'Whaling' Through Fake Online Subpoenas

4/18/2008
Norbert F. Kugele

Over the last few years, we've all learned to be wary of e-mail "phishing" scams, which appear to be legitimate e-mails from financial institutions or other trustworthy organizations that alert you to an alleged problem with your account and invite you to click on a link to "correct" the problem. Of course, the e-mail is a fraud, and if you follow the instructions, you may end up giving crucial account access information to a scammer and maybe also wind up with malicious software on your computer that surreptitiously records all of your keystrokes.

A more polished variation of this scam is now targeting the personal information of top executives throughout the country, in the form of e-mails that look like an official subpoena from a federal court, ostensibly requiring the recipient to appear before a grand jury. Each fake subpoena is personalized to include the executive's name, phone number, company name and correct e-mail address. When an executive clicks a link within the document for further information, however, a program secretly downloads and installs software that later records keystrokes and sends the data to a remote computer over the Internet. A second piece of the attack allows the recipient's computer to be controlled from a remote location.

According to the New York Times, researchers who have analyzed the downloaded file say less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.

Because the targets of the fake subpoena so far have been high-income people, this latest attack is called "whaling," as opposed to the general online fakery that is commonly called "phishing."

Online scams are among the biggest threats to companies today, and the criminals are getting more and more sophisticated. Because these scam e-mails are often received on work computers, they pose a threat not only to the individual who is targeted, but to the security of your company's information systems. To protect your information systems, you not only need technical controls, but you must also train your work force to be suspicious of these kinds of e-mails.
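The "technical controls" mentioned above can include a simple mail-gateway heuristic aimed at exactly the lure described in this alert: a message that talks about a subpoena or grand jury while its links lead somewhere other than the federal judiciary's own domain, or whose visible link text names a different host than the one the link really points to. The following Python script is an added illustration written for this page, not code from Warner Norcross & Judd or from the researchers cited. The allow-listed suffix `uscourts.gov`, the lure terms, and the three sample e-mails (including the documentation-range address 198.51.100.23) are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a genuine federal court notice would link only to the
# judiciary's own domain. Extend the tuple to match local policy.
TRUSTED_COURT_SUFFIXES = ("uscourts.gov",)

# Words that, combined with an untrusted link, mark the "fake subpoena" lure.
LURE_TERMS = ("subpoena", "grand jury")

# Matches a host-like token (optionally prefixed with a scheme) in visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of an href, lower-cased; empty string if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def shown_host(visible_text):
    """Host named in the visible link text, if the text looks like a URL."""
    match = _HOSTLIKE.search(visible_text.lower())
    return match.group(1) if match else ""


def is_trusted_host(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_COURT_SUFFIXES)


def analyze_message(subject, html_body):
    """Return human-readable findings for one message; an empty list means no flag."""
    findings = []
    text = (subject + " " + html_body).lower()
    lure_hits = [term for term in LURE_TERMS if term in text]
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        href_host = host_of(href)
        displayed = shown_host(visible)
        # Link text that names one host while the href goes to another is a deception signal.
        if displayed and displayed != href_host:
            findings.append(f"link text shows {displayed} but href goes to {href_host}")
        # Court-themed wording plus a link to an untrusted host is the whaling pattern itself.
        if lure_hits and not is_trusted_host(href_host):
            findings.append(
                f"'{', '.join(lure_hits)}' lure links to untrusted host {href_host}"
            )
    return findings


# Constructed sample messages (not real mail): a fake subpoena, an ordinary note,
# and a court-themed message whose link actually stays on the trusted domain.
SAMPLE_MESSAGES = [
    {
        "subject": "Subpoena in a civil case",
        "body": '<p>You are commanded to appear before the grand jury. '
                '<a href="http://198.51.100.23/subpoena.exe">'
                'www.uscourts.gov/subpoena/12345</a></p>',
    },
    {
        "subject": "Lunch Thursday?",
        "body": '<p>Menu here: <a href="https://example.com/menu">example.com/menu</a></p>',
    },
    {
        "subject": "Grand jury subpoena forms",
        "body": '<p>Forms: <a href="https://www.uscourts.gov/forms">www.uscourts.gov/forms</a></p>',
    },
]


def scan_samples():
    """Run the heuristic over the constructed samples; returns one findings list per message."""
    return [analyze_message(m["subject"], m["body"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for message, findings in zip(SAMPLE_MESSAGES, scan_samples()):
        verdict = "FLAG" if findings else "ok"
        print(f"[{verdict}] {message['subject']}")
        for finding in findings:
            print("    -", finding)
```

The point of the third sample is that a keyword match alone is not a verdict: a message about a subpoena that links only to the trusted court domain passes, while the first sample is flagged twice, once for the mismatch between the displayed and actual host and once for the lure pointing at an untrusted address. A real deployment would feed the findings into quarantine or user-warning logic rather than printing them.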

Warner Norcross & Judd battles these scams through its Privacy and Information Security Group. The group takes a cross-disciplinary approach to privacy issues by drawing on experienced attorneys in banking, health care and human resources to ensure businesses meet their legal obligations to protect electronic data and information systems. Members of the team review information security policies, audit third-party contracts, develop information security programs and train employees.

Additionally, our Rapid Response Team works with businesses that experience a data breach to limit liabilities, protect customer relationships and prosecute data thieves.

If you have questions regarding this issue or any other privacy and information security matter, contact a member of Warner's Privacy and Information Security Group.