A CEO said that his controller had just received an email, ostensibly from him, asking her to process an urgent outgoing payment.
Everything about the letter looked legit.
"It has my display name, spelled correctly," said Kevin O'Brien, co-founder and CEO at Belmont, Mass.-based GreatHorn. "There are no attachments. There's nothing in the email that's misspelled. My signature line was copied from my real emails."
The text of the email was totally something that a CEO might say.
"Hi Caitlin," the message said, addressing the company's controller, Caitlin McLaughlin. "Are you available to process an outgoing payment today? Let me know and I will send the payment details as soon as I receive it from the consultant shortly; I am traveling and this is urgent."
The only mistake was that the sender's email address spelled GreatHorn with two Rs instead of one, but that would have required eagle eyes to catch.
In addition, some email clients would only show the display name, not the actual email address, said Yoel Alvarez, IT security engineer at Philadelphia-based Hersha Hospitality Management.
"To the untrained eye, this is going to look like a legitimate email," he said. "It bypasses any form of security."
Trained users might also be put on alert by the urgency of the email and the part about the executive traveling, and might delay the transaction until they received definite confirmation from the CEO by contacting him by phone or text on a number that they already had for him.
But what if the email simply asked her something completely innocuous? Scammers will ask simple questions, questions that any co-worker or customer might ask, in order to expand their knowledge of the company, get a feel for email style, and develop relationships with staff.
These communications may also take place via social media channels, web forms, or even phone calls, said Kevin San Diego, vice president of product management at Cloudmark, which offers a spearphishing detection tool.
Traditional security email gateways or spam filters don't help when it to comes to spearphishing, he said.
"These attacks are highly targeted, with a single message in the email campaign, uniquely crafted for that particular recipient," he said.
And the messages can be very innocuous, with very simple requests that pose no risks to the company at all.
Scammers will also send out fake marketing emails in order to trigger replies from vacation autoresponders -- not only does this give them the employee's email signature, but it also tells them that the employee is on vacation and when they will be back.
The scammers can then work their way up to asking for the wire transfer, the W2 records or other proprietary data.
But there are some tell-tale signs, he added, that may not be readily apparent to the recipient.
Kevin O'Brien, co-founder and CEO at GreatHorn
"We look at the IP address of the sending domain, the age of the domain, the DNS servers that are being used, all those elements," he said.
The average cost of a spear phishing attack is $1.6 million, according to a survey released earlier this year by security firm Cloudmark and research firm Vanson Bourne, and 73 percent of respondents said that spearphishing was a significant threat.
Over the past 12 months, 27 percent of organizations received a targeted spearphishing attack, according to a report released today by Osterman Research. And 11 percent of organizations were successfully tricked.
"That's a little sobering," said Tim Helming, director of product management at DomainTools, the company that sponsored the research.
In addition, only 33 percent said that user training was "excellent" at effectively stopping these attacks, and 58 percent said it was moderately effective.
But there are some tools already available that can help catch many of these attacks, and some systems on the market can quickly react to new kinds of approaches and block them before they do damage.
Learning to spot the patterns
The most interesting technology hitting the market uses machine learning to spot suspicious patterns.
For example, the email to the GreatHorn controller was caught by GreatHorn's own security product, a cloud-based detection system that works with Office 365 and Google email platforms.
"Within 20 seconds, we recognized that it was likely an impersonation of our domain name, that it was likely fraudulent, that it was looking for a wire transfer, and instantly removed it from her email box," said O'Brien.
The cloud-based approach allows all of its customers to be instantly updated whenever a new type of fraudulent email shows up anywhere else.
For example, one recent tactic is for the scammer to create a personal email address for the CEO or other executive with, say, Gmail or another popular email provider. If the name is already taken, they will add a middle name.
How many people know the middle names of their company executives?
To make it more believable, the scammers will add the executive's real picture, a line like "Sent from my iPhone" at the bottom of the email, and send the message in the middle of the night.
"The email typically says 'are you in the office, if so give me a call back or email me' -- it's just to see if someone responds to that email address," O'Brien said. "We saw a rise of that in the last couple of months."
Once GreatHorn spotted that pattern, the update was immediately available to all users, and GreatHorn went a step further and developed new functionality to track legitimate personal email addresses.
O'Brien confirmed that his company does have to be able to see the emails in order to spot the known patterns and identify new ones.
"We're using the APIs protected by Microsoft and Google," he said. "You're not changing your email transmission -- it all remains entirely within the Microsoft or Google ecosystem. And all of our analysis of email content is done in a very narrowly-scoped environment. We never write it to disk, we never store any email content from any client ever, we do our analysis in memory."
The system originally started out as a tradition rules-based expert system, but now the majority of the back end is unsupervised machine learning, he said.
GreatHorn isn't the only vendor looking for new fraud techniques across a wide customer base.
IronScales, for example, offers fraudulent email detection as software-as-a-service to more than 100 companies with anywhere from 50 to 40,000 employees.
"New phishing attacks -- zero-day phishing attacks that are just emerging in the last couple of minutes -- our machines are trained against them and can create real-time signatures to make sure they're intercepted," said Eyal Benishti, CEO at IronScales.
And if anything does slip through, all it takes is for a message to be flagged as fraudulent by a recipient.
"Our machine is able to extract all the parameters of this fraud," he said. "And from that point on, the more frauds that we see, the better the machine is at predicting other attacks that look very similar to that kind of attack."
Nothing is foolproof
Palo Alto-based Medallia, which sends out customer surveys, started using GreatHorn to catch spearphishing attacks this past spring.
"Our CFO was getting almost daily emails from our CEO asking him to wire transfer large sums of money," said Jonathan Hansen, the company's head of IT.
There was a training program already in place, but the emails were getting really annoying, he said.
The initial setup required two people and about half an hour of time, but the company is still working on fine-tuning the system.
It now catches about 90 percent of fraudulent emails, Hansen said.
"We look at it about once a week, just to see what it's catching, if there might be false positives or false negatives," he said.
There's an email address dedicated to false positive and false negative emails, and those reports are used to fine-tune the settings.
"You have to set proper expectations," he said. "Even the most advanced system isn't going to be 100 percent."
Hersha Hospitality Management's Alvarez said that his company has used the GreatHorn service for about a year, and administrators have a dashboard where they can see all the emails coming in and get warnings about suspicious messages.
Proper configuration can help eliminate false positives, he said, and block fake emails from getting through without being caught.
Every week about a quarter of a million email messages land in employee mail boxes, he said.
"At 5 to 10 percent of those emails are suspicious and we have flagged them," he said. "It's another layer of security."
Basic email hygiene also helps
One of the common elements of many of the spearphishing scams is that the identity of the sender of the email is fraudulent.
And there are some basic things that companies can do to guard against some of these attacks.
Most attacks, in the end, are common attacks, by unsophisticated attackers, said Oliver Muenchow, founder and CEO at Lucy Phishing GmbH, who gets paid to spearphish companies to test their security processes.
"But the really structured ones, targeted against the company, those are really hard to defend against," he added. But folks without technical skills and those looking for lowest-hanging fruit will be deterred.
For example companies should check that they are using SPF, DKIM and DMARC effectively. These are common approaches to verifying the authenticity of email messages.
"In an ideal world, everyone would use DMARC," said Bill Leddy, chief architect at ZapFraud. "But not all senders use DMARC and not all receivers use DMARC."
ZapFraud's fraud-detecting firewall product uses DMARC among other indicators to catch fraudulent emails.
DMARC ensures that an email that pretends to be from, say, your company CEO is actually from your company CEO, and that the email from the bank is actually from the bank.
"It solves the problem of fake domains where the sender and receiver both use DMARC," he said. "I've seen that Microsoft and Gmail are going to be raising the bar, and if something isn't signed by DMARC, they will indicate it."
[ MORE SCAMS: From start to finish, inside a PayPal Phishing scam ]
It won't catch the email from a fake Gmail account, because it is, in fact, from Gmail, and there are many other blind spots as well.
But it's a first step.
"You'll be surprised how many people don't deploy it," said Ryan MacDougall, senior penetration tester at Coalfire Labs.
In addition, if the email servers aren't configured correctly, scammers can create email messages that look like they came from those very servers.
"It's rare that people actually block emails based on SPF records, and DKIM signing is the same thing," he said. "People are afraid to block legitimate email and don't take the time to properly test it. And if legitimate emails get blocked they just wind up turning it off. But the ones who do have the time to set it up are a little bit safer than the rest."
Another basic technique is to check for new domain registrations, which will not only help companies spot potential spearphishing attacks, but also helps guard against cybersquatting and malicious emails targeting outside users.
This is a common service offered by brand protection firms, said MacDougall.
"It's worth it for companies to look for these new domain registrations because it's hard to users to recognize them," he said. "Minor changes can be almost invisible to the end users."
For example, he said, "M" can be switched for "RN" -- in lower case, the two look almost identical.
When hired to do a penetration test, that's one of the first things he does, he said.
"We'll either try to get company.co or company.us, because most companies don't register those top-level domains," he said. "When we can't do that, we'll throw in mixed letters."
Another step that companies can take when they notice a spoofed domain is to spend a little time investigating who set it up, and what else they're doing, said DomainTools' Helming.
Once an attacker has picked a target, they might keep coming back with new approaches.
"If you block off all of their domains, not just the first one, you can protect yourself from future attacks," he said.
He also recommended that companies record the forensic data of spearphishing emails.
[ ANOTHER PHISHING ATTACK: Inside a phishing attack ]
"You can unlock a tremendous amount of information that you can use to protect yourself or share with investigators," he said.
Meanwhile, basic security measures such as anti-malware and document loss prevention technologies can also help reduce the overall risk of successful spearphishing scams.
Removing unnecessary privileges also helps, said Joseph Opacki, vice president of threat research at PhishLabs.
"If those accounts or computers are compromised, then they are not going to have as large an impact on your organization," he said.
But at the end of the day, no solution is going to catch all attempts to scam company employees.
"We believe it's a people, process, technology issue," he said.