As far as some people are concerned, if you're a CEO, you're a whale.
No, that doesn't mean you could stand to lose a few pounds-it means you could be a victim of "spear phishing" scams. Why? Because you have access to the files or inside information crooks want.
You could be a target, and so could your business accounts. After all, why would criminals want to scam someone who has an account balance of $500 and a credit card with a $1,000 limit when they could tap into accounts with $250,000 or credit cards with a $100,000 maximum?
Business accounts are a growing portfolio segment at many credit unions, and it's important to protect them. A study by Guardian Analytics found that although executives are careful about e-mails involving their personal accounts, they can still be tricked by clever messages claiming to come from the IRS, FBI and other institutions.
When they were hit by scammers, 40% moved their business banking to another institution. Eleven percent moved everything, and 29% shifted their primary cash management services.
Peter Cassidy, secretary general of the Anti-Phishing Working Group, said spear phishing is a growing problem.
"Attacks on small businesses have become much more frequent," he said. Scammers want to get to people who have executive authority. Financial institutions are also targets.
"They're focusing their attention away from consumer account phishing to corporate account phishing. If they find someone who has $50,000 signature authority, their day is made. The credit union needs to be aware that every single executive or officer or management professional who has signature authority is absolutely a target."
But how do crooks gain the confidence of CEOs and other top executives and get valuable inside information from them? They do their homework, often on the Internet, and learn as much as possible about their targets. For example, a caller may introduce himself as someone you served with on a panel several years ago.
"Things that look legitimate, and appear to be genuine requests for information, might be fraud," Cassidy warned.
A popular scheme involves vendor phishing. Let's say Acme Office Supplies, a longtime vendor, sends notice of a change of address and bank. The people in accounting diligently record the change. An invoice from Acme soon arrives and is paid.
The only problem is the original notice didn't come from Acme. It was generated by a scammer who had learned that Acme was a vendor to the business being scammed.
As financial institutions, credit unions are indeed targets. APWG reports show that by the end of 2009, financial services was the No.1 industry targeted by phishers, with 39% of all attacks directed at the financial sectors. Payment services ranked second at 33%.
A credit union merger-so common today-may also trigger a phishing attack. The crooks read about two credit unions merging, and send out a mass message to all the e-mail addresses they can find in the area codes served by the two credit unions. The e-mail indicates the credit union needs an account number and other information to reauthorize the member's account. The merger becomes the hook to persuade the member to provide information the scammer needs to access the account.
As for scammers giving priority to businesses, Cassidy envisions a clever crook checking business directories in the area codes affected by the merger and sending a similar e-mail to the businesses. If one of them happens to be a business member and falls for it, the scammer notches up another success.
A credit union that has worked for years to establish its brand may be a target. Once only the largest banks were targeted, APWG said. Now banks, credit unions and businesses of all sizes are seeing their names exploited in a variety of fraud schemes.
The prime example of an attack on a financial institution, Cassidy said, is the 2008 scam against Citibank by Nigerians who deceived the bank into wiring $27 million to banks in six or seven countries. The transfer was based on a fake Ethiopian central bank document.
Scammers are also getting very skilled at making deceptive phone calls, Cassidy said.
"The phone call is probably the most dangerous," he said. "They can really get good at it after a few years. That guy on the phone who claims to be from NCUA and wants a little bit of information to finish a report may be a gangster. It's a weird way to look at the world, but that's the way it is.
"Don't let an inbound call tell you what you're going to hand over. The request can wait for five minutes. Most of your correspondents already have the information they need. Even if you recognize the name, go to the normal directories you've used for some years. Make an outbound call and ask if they indeed phoned you."
Robert Siciliano, a personal security and identity theft columnist, received an e-mail inviting him to speak at Middlesex University in London. After a back-and-forth exchange, the contact agreed to a handsome speaking fee and asked Siciliano to send more than $800 to cover processing fees for documents from British authorities.
Unfortunately for the scammer, he picked the wrong target. Siciliano's background in security allowed him to recognize the scheme for what it was. But the fact that the crook knew so much about him illustrates how thorough the scammers can be.