Transitioning to a paperless office in the cloud can be a great move for your business, cutting costs and making it easier to access your files from anywhere. But it can present an increased risk of sensitive data leaving your organization via email or online attack.
More and more attackers are targeting businesses with CEO impersonation attacks, trying to trick employees into wiring money or sending personnel files. These are a type of spear phishing attack, crafted to look like they come from the CEO (or another high-level employee) and sent to a lower-level employee (more on phishing on this blog). They are usually highly targeted and rely on the fact that lower-level employees don’t always have direct contact with the leadership team and won’t ask too many questions when asked to send information to them.
A common scenario is an email that appears to come from a high-level employee to an HR employee asking for personally identifiable information on employees, such as copies of W-2s or payroll information. Snapchat recently fell victim to exactly this.
These files can then be used to steal the identity of these employees or sold on the black market (so someone else can steal their identity).
What to watch out for
There are a few questions every employee should be asking when they get an email requesting some sort of action (whether it’s to open a file or to send information). Answering these questions can potentially raise a red flag and let you know there is something wrong.
Do you really know who is sending the email? Do you recognize the sender and their email address? Is it the correct email? Is the From: name formatted correctly?
Is the message consistent with what you would expect from the sender? Is the tone consistent with the way they normally speak and write? Does it look like other emails from that sender (fonts, colors, signature, etc.)?
Is the sender asking you to open an attachment or visit a website? Hover over the link to see the actual URL: does it match what you were expecting? Is the domain in the URL, or the file name of the attachment, related to the content of the message?
Please note that even if you don’t immediately see something amiss, this doesn’t guarantee the email is legitimate. More advanced (or more dedicated) attackers can spoof a legitimate email address or register a lookalike domain that differs from yours by a single character. If someone is targeting your company very specifically, they have spent the time to learn enough about your company and leadership team to imitate their emails quite convincingly.
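As an added example (not part of the original post), the following Python script applies the questions above to a message automatically: it compares the From: display name against a directory of known executives, flags a sender domain that is one character away from the organization’s own domain, checks for a Reply-To that points somewhere else, and compares the text of each link with where the link actually goes. The organization domain, the executive directory and both sample messages are constructed for this example. An empty result means only that none of these checks fired, not that the message is legitimate.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organization's domain and a small directory
# of executives whose names are likely to be impersonated.
ORG_DOMAIN = "example.com"
KNOWN_SENDERS = {"ceo@example.com": "Jane Doe"}

# Constructed sample: the real CEO's display name, a lookalike sender domain,
# a Reply-To on a third domain, and a link whose text and target disagree.
SUSPICIOUS_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: payroll@example.com
Subject: Urgent: W-2s for all employees
Content-Type: text/html

<html><body>
<p>I need the 2015 W-2 forms for all staff today. Upload them here:
<a href="http://files.examp1e.com/upload">https://sharepoint.example.com/hr</a></p>
</body></html>
"""

# Constructed sample that should pass every check.
LEGIT_EMAIL = """\
From: Jane Doe <ceo@example.com>
To: payroll@example.com
Subject: Quarterly headcount
Content-Type: text/html

<html><body><p>Please post the headcount summary to
<a href="https://sharepoint.example.com/hr">https://sharepoint.example.com/hr</a>.</p></body></html>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host):
    # Crude "registrable domain": the last two labels. Good enough here; a real
    # deployment would consult the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _lookalike(domain, reference):
    """True if domain is one substitution, insertion or deletion away from reference
    (e.g. examp1e.com vs example.com)."""
    if domain == reference:
        return False
    if len(domain) == len(reference):
        return sum(a != b for a, b in zip(domain, reference)) == 1
    if abs(len(domain) - len(reference)) == 1:
        longer, shorter = sorted((domain, reference), key=len, reverse=True)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def check_message(raw):
    """Return a list of human-readable findings; empty means no check fired."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)

    # 1. Display name of a known executive, but the address is not theirs.
    for known_addr, known_name in KNOWN_SENDERS.items():
        if name.lower() == known_name.lower() and addr.lower() != known_addr:
            findings.append(f"display name '{name}' belongs to {known_addr} but address is {addr}")

    # 2. Sender domain is a one-character lookalike of our own domain.
    if sender_domain != ORG_DOMAIN and _lookalike(sender_domain, ORG_DOMAIN):
        findings.append(f"sender domain {sender_domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Replies would go to a different domain than the one the mail came from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != sender_domain:
        findings.append(f"Reply-To domain {_domain(reply)} differs from From domain {sender_domain}")

    # 4. Link text shows one domain while the href points at another.
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and _registrable(shown.group(1)) != _registrable(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for line in check_message(SUSPICIOUS_EMAIL):
        print("FLAG:", line)
    print("legit message findings:", check_message(LEGIT_EMAIL))
```

Each check corresponds to one of the questions above; the first two catch the most common impersonation tricks (borrowed display name, lookalike domain), the third catches the case where the From: address is spoofed outright and the attacker needs replies routed back to themselves.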
What to Do to Protect Your Files
There are some steps you can take to mitigate the risk of your company falling victim to a CEO impersonation attack:
Train all employees on data security best practices and what to look out for: This is the biggest key to data security. Everyone in your company, regardless of role, should be trained in data security – and regularly retrained as threats evolve. Even outside of CEO impersonation attacks, it only takes one employee accidentally clicking on a bad link or opening a malicious attachment to put your whole company at risk.
Limit who has access to personnel files: The more people who have access to sensitive data, the bigger the risk. Store files in a location where you can restrict access per employee. If you’re using Office 365, SharePoint has some nice functionality for this.
Implement Data Loss Prevention (DLP): Some email services (like Office 365) can enforce data loss prevention policies. These are basically a set of customizable rules that check emails before they’re sent to make sure sensitive data (Social Security numbers, for example) isn’t being emailed out. We’ve written more about it in this blog.
Implement a good spam filter: A good spam filter will stop the more obvious phishing emails. This isn’t 100%, though - just as legitimate messages can be caught by a filter, well-crafted malicious messages will pass through it. Employees need to be trained that an email making it through a spam filter doesn’t automatically mean it’s legitimate.
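To show what a DLP rule looks like in practice, here is an added Python example (not the Office 365 DLP engine and not code from the original post) that evaluates an outgoing message the way a simple policy would: it scans the subject, body and any text attachments for Social Security numbers and payroll keywords, and blocks or warns only when the message is addressed outside the organization. The organization domain, the rule thresholds and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "example.com"  # assumption: the organization's own domain

# US SSN in NNN-NN-NNNN form, excluding area 000, 666 and 900-999, group 00 and
# serial 0000, which the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORD_RE = re.compile(r"\b(W-?2s?|payroll|social security)\b", re.I)

# Constructed sample: HR replying to the spoofed request with a payroll CSV attached.
OUTGOING = """\
From: hr@example.com
To: "Jane Doe" <jane.doe@examp1e.com>
Subject: Re: Urgent: W-2s for all employees
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Jane, attached is the payroll export you asked for.

--b1
Content-Type: text/csv
Content-Disposition: attachment; filename="payroll-2015.csv"

name,ssn,salary
Alice Smith,123-45-6789,85000
Bob Jones,234-56-7890,72000
--b1--
"""


def _external_recipients(msg):
    """Addresses in To/Cc/Bcc that are not on the organization's domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [a for _, a in getaddresses(headers) if not a.lower().endswith("@" + ORG_DOMAIN)]


def _scannable_text(msg):
    """Subject plus every text/* part, so text attachments (CSV exports) are covered."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw):
    """Apply the rule to a raw RFC 822 message and return the decision."""
    msg = message_from_string(raw)
    text = _scannable_text(msg)
    ssn_count = len(set(SSN_RE.findall(text)))
    keywords = sorted({k.lower() for k in KEYWORD_RE.findall(text)})
    external = _external_recipients(msg)

    # Rule thresholds are the example's own: any SSN leaving the organization is
    # blocked; payroll wording alone to an outside address only warns the sender.
    if ssn_count and external:
        action = "block"
    elif keywords and external:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "ssn_count": ssn_count, "keywords": keywords, "external": external}


if __name__ == "__main__":
    print(evaluate(OUTGOING))
```

The same message sent to an internal recipient is allowed, which is the point of pairing DLP with the access restrictions above: the rule is about data leaving the organization, not about who inside it may see payroll data.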
As an Individual
- Never give out passwords or other sensitive data over email.
- Do not click on links in email, especially from unknown sources. Pull up your browser and go to the website there rather than clicking. For example, a user who receives a message from LinkedIn should open a new web browser window, navigate to LinkedIn, and log in, rather than clicking on the email link. If the email is legitimate, the notification will be in the LinkedIn notification system.
- Trust your gut and double check everything – if something looks funny or just doesn’t feel right, don’t open it and don’t respond to it. It’s better to take the extra few minutes to confirm with the sender through a channel you already trust (a known phone number, or in person), not by replying to the email itself.
- Follow basic data security best practices in and outside of the office. Here’s a short guide to get you started.
Don’t let CEO impersonation attacks dissuade you from considering the cloud or a paperless office for your business - and don’t think you are safe just because your information is stored on a server at your office or in paper form. Any company can be a target. The right security measures in place and a well-trained staff will go a long way toward keeping you safe.