When you receive an email from a purported prince asking for help to transfer money, you have learned by now to delete it and never, ever click on any links it contains. But what would you do if you got an email from your CEO asking for sensitive corporate information?
That's exactly the situation faced by about 20 U.S. Steel Corp. employees who received an email in early 2010 from the then-CEO John Surma. But that email wasn't from Surma at all. It was instead the vanguard of a sophisticated cyber attack by a group of tech-savvy Chinese military officers bent on gaining access to U.S. Steel's computer systems, according to a federal indictment released Monday.
At least one, and possibly several, U.S. Steel (NYSE: X) employees fell for the trap, allowing the hackers to install malware that helped them gain access to the steelmaker's system.
That's a technique called spearphishing, in which specific people, usually at a particular company, are targeted in an attempt to gain access to its computer systems. It is an increasingly common way for hackers to get into places companies don't want them.
"They're selecting the organizations they're going after with specific information," said Amy Baker, a vice president at Pittsburgh-based security firm Wombat Security. "They're crafting emails specifically for a particular person or individuals within an organization."
A hacker or social engineer needs only a bit of information, most of it publicly available, to craft a credible-looking email: not only the name and perhaps the email address of a high-placed executive like a CEO or CFO, but also social media postings that identify users of various networks as employees of a company.
"It makes it very easy for a cyber criminal to create a persona for someone who seemingly knows everything about you," Baker said.
A little bit of information here, another bit there, along with the hacker's tricks, is sometimes enough to fool employees who wouldn't think to question an email request from on high.
"They believe it's coming from a trusted source," Baker said.
Security companies like Wombat Security teach employees to look carefully at emails before they click on anything, no matter who they appear to come from. One lesson: stop and think about whether it's reasonable for that person, whoever it is, to ask for that information via email. Another is to hover over a suspicious link, without clicking, to see whether its real destination matches what it claims to be.
That link could lead to a malware download that compromises your computer, and your company's network, without you ever knowing it.
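The two checks described above, a sender who isn't who the display name suggests and a link whose visible text claims one destination while the href goes somewhere else, can be automated. The following is an added example, not code from the article or from Wombat Security; the message, the corporate domain `example-corp.com` and the lookalike domain `example-corp.co` are all constructed for illustration.

```python
"""Flag two spearphishing tells in an email: a From address outside the
expected corporate domain, and an <a> tag whose visible text names a host
that differs from the host the href actually points to (what a user would
see by hovering over the link). All sample data here is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare domain, with optional path.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:]\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def shown_host(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    m = DOMAIN_RE.fullmatch(text.strip())
    return m.group(1).lower() if m else ""


def href_host(href):
    """Host the link actually resolves to (what hovering would reveal)."""
    return (urlparse(href.strip()).hostname or "").lower()


def find_deceptive_links(html):
    """Return links whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown, actual = shown_host(text), href_host(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def sender_mismatch(msg, expected_domain):
    """Return the From address if its domain is not the expected corporate domain."""
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return addr if domain != expected_domain.lower() else None


def analyze(raw, expected_domain="example-corp.com"):
    """Run both checks over a raw RFC 822 message with a single HTML body part."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    return {
        "bad_sender": sender_mismatch(msg, expected_domain),
        "deceptive_links": find_deceptive_links(body),
    }


# Constructed sample: the display name looks executive, the address is on a
# lookalike domain, and the link text advertises the real intranet host while
# the href points at the lookalike one.
SAMPLE = """From: "Chief Executive" <ceo@example-corp.co>
To: staff@example-corp.com
Subject: Quarterly figures needed
Content-Type: text/html

<html><body>
<p>Please upload the Q1 figures here:
<a href="http://intranet.example-corp.co/upload">intranet.example-corp.com/upload</a></p>
<p>Thanks</p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Link text such as "click here" is deliberately not flagged, since it makes no claim about the destination; the check fires only when the visible text itself looks like an address and disagrees with the href, which is exactly the discrepancy a hover reveals.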
While corporate security defenses are improving all the time, Baker said the first line of defense is the end user. Companies are counting on users to report anything that doesn't sound right, and if a bad link is clicked, to report it immediately.
"Keeping it quiet is the worst thing that someone can do," Baker said. "A company can be losing information the entire time."