Luckily for Lyndon Brown, employees at US hotel company Wyndham International are well-trained. They know that email from the IT department always comes from the vice president of customer service in IT. So when some employees got a message from email@example.com that said IT would delete their email accounts if they didn't respond with their passwords, they didn't bite. Instead, two employees forwarded the message to Brown, Wyndham's manager of strategic support systems.
The employees' suspicions were well-founded. The message was not from IT, but had slipped through the company's email gateway from the outside because a spoofed "from" address made it look like an internal message.
No harm came of the message because no one responded to it. In fact, no one could have, since the return address was invalid. But the incident gave Brown pause. Had the return address been usable and employees less cautious, it could have been disastrous. "If a user had put in his name and password, he would have been giving access to the network away," he says.
Any company with corporate data worth safeguarding should be concerned about phishers who might pose as an internal department to trick employees into giving up passwords to corporate systems.
"Every company is vulnerable to internal phishing," says Matt Cain, senior vice president of Meta Group. "It's a matter of how strong your spam defenses are."
If they're not strong, watch out. Cain knows of one phisher who launched an attack against a company, systematically emailing thousands of possible addresses in the company's domain to see which ones were valid.
A week later, the phisher launched a second attack, culled the new addresses from the second week's list and sent that group a message purporting to be from IT. The message asked users to verify their passwords. Several new employees didn't know any better and complied. Although Cain doesn't know whether the phisher actually got at corporate data, IT nevertheless had to mop up.
At Wyndham, after IT got spoofed three times in eight months, Brown decided to shore up his spam defences by implementing MailFrontier's antifraud feature, which tells users when messages have been quarantined because they look fraudulent.
He's also trying to raise employees' awareness of what should and shouldn't arrive in email, and is considering developing an online tutorial on email dos and don'ts. In addition to investing in technology, Brown also appeals to a higher power. "I say a prayer every now and then," he says.