Spearphishing Can Be Stopped Once You Remove The Bait
November 29, 2018
By Daniel B. Garrie and Yoav M. Griver
Spearphishing, whaling, phishing, and every other variation of email scam are plaguing law firms, businesses (big and small), and any company or individual who uses email. What is driving this epidemic? The irresistible desire to reply to an email. Whatever defenses are deployed, whether software, controls, tests, or policies, the pull of human nature wins much of the time.
To drive this point home, one needs to look no further than the report issued on October 16, 2018, by the United States Securities and Exchange Commission (“Commission”). The report summarizes the results of an investigation the Commission conducted into nine public issuers, each of which was the victim of cyber-related fraud, with losses of roughly $100 million in total. The Commission correctly did not fault the victims, but it did note that the situation may be symptomatic of a larger risk facing companies. Nor did the Commission find that these companies had done nothing. In fact, all nine of the companies it investigated “had procedures that required certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data.” The report demonstrates that spearphishing is rampant today and that current controls, training, and software are falling short.
It is impossible for companies, large or small, to eliminate 100% of spearphishing. This is because spearphishing targets human vulnerabilities rather than technical vulnerabilities. It preys on the reality that employees are overworked and overwhelmed in the workplace and often react without thinking, contrary to their training and procedures. Employees get tired; employees are tempted to respond to emails quickly to look good; and sometimes life just happens: an employee wants to get to their kid’s soccer game and misses the spoofed sender address on the email they are replying to at 4pm on a Friday.
To read the full article, go to Law360