"Previously, it was typical for company employees to communicate by email and to make transfers of funds--even overseas," said Troy Police Sgt. Meghan Lehman. "But in this case, someone hacked the account of the sender requesting the funds. And then [it] was days later before anyone questioned the transaction and learned they had been hacked."In a spear-phishing (or whaling) campaign, attackers use personalized emails to lull a victim into a sense of familiarity with the sender so that they will be more inclined to click on a suspicious link, download a malicious email attachment, or send over sensitive company information, including W-2 information.
"To be honest we're seeing both types of whaling on the rise. There is evidence to suggest the cyber criminals are using malware resident on the machine, such as Dridex, to give them enough intelligence on a target to help them decide what type of attack to carry out," Scott-Cowley told SCMagazine in an email. "So an HR user might be targeted with a W-2 style attack, whereas a finance user would be stung with financial fraud. Then again domestic or low-value targets might just be sent a crypto malware instead, so as to extort a few hundred Bitcoin from them."
Since suffering the spear-phishing attack, Pomeroy has alerted its insurer to the theft. The company has also revised its internal policies so that money transfers of a similar size will need to be processed by a method other than email in the future. News of this attack follows just weeks after an unidentified American corporation lost $100 million in a successful spear-phishing attack.