Hey, can you send me a check for $40,000?

One common category of phishing email is known as “spear-phishing”, whereby an email is sent from an individual sender to an individual recipient with the intent of tricking the recipient into giving up information they otherwise would not have volunteered. One common variant is when the sender impersonates an executive in an organization and asks the recipient, who is a person with access to financial accounts, to transfer funds into a newly created account. In fact, we’ve received many variants of this attack ourselves, which we’ve written about in the past.

However, we’ve had many clients ask “Why doesn’t a spam filter pick up these emails if they are not legitimate?”

Historically, filters have worked primarily by analyzing each email they process for traits that indicate the “spaminess” of the message. For example, items that can raise a spam score high enough to block a message include links that lead somewhere other than where they claim, obvious key words, a sending source with a history of high-volume spam, and so forth. However, most spear-phishing emails originate from legitimate email platforms, contain no links, and use no key words that would trigger a filter. It’s an email from one person to another asking them to transfer money, which may be a perfectly normal business request.

While many spam filters have improved their ability to block these types of messages, such as with Proofpoint’s Imposter Email Threat protection, the best defense is a Healthy Dose of Skepticism.
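As an added example (not code from the original post or from any vendor named in it), the two paragraphs above in Python: classic trait-based scoring passes a constructed “$40,000 check” request untouched because it has no links, no key words and a clean sending source, while an assumed impostor heuristic (an executive’s display name arriving from a non-corporate address, or a mismatched Reply-To) flags it. All addresses, weights and messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:
    """Constructed view of the fields a filter inspects (not a real message format)."""
    from_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str
    sender_reputation: float  # assumed scale: 0.0 clean source .. 1.0 known spam source

SPAM_KEYWORDS = ("free", "winner", "click here", "limited time")
LINK_RE = re.compile(r'<a href="(?P<href>[^"]+)">(?P<text>[^<]+)</a>')

def trait_score(mail: Email) -> float:
    """Classic scoring: deceptive links, key words, sender history (weights are assumed)."""
    score = 0.0
    for m in LINK_RE.finditer(mail.body):
        href, text = m.group("href"), m.group("text")
        # Visible text looks like a URL but the link points somewhere else
        if text.startswith("http") and not href.startswith(text.rstrip("/")):
            score += 3.0
    score += sum(1.0 for kw in SPAM_KEYWORDS if kw in mail.body.lower())
    score += 4.0 * mail.sender_reputation
    return score

def impostor_flags(mail: Email, executives: dict) -> list:
    """Assumed impostor heuristics; executives maps lowercase display name -> corporate address."""
    flags = []
    expected = executives.get(mail.from_name.lower())
    if expected and mail.from_addr.lower() != expected:
        flags.append("display name matches executive, address does not")
    if mail.reply_to and mail.reply_to.lower() != mail.from_addr.lower():
        flags.append("reply-to differs from sender")
    return flags

def verdict(mail: Email, executives: dict, threshold: float = 5.0) -> str:
    if trait_score(mail) >= threshold:
        return "block: spam score"
    flags = impostor_flags(mail, executives)
    return "block: " + "; ".join(flags) if flags else "deliver"

# Constructed samples: a classic spam and a BEC-style request from a free-mail address
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}
SPAM = Email("Prize Desk", "promo@bulkmail.example", "", "You are a winner",
             'Click here: <a href="http://evil.example/x">http://bank.example</a> free limited time', 0.9)
BEC = Email("Jane Doe", "jane.doe.ceo@webmail.example", "", "Quick favor",
            "Hey, can you send me a check for $40,000? I'm in a meeting, will explain later.", 0.0)
```

Running `verdict(BEC, {})` shows the request delivered by trait scoring alone; `verdict(BEC, EXECUTIVES)` shows the impostor check blocking it.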

If you wouldn’t transfer a large sum of money because someone simply asked “Hey, can you send me a check for $40,000?”, don’t transfer funds based on a single emailed request either. One sound financial practice is to institute a multi-factor authentication policy under which any financial transfer or purchase over a certain dollar amount requires in-person verification. Unfortunately, we live in an era of “deep fakes”, so even a voice verification over the phone cannot be trusted. A well-followed trust-but-verify system will allow you to Keep Calm and Compute On.