They might write just like your boss. They might even ask how your recent vacation went or congratulate you on your new promotion. But they might just be hackers.
That’s the message from email security firm Vade Secure, which warns that spearphishing attacks looking to trick employees into parting with company secrets or funds are getting more sophisticated at mimicking corporate executives.
While phishing attacks were once often identified by brusque, broken English, they now often go to greater lengths to imitate the people they’re impersonating. Smart attackers can comb through social media to get a sense of how corporate leaders write and find out something about their targets, so they can initiate an exchange by referencing recent events like vacations or job changes, says Vade Secure chief solutions architect Adrien Gendre.
“They’re trying to create a trust relationship between themselves and the recipient,” he says. “They will just start a conversation, and they will sound very casual about it.”
Attackers now also often send from email addresses outside the target's corporate domain, such as accounts at free email providers, while setting the account's display name to match whoever they're imitating. That makes the attacks hard for some security software to stop: no return address is being forged, and it's often not practical to block external email that arrives from someone with the same name as an employee.
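The impersonation pattern described above, a display name that matches an employee paired with an external sender address, can be flagged with a simple header check against a staff directory. The following is an added example for illustration, not code from the article or from Vade Secure; the corporate domain, the directory, and the sample `From:` headers are all constructed.

```python
"""Flag display-name impersonation: an external sender whose display name
matches an internal employee.  Added example; `example.com`, the directory
and the sample headers below are constructed, not taken from the article."""
import re
import unicodedata
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # hypothetical corporate domain

# Hypothetical staff directory: normalized name -> canonical address.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}


def normalize_name(name: str) -> str:
    """Lowercase, strip accents and punctuation, and reorder 'Last, First'
    so that 'Doe, Jane', 'JANE DOE' and 'Jané  Doe' all compare equal."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch)).lower()
    if "," in name:                       # "Last, First" -> "First Last"
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    name = re.sub(r"[^a-z ]", " ", name)
    return " ".join(name.split())


def check_from_header(from_header: str) -> dict:
    """Classify one From: header.

    'suspicious' : display name matches an employee, sender domain is external
    'review'     : display name matches an employee, internal domain, but the
                   address differs from the directory entry (could be an alias)
    'ok'         : no employee-name match, or the exact directory address
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = EMPLOYEE_DIRECTORY.get(normalize_name(display))
    result = {"display": display, "address": addr}
    if known and domain != INTERNAL_DOMAIN:
        result.update(verdict="suspicious",
                      reason="employee display name from external domain")
    elif known and addr != known:
        result.update(verdict="review",
                      reason="internal domain but address not in directory")
    else:
        result.update(verdict="ok", reason="")
    return result


def triage(from_headers: list[str]) -> list[dict]:
    """Return only the headers that need attention, in input order."""
    return [r for r in map(check_from_header, from_headers)
            if r["verdict"] != "ok"]


if __name__ == "__main__":
    # Constructed sample headers for a quick run.
    samples = [
        '"Jane Doe" <jane.doe.ceo@freemail.example>',   # impersonation
        '"Doe, Jane" <jdoe@freemail.example>',          # impersonation, reordered
        'Jane Doe <jane.doe@example.com>',              # genuine
        'Bob Smith <bob@partner.example>',              # unknown name, fine
    ]
    for hit in triage(samples):
        print(f"{hit['verdict']:10} {hit['address']:35} {hit['reason']}")
```

Two design points matter in practice: the name comparison must be forgiving (case, accents, "Last, First" ordering) or the check is trivially evaded by a stray accent, and a match on an internal domain with a different address is worth a review rather than a block, because directory data is rarely perfect and legitimate aliases exist. A production version would also consult the authentication results for the message and the organization's real directory rather than a hard-coded dictionary.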
Machine learning-based products can pick up on new phishing tricks, Gendre says, but ultimately it’s important for companies to put in place policies to verify sensitive requests that come in by email. Even if it really sounds like your boss (or your boss’s boss’s boss), it’s usually a good idea to pick up the phone and call before pulling the trigger on a money transfer or responding with sensitive data, he says.
“You need to put a process in place where for every request that is done by email, you pick up the phone and you confirm that request,” he says.