In speaking on a panel regarding data security for the Institute of Internal Auditors last week, I became aware of a new type of security threat that is on the rise: so-called “spear-phishing” through LinkedIn or other social media networks. “Spear-phishing” is a variant on “phishing,” the fairly well-known emails that impersonate businesses with whom one is familiar and that seek to obtain personal information from the recipient for purposes of identity theft. Spear-phishing is, as its name implies, both a more specific and more sophisticated type of phishing, one that targets higher level executives within a given company for various fraudulent purposes.
The spear-phishing method that was mentioned on this panel last week was having the attacker send a spoofed email, posing as a C-suite executive in Company X, to another C-suite executive in the same company, asking that a certain action be taken urgently. In the case mentioned, it was sending money by wire to a given account. If a company does not have good internal controls (such as two-person authorizations for wires over certain amounts), and the spear-phisher avoids the usual grammatical errors and other red flags that are the hallmark of overseas identity thieves, this one may have a good chance of succeeding in some companies. Good internal controls on funds wires (as well as handling third party “money orders,” “cashier’s checks” or other negotiable instruments, which are also very commonly used in frauds) are your best protection against this type of scheme.
However, a good social media defense strategy is also in order, as fraudsters have also worked to gain access to proprietary information and/or personal information through the creation of fake LinkedIn profiles. Spotting and avoiding acceptance of these will not only save you and your company the risks entailed in these schemes, but also wasted time in dealing with communications with those behind the fake profiles. These can be fairly easy to spot if one looks for them; the key is to avoid accepting the request to link/friend anyone:
- Who is not already linked to a number of known individuals in your network (unless you have a very small existing network);
- Whose profile contains very little personal information, is very generic or contains typos or other obvious English-language errors; or – and this is rather a funny one —
- Whose profile picture is just a mite too good-looking or professionally styled for someone in your industry (you can always do a Google Image search to see if a stock photo has been used). (As we attorneys and/or other professional services workers know, you can usually tell the difference between one of us and a pharmaceutical salesperson at one glance!)
As in this and so many other areas in the data security realm, a good defense is the best place to start, and it does not have to be difficult or expensive. The data security and data privacy attorneys at Culhane Meadows are able to assist you and your company with building a good security defense from a legal perspective. As the law firm that prides itself as being Big Law for the New Economy, we offer lawyers trained by the top law firms in the country, working now in a low overhead environment, able to pass the efficiencies along to you, the client. For more information write to kverska@culhane.law, or dataprivacy@culhane.law.
This Blog/Web Site is made available by Culhane Meadows PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.
