back to blog

Spear Phishing and CEO Fraud Hit HR: What You Need to Know

A spear fisherman in the ocean

It may sound fun, but spear phishing is a serious cybercrime that has robbed U.S. companies millions of dollars. One of the newest and costliest forms of spear phishing is CEO email fraud. Here’s how it works: An online scammer cloaks their email to look like the company’s CEO and then asks the HR department or other workers for W-2s, wire payments or other sensitive data. At face value, these emails look legit (here’s an example). And they rely on what is often a company’s weakest access point: humans.

“[This] latest iteration in social engineering involves multiple steps,” says Asaf Cidon, Vice President of Content Security Services at Barracuda Networks, explains for CSO Magazine. “The sophisticated cybercriminals don’t try to target company executives with a fake wire fraud out of the blue. Instead, they first infiltrate the organization, and then use reconnaissance and wait for the opportune time to trick their targets by launching an attack from a compromised mailbox.”

Locally, employee W-2 information from both The Austin Diagnostic Clinic Association and Rockdale Independent School District was compromised in 2017 by spear phishing scams. Employee records for the City of San Marcos were also compromised. And a remarkable $100 million was lost by two major tech companies (rumored to be Google and Facebook) to a Lithuanian scammer who used a combination of spear phishing techniques: executive email fraud and fake invoicing. Even The HT Group is hit regularly by attempted CEO email fraud, from requests for employee reward gift cards to fake contract PDFs.

Cidon says spear phishing often works because of who it targets: mid-level employees in sales, marketing, support, and operations. “These employees don’t receive cybersecurity training and are more susceptible to opening these types of emails,” he adds.

The IRS issued a special alert about these scams, which were part of a 400-percent surge in phishing and malware incidents recorded during the past tax season.

“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” cautions IRS Commissioner John Koskinen. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

Of course, that’s easier said than done. Harvard Business Review reports that no matter the size or the scope of an email breach, it’s usually caused by an action, or failure, of an employee (even a well-meaning one). And according to Trend Micro, a whopping 91% of these data breaches begin with a spear phishing email.

Companies like Barracuda and KnowBe4 offer solutions like filters and patches, training for employees and attack simulations. KnowBe4 even offers a free phishing security test, allowing companies to mock-phish up to 100 employees to see how vulnerable to attack they are. But, before going down that path, consider this advice by NS Tech contributors and security researchers Steven J. Murdoch and M. Angela Sasse. They point out that mock phishing can cause more harm than good when not handled correctly. If you conduct it in a “gotcha” manner, the mistrust, anxiety, and alienation it could cause will certainly threaten employee satisfaction. They recommend starting with well-engineered and promptly patched systems, phishing-resistant authentication credentials, compartmentalization of data, effective monitoring, and good backups to help mitigate the threat.

And of course, it doesn’t hurt to assure employees it’s OK to question the CEO, especially when asked to bypass normal security protocols. Picking up the phone or even sending a separate email to confirm the request could save your company thousands—maybe even millions.