophisticated hackers specifically targeted corporate executives that file Form 10-K’s with the Securities and Exchange Commission.4 The email purported to be from EDGAR, the SEC’s filing service, and the sender’s email address showed up as “filings@SEC.gov.” The fraudulent email included a malicious attachment entitled “Important Changes to Form 10-K.” The attack prompted the SEC to release a statement notifying all EDGAR filers about the scam and warning that “[c]licking on the attachment(s) results in an attempt to install malware designed to obtain unauthorized access to the recipient’s computer and/or network.”5 Emails like this are effective because they target the very people who would expect to receive such a message. In this instance, the hackers targeted past EDGAR filers and employees with titles like “SEC Reporting Manager.”6
One can hardly fault individuals who fall for such pinpointed attacks. After all, conducting business in the modern economy requires an enormous amount of online activity and reliance on multiple technology platforms. However, individual failures can wreak havoc on the larger organizations of which they are a part. Ask Hillary Clinton, whose presidential campaign was ravaged by leaked emails obtained by hackers after campaign manager John Podesta clicked on a malicious link purportedly from Google.7 Or Yahoo, and its 500 million users who suffered data breaches when a single Yahoo employee fell victim to a spear-phishing attack.8 These high-profile attacks illustrate a broader point that applies to every participant in every industry: train your employees.
Foster a Culture of Cyber Awareness
At WealthForge, we follow a comprehensive cybersecurity framework that includes regular training for every team member. These training sessions increase awareness about cyber threats and stimulate quality discussions about what we, as an organization, can do better to protect the company, our partners, and our clients.
In addition to employee training, consider the following steps to combat spear-phishing and other cyber threats:
- Formalize a comprehensive cybersecurity policy - Written guidelines establish structure, encourage compliance, and hold employees accountable.
- Develop a strong password policy - A good password policy establishes minimum standards, requires users to periodically change passwords, and implements a process to verify compliance.
- Employ firewalls and advanced detection systems - These preventative applications help hedge against employee-error by monitoring network traffic and detecting malicious software.
- Segregate networks and safeguard VPN access - In the event of a breach, segregation and encryption helps isolate and mitigate the damage.
- Conduct regular audits of employee compliance and practice penetration testing - Knowing the vulnerabilities in your cyber environment is key to combating breaches.
- Implement and test an Incident Response Plan - Increased efficiency in the face of a cyber attack is paramount to limiting the resulting damage.
These are just a handful of practical steps that can help set the course for a more secure cyber environment. The rise of spear-phishing and its recent impact on organizations ranging from the SEC to Hillary for America highlight the ever-evolving nature of cyber threats. The first step to combating these sophisticated attacks is recognizing the threat and adapting to the new reality. Anything less could leave you, and your clients, perfectly positioned for that kill shot.
Download the Broker Registration Requirement E-Book
1 Oxford Dictionary, https://en.oxforddictionaries.com/definition/spear_phishing.
2 Phishing Activity Trends Report: 4th Quarter 2016, APWG (2016), available at http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf.
3 See, e.g., Enterprise Phishing Susceptibility and Resiliency Report, PhishMe, Inc. (2016), available at https://phishme.com/2016-enterprise-phishing-susceptibility-report.
4 Kristyn Hyland, Don’t Go Phishing for a New Form 10-K, Bloomberg BNA (March 9, 2017), https://www.bna.com/dont-go-phishing-b57982084973.
5 Notice Regarding Phishing Scam Targeting EDGAR Filers, U.S. Securities and Exchange Commission (March 8, 2017), https://www.sec.gov/oit/announcement/notice-regarding-phishing-scam-targeting-edgar-filers.html.
6 Jeff John Roberts, Fake SEC Emails Target Execs for Inside Information, Fortune (March 7, 2017), http://fortune.com/2017/03/07/sec-phishing.7 See Steve Kovach, FBI: Russian Hackers Likely Used a Simple Phishing Email on a Yahoo Employee to Hack 500 Million User Accounts, Business Insider (March 16, 2017), http://www.businessinsider.com/fbi-yahoo-hackers-used-spear-phishing-email-gain-access-500-million-accounts-2017-3.
Disclaimer: WealthForge provides this information to our clients and other friends for educational purposes only. It should not be construed or relied upon as legal advice.