Phishing emails sent to business users are nothing new. They appear to come from legitimate businesses and ask the recipient to enter some type of information or click on a link. Although they look real, they are really gathering personal or business data for nefarious purposes.

In Northeast Ohio, we’re seeing an increase in phishing emails requesting account transfers. This is especially concerning because the requests are sent to the company’s finance person in what appears to be a legitimate email from the CEO. Without proper diligence, you could be handing over your account information to a cybercriminal.

Here’s how it works:

Bad actors use public sources, such as the company website, LinkedIn, and even Facebook, to determine the chain of command. They specifically look for the finance person and the CEO (often, these email addresses are available on the company website). Then they “spoof” an email from the CEO to the CFO to try to get your account number. Once they have that, your account will be drained. Remember, these fraudulent emails LOOK REAL.

What to do if you receive an email requesting financial information or an account transfer (even if it looks legitimate):

Always make a phone call or start a new email to ask the sender whether the request is legitimate; do NOT reply to the original email. You might also check with your bank: let them know that you are the target of a spear phishing attack and want to do all you can to protect the banking assets. They will likely have some tools available that can offer protection.

Additional suggestions:

  • Create an internal policy that ACH/wire bank transfers must have verbal verification from two internal people. This prevents an email alone from triggering a bank transfer.
  • This is not new, but it is worth repeating: no user should ever put account information (routing numbers, account numbers, banking information, credit card details, etc.) in an email.
  • There are a number of technology tools that can help you gain extra protection beyond anti-virus, anti-malware and regular patching. Talk with your IT advisor to learn more.
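As an added illustration of the kind of technical control the last bullet refers to (example code written for this page, not from the original post or from any vendor product): a small Python check that holds a message for phone verification when an executive’s display name arrives from an address other than the one on file, or a Reply-To quietly redirects replies to another domain, and the message asks for a wire, ACH or account details. The executive directory, domains and sample message are assumptions.

```python
"""Flag email that impersonates an executive and asks for a funds transfer.
The executive directory, domains and sample message below are constructed
assumptions for illustration, not data from the article."""
import re
from email import message_from_string
from email.utils import parseaddr

EXECUTIVES = {"jane doe": "jane.doe@example-co.com"}  # assumed directory
TRANSFER_RE = re.compile(r"\b(wire|ach|transfer|account number|routing)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_anomalies(raw_message: str) -> list[str]:
    """Return reasons the sender looks forged (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # Executive's display name, but not the address we have on file for them.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' used with unexpected address {addr}")
    # Reply-To silently sends the finance person's reply to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To points to another domain: {reply_to}")
    return reasons


def requests_transfer(raw_message: str) -> bool:
    """True when the subject or body asks for a payment or account details."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    return TRANSFER_RE.search(f"{msg.get('Subject', '')}\n{body}") is not None


def is_bec_candidate(raw_message: str) -> bool:
    """Hold for out-of-band (phone) verification when both signals fire."""
    return requests_transfer(raw_message) and bool(sender_anomalies(raw_message))


# Constructed sample: a spoofed "CEO" request sent to the finance person.
SPOOFED = """\
From: Jane Doe <jane.doe@example-co-mail.com>
Reply-To: Jane Doe <ceo.janedoe@freemail.example>
To: cfo@example-co.com
Subject: Urgent wire transfer

Please send the wire today and reply with our account number.
"""
```

A genuine note from the same executive, sent from the address on file with no Reply-To and no payment request, produces no anomalies and is not held.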

While spam filters may keep some phishing attempts at bay, it is very difficult to keep spear phishing attempts from getting through because the emails are so carefully crafted. In general, always be vigilant with your email.