The Latest Trend Or Natural Evolution?
W2 themes are the latest trend in impostor emails. But this type of attack is nothing new, as some security companies seem to think. Sure, we have seen some recent high profile losses, but email security products with the right capabilities and right configurations have been stopping imposter threats for years.
The recent waves of attacks related to W2s and employee tax information then shouldn't come as any surprise, given that we are quickly approaching the April 18 tax deadline in the United States. It's a shift in tactics, even if the underlying approach isn't especially novel. That underlying approach is what we call "impostor email threats." Proofpoint researchers described these threats in a recent blog post, pointing out that they are natural extensions of the phishing schemes we have seen for over 20 years now.
Whether we are talking about "business email compromise" (BEC), broader campaigns going after HR or finance departments, or even more targeted spear-phishing attack campaigns, all of these threats rely on bad actors convincing users that they are someone else—someone with a legitimate reason for asking for a wire transfer or specific information.
On a typical day, looking at a small sample of our customers and just a fraction of their total email flow, we see (and block) a range of messages that clearly fall into this category. Subject lines ranged from personal and familiar - "FYI, James" or "Hello Matt" - to specific and urgent, ("WIRE REQUEST!!!", "Request for March 04,2016", and "Request For All Employees' W2s, Friday 4th March, 2016").
At the same time, sender addresses were spoofed, primarily purporting to come from CEOs and other executives. A closer look at the actual “Reply To” addresses (which end users rarely see in Outlook and other email applications) show that the emails come from a variety of vaguely legitimate-looking Gmail, AOL, Yahoo, and Outlook.com accounts, among others. We saw ceooffice0000[@]gmail.com, execpartner16[@]gmail.com, ceo.c[@]aol.com, secure[@]ceoexec1.com, along with several others that clearly didn't match the names and email addresses of CEOs plucked from LinkedIn and other online sources.
Bottom line, these types of attacks are common, pervasive, and, most importantly, sufficiently innocuous to effectively spur end users into action. Many simply aren't that suspicious. Social engineering works, and as long as it does, attackers are going to continue to refine their techniques and lures.
Hallmarks of Impostor Email Threats
As with so many phishing schemes and other email-based attacks, though, impostor email threats bear common hallmarks that should send up a red flag for users if these messages make it past your organization's defenses:
- High-level executives asking for unusual information: How many CEOs actually want to review W2 information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
- Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
- Requests that bypass normal channels: Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
- Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker are common in many of these attacks.
- “Reply To” addresses that do not match sender addresses: This is rarely obvious in email clients or webmail applications, but impostor email threats are generally characterized by spoofed sender addresses. They may also use lookalike domains to fool recipients at a glance (yourc0mpany.com instead of yourcompany.com, for example).
What You Can Do
Many security defenses look for malicious documents or known blacklisted URLs to identify emails as suspicious. Impostor emails threats, though, rarely have these tell-tale features. They rely instead on social engineering and busy, tired, or naive employees responding to fake requests for money and information. Vigilant employees are the last line of defense against impostor threats.
Here are a few tips to keep organizations safe in the face of these increasingly common attacks:
- Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
- If something doesn't feel right, it probably isn't. Encourage employees to trust their instincts and ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through our portal?"
- Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.
Perhaps the most important message is that robust email, network, and endpoint security solutions must work alongside user-education initiatives. Cyber criminals aren't just relying on exploits and malware anymore. They're having too much success with social engineering approaches, meaning that people are as much a part of the solution as software and silicon.