The largest cybersecurity incidents often start with an unwitting employee clicking an attachment to a document or responding to a seemingly legitimate email. The recently released 2016 Symantec Internet Security Threat Report found that one particular type of incident—phishing—has been gaining ground rapidly. Phishing, generally, is a scam by which an email user is duped into revealing personal or confidential information that the scammer then uses illicitly. A typical phishing scenario may be as follows: A CEO sends an email to a human resources employee requesting a PDF of all W-2s for current employees. The HR employee replies to the email, attaching the requested information. However, the information was not requested by the CEO; the request came from a hacker, and all of that information is now in the hacker’s hands. This type of scam does not involve any complex software, but rather some targeted social engineering, fake email domains, and sometimes even some well-placed telephone calls.

Specifically, Symantec Corp. reported that the legal and finance departments at companies have increasingly been targeted with well-crafted phishing attacks, some of which included wire transfer attempts; successful attacks often cost affected companies millions of dollars, most of which cannot be recovered. For example, Ubiquiti Networks Inc. disclosed late last year that it had been the victim of a phishing attack. Someone impersonating an employee requested wire transfers that resulted in transfers of funds aggregating $46.7 million held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties; the company was only able to recover a little over $8 million. Blogger Brian Krebs reported that phishers made off with $17.2 million from Scoular Co., an employee-owned commodities trader in Omaha, Nebraska—an executive wired the money in installments to a bank in China after receiving emails instructing him to do so. Indeed, the FBI reports that over 7,000 victim companies in the United States lost $750 million between October 2013 and August 2015; this form of swindling has grown over 270 percent since January 2015.