By Daniel B. Garrie and Yoav M. Griver,   December 28th, 2018.

Spearfishing, whaling, fishing, and all other variations of email scam are plaguing law firms,
businesses (big and small), and any company or individual who uses email.  What is driving this epidemic? The irresistible desire to reply to an email. Irrespective of the defenses deployed – be it software,  controls, tests, and policies – the pull of human nature wins much of the time.

To drive this point home, one needs to look no further than the report issued on October 16, 2018, by the United States Securities and Exchange Commission (“Commission”).  The report summarizes the results of an investigation the Commission had conducted into nine public issuers who were each the victim of cyber-related frauds, totaling more than $100,000,000.[2] The Commission correctly did not fault the victims, but it did note that situation may be symptomatic of a potential larger risk facing companies.[3] The Commission did not find that these companies had done nothing, in fact, the nine companies investigated by the Commission, for example, all “had procedures that required certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data.”[4] The report demonstrates that spearfishing is rampant today and that the current controls, training, and software are falling short.

It is impossible for companies, large or small, to reduce or eliminate 100% of spearfishing. This is because spearfishing targets human vulnerabilities, as opposed to technical vulnerabilities. Spearfishing preys on the reality that employees are overworked and overwhelmed in the workplace and often react without thinking, in derogation of training and procedure. Employees get tired; employees get tempted to respond to emails quickly to look good; and sometimes life just happens – an employee wants to get to their kid’s soccer game and misses the spoofed email address they are replying to on Friday at 4pm.

So, what is a solution?  No email? One can only dream.  For those that must continue to compete and work, and do not have millions of dollars to invest in preventing spearfishing, we offer the following insight: remove the reply feature for certain emails, or entirely for certain employees.

The solution is seemingly simple but is powerful and proven to be rather effective. Our organization has implemented, used and recommend this solution to hundreds of companies, big and small, and the vast majority found this to be an effective tool to assist in reducing the number of spearfishing incidents, somewhere between 60% to 80% depending on the entity. Using the “reply” feature eliminates any potential ability to verify and validate the right person is being addressed in an email, aside from implementing a software solution which may not be effective or useable to check/validate email communications.

Compelling a user to enter the email address into the “To” field of the email header causes the
recipient email address to be populated from the user’s existing address book. While these mechanisms can be compromised as well, it would require physically accessing the device. In order to gain access to these data streams, the bad actor would most likely have to gain access to the system, meaning the organization has much larger problems. This means that our solution does not remediate the situation when your organization has been hacked or a user is
able to gain access to your email client, but it does prevent a large percentage of the spearfishing family attacks. The solution to deploy this functionality will vary based on the email client and environment, but it can be achieved with limited costs and investment.

Eliminating the “reply” function limits the human vulnerability to spearfishing by forcing employees to consciously populate recipient email addresses. The financial employee, by being unable to immediately provide the requested information or complete the requested task, will have the time to think through his or her actions and/or be forced actually to obtain the required permission from a higher level of authority.  The solution is relatively cheap when weighed against the current investment being made and the potential losses. One can turn the reply function off for every email and user, a limited number of users, or develop a plug-in that scans emails messages for certain content and disable the “reply” function for only those emails.

The above solution is cost-effective, and when done properly in conjunction with other pieces will likely be found to be a sufficient “internal accounting control” that addresses the concern raised by the Commission in its recent report.

[1] Daniel B. Garrie, Esq.  is the Executive Managing Partner of Law &Forensics LLC, global forensic, e-discovery, and cybersecurity engineering and consulting company, a neutral at JAMS, and a Partner at ZEK LLP.  Mr. Griver is a litigator at ZEK LLP specializing in complex commercial matters and the litigation of intellectual property disputes, and a frequent writer and lecturer on e-discovery and technology issues. The views expressed herein are entirely their own.

[2] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Securities and Exchange Commission, Release
No. 84429 (issued October 16, 2018) (hereafter “Commission Report”), available at https://www.sec.gov/litigation/investreport/34-84429.pdf

[3]
Id.

[4]
Id.