Our new CEO: the 20-pound phish that got away

In SMX Blog

A month or so ago, SMX welcomed a new CEO – Richard Fraser.

In less than a week, phishers had thrown in their rods, hoping to use our incoming CEO as a way to get in through our digital door.

An urgent email from Richard to Jamie Callaghan, Product Manager, was well written with correct details. It was the first Jamie had received from our new CEO – but it wasn’t actually from Richard. Luckily, SMX’s whaling module did what it was supposed to, highlighting to Jamie that this email looked suspicious.


What is phishing?

A phishing attack describes any kind of online scam where attackers send emails designed to trick people into handing over financial information, sensitive data or access to other systems.

  • Business email compromise (BEC) is an extremely targeted phishing attack. Attackers assume the identities of your finance people, board members and senior management, using their positions of power to trick staff down the company ranks.
  • Whaling is another kind of targeted phishing attack, this time targeting those senior people. Perhaps the attacker pretends to be a trusted supplier or a bank.

That email to Jamie was therefore both a BEC and a whaling attack.

Incoming leadership is prime time for these attacks – everyone at a company is eager to support their new manager, and some, including the new executive, are too new to spot things out of the ordinary, like a shift in writing style or odd sending behaviour. But phishing attacks can happen at any time. One panicky email and staff can easily click links or share protected information, thinking they’re doing what they’re supposed to. 


How to keep your organisation off the hook

So what can you do to protect your people and your company? One option is to go dark: shut down your systems, block all but a few email addresses and protect the identities of your at-risk people. This means phishers don’t have the information they need to create convincing spoofs, and couldn’t send them to your people even if they did. For most organisations, that’s completely impractical – locking down your systems and staying quiet means locking out valuable suppliers and clients and undermining marketing efforts.

Install DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a revolution in email security. Properly implemented and managed, it defends against email spoofing, impersonation and business email compromise attacks. It’s so important that it should be considered a must-have basic – the equivalent of locking your office at night.

But one of our recent surveys shows only 22% of Australasian organisations have DMARC policies in place. Almost two-thirds of NZ government agencies have no DMARC in place at all. That’s because implementing DMARC can be deceptively complex – and many organisations are put off by the work involved and the risk to the smooth running of their company email. Domain Protection Service from SMX is designed to overcome these issues – our experts follow a proven project flow to get DMARC installed in as little as five weeks.
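As an added illustration (not SMX’s code or its Domain Protection Service), here is a small Python check of what “properly implemented” means for a DMARC record: it parses the DNS TXT record, flags settings that still leave a domain spoofable, and works out the disposition DMARC gives a message once the receiving server has its SPF and DKIM results. The records, domains and report address are constructed examples, and the organisational-domain logic is a simplification noted in the code.

```python
# Constructed sample records for illustration; not any real organisation's DNS data.
RECORDS = {
    "weak":   "v=DMARC1; p=none; pct=50",
    "strong": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def weaknesses(tags):
    """Settings that leave a domain spoofable even though 'DMARC is installed'."""
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if int(tags.get("pct", "100")) < 100:
        issues.append("pct<100: policy is applied to only a sample of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so abuse of the domain stays invisible")
    return issues

def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption: real
    implementations consult the Public Suffix List, e.g. to handle .co.nz)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate(tags, header_from, spf_domain="", spf_pass=False, dkim_domain="", dkim_pass=False):
    """DMARC passes if SPF or DKIM passed AND that passing identifier aligns with the
    visible From: domain; otherwise the record's p= policy is the disposition.
    (pct sampling and the sp= subdomain policy are ignored here for brevity.)"""
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

With the "weak" record a message whose SPF passed for an unrelated sender domain still gets disposition `none`, which is why a monitoring-only record stops no spoofing.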

Implement zero trust rules

For some organisations, zero trust rules can be useful. This is where all users, whether inside or outside the organisation, must be authenticated, authorised and continuously validated. That can also include rules that always admit or reject certain content. Some users or domains can benefit from this locked-down approach – it’s a question of risk vs usability, and each area and individual needs different rules.

Set rules of engagement

Technology can do a lot for your security posture, but at the heart of every successful phishing attack is a human who’s fallen for it. That means that alongside SMX’s DPS (DMARC as a service) and other technology, it’s worth implementing behaviour policies. This may be as simple as asking people never to email from a personal account, or to confirm via phone call before sharing credentials or transferring money. Having those requirements will give people the confidence to pause or push back, even if they think it’s the CEO making a special request.

Millions of domains are registered globally every year – safe to say, far more than the number of new businesses coming onto the market. The bulk of these domains have almost certainly been set up by bad actors, which gives you an idea of the scale of the issue. That’s not to try to scare you into action – it’s more of a good reminder that there’s money to be made in the phishing business, and that simple security measures can help make sure it’s not being made from you.

Photo by Brian Tromp on Unsplash