Support through your toughest HR challenges: A network of 285,000 HR professionals.
Shawn Premer shows how doing the right thing for employees leads to positive business results.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Scammers target executives in hopes of a big payout
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Last year, San Jose, Calif.-based tech company Ubiquiti reportedly suffered a $46.7 million loss after its CEO was the victim of a phishing scam.
Soon after, Omaha, Neb.-based The Scoular Co., a 121-year-old employee-owned commodities trader, lost $17.2 million in an international e-mail scam.
In both cases,
executives were tricked into sending the money to criminals.
It's not the first time this has happened, and it won't be the last, experts say, but there are steps HR can take to mitigate the risks of spear phishing, a type of social engineering scam also called whale phishing. It specifically targets executives.
Both are also known as CEO fraud or business e-mail compromise. They target those in charge—the so-called "big fish." Cyber thieves hope to trick executives ("whales") who have access to sensitive information or large amounts of cash into giving that information or funds away by making it seem as if the requests for funds or information comes from a legitimate source.
"As reported [in the Krebs on Security blog], for example, these types of scams are way up in the past year and are estimated to cost companies more than $2.3 billion over the past year with the average [being] $25,000 to $50,000," said Paul Everton, founder of the Chicago-based e-mail security company
MailControl, in an interview with SHRM Online.
"One example is scams where they
trick accounting or HR professionals into sending W2s and then [file] fraudulent tax returns on behalf of the company's employees," he said. "In fact, just a few months ago the IRS issued an alert about this to HR and payroll professionals after dozens of companies, including Snapchat and Seagate Technology, were victimized in February and March 2016."
In addition to tricking executives, cyber thieves will also pose as these executives to get money or information from unsuspecting employees.
Here's how it works:
Hackers often spy on executives, hack into their e-mail or use other methods of surveillance to gather data on victims before an attack. Then they use official company logos and "spoof" (that is, fake) e-mail signatures to avoid detection.
In a targeted attack, according to
The Perils of Phishing: How Cybercriminals are Targeting Your Weakest Link, a white paper published by IBM last year, "most phishing methods use a form of technical deception in order to make a link in an e-mail and the spoofed website to which it actually points, appear to belong to a trusted organization."
If the user hovers his or her cursor over the visible link in an e-mail, most web browsers or e-mail providers will reveal the real destination. Often people click on links they think are real, but are malicious instead.
"Spear phishing has been associated with most of the largest cyberattacks in recent history including the widely publicized attacks on JPMorgan Chase & Co., eBay, Target, Anthem, Sony and various departments within the U.S. government," according to San Francisco-based cybersecurity company Cloudmark.
Respondents to Cloudmark's 2016 study:
The Impact of Spear Phishing: Enterprise Survey Findings—which polled 300 IT decision makers in the U.S. and the U.K.—said these attacks were increasingly directed at C-suite executives.
Twenty-seven percent said CEOs were targeted, and 17 percent said chief financial officers were targeted. On average, the 300 respondents suffered 10 attacks involving the spoofing of a CEO for financial gain in the last 12 months.
Since 2015, cybercriminals have consistently targeted IT staff (43 percent) finance staff (43) percent and other executives because "these two departments control access to data/infrastructure and money, both of which can be solid gold to the attackers," according to Cloudmark.
The FBI points out that businesses worldwide have lost $3.1 billion since 2015 in subversions that compromised e-mail accounts. And a recent Verizon study revealed that 30 percent of people opened malicious e-mails last year.
IBM offered these tips for educating employees:
Most companies, banks and agencies never request personal information via e-mail. Don't fall prey to this most common type of phishing.
If you suspect an e-mail might be a spear phishing campaign within your company, report it to your IT department.
Be suspicious of e-mails with generic greetings like "Dear Customer" or with spelling and grammatical errors.
Don't trust e-mail attachments, even if they come from a trusted source. Unless you're expecting an e-mail with a document attached, call the sender and confirm he or she sent it. The computer might have been compromised and could be sending e-mails without the person's knowledge, or the e-mail address could have been faked.
Never reveal personal or financial information in response to an e-mail request, no matter who appears to have sent it.
Everton added that HR professionals should also:
Enable two-factor authentication to reduce the ability to send these types of e-mails from accounts if an executive's login and password are compromised.
Make sure all cybersecurity products are up to date, and consider adding specialized anti-phishing and anti-spymail services to existing spam filtering and anti-virus services.
Grant access to sensitive information only on a need-to-know basis
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Talent Attraction Study: What Matters to the Modern Candidate
HR Education in a City Near You
SHRM’s HR Vendor Directory contains over 3,200 companies