Spear-phishing Criminals Target All Employees, Not Just Executives

A cybercriminal was able to obtain $2.6 million from the government of Puerto Rico using a phishing email.

On January 17, Puerto Rico's Industrial Development Company received an email containing fraudulent information about a change to the bank account for remittance payments. Unaware that this email was a phishing scam, the agency transferred $2.6 million to the new account. Agency officials eventually discovered they had been scammed by phishing tactics and contacted the Federal Bureau of Investigations. Government officials are now working to recover the lost funds.

It is unclear how the fraudulent email was discovered; however, an internal investigation is being conducted to ascertain whether the loss was due to negligence or failure to follow proper procedures. Danica Coto "Official: Puerto Rico govt loses $2.6M in phishing scam" 13wham.com (Feb. 12, 2020).

Commentary and Checklist

Cybercriminals have used phishing scams since the 1990s beginning with a group of hackers contacting people via the America Online messenger system to access personal information.

Since then phishing scams have become extremely sophisticated, allowing cybercriminals to bypass email security features and send personalized scams to targeted individuals. Phishing emails are now nearly indistinguishable from the reputable emails they copy.

Phishing attacks are responsible for 90 percent of data breaches and 15 percent of people successfully fooled by a phishing email are likely to be targeted again within the year. As technology evolves, cybercriminals adapt and find new ways to trick readers and gain access to sensitive company information.

An increasingly common tactic used by cybercriminals is personalized phishing emails or spear-fishing. The availability of information online has allowed cybercriminals to browse social media and learn how to craft the most convincing phishing email full of personal information to make their requests seem legitimate. By looking at social media, cybercriminals can determine the name, title, and employer of an individual as well as those they work for.

Using a technique to spoof the email address of a manager, IT staff member, or HR professional, scammers send a very personalized email to their target. Individuals are likely to fall for these scams because they appear to be from a trusted source with accurate information.

While it is common for cybercriminals to disguise themselves as an employee's manager to gain information, low-level employees are not the only people targeted by phishing emails. Cybercriminals will also target high-profile individuals in an organization or even government officials who have access to valuable information.

As organizations increase security features to prevent phishing emails, cybercriminals are developing new ways to get around them. The best way to prevent data loss is to use a proactive approach.

Therefore, in order to reduce the risks of phishing scams, organizations should:

  • Train employees regarding cybersecurity on a continuous basis
  • Remind employees to double-check email requests with the sender if an email seems suspicious or unusual
  • Install anti-phishing applications
  • Use strong firewall and network protections
  • Install antivirus and anti-malware software
Finally, your opinion is important to us. Please complete the opinion survey: