Barclays has stepped up its email security for all staff members, after its CEO Jes Staley was tricked into emailing with someone pretending to be the bank’s chairman, John McFarlane.
Staley had a full email conversation with the person, reportedly a disgruntled customer. The ploy was simple—the person merely set up a free Gmail account with the user name john.mcfarlane.barclays. Then, just after the financial giant’s annual meeting, he or she sent a mail with the subject line, "The fool doth think he is wise."
Inside, the hoaxster called a shareholder who called for Staley’s resignation in the wake of a whistleblower controversy, "as brusque as he is ill-informed," and proceeded to tell Staley in rather floral language that he had his back. He ended with, "Surely the fickleminded [sic] nature of the angry few will help tie up any loose ends. You owe me a large Scotch."
Staley responded with a sort of “talking-to-the-boss” enthusiasm: "You came to my defense today with a courage not seen in many people. How do I thank you? You have a sense of what is right, and you have a sense of theatre. You mix humor with grit. Thank you John. Never underestimate my recognition of your support. And my respect for your guile."
The disgruntled customer sent back a poem where the starting letters of each line spell out “whistleblower”.
Staley was of course none the wiser until someone—presumably MacFarland himself—tipped him off that whoever he was conversing with was not actually the chairman.
In the wake, Barclays has implemented messages for staff alerting them to when they email an external email address, and the recipient’s full email address are always displayed.
The incident, even though it was more of a harmless prank than anything else, brings up the broader issue of the pervasiveness of impersonation attacks like whaling.
“The experience here of Jes Staley with email impersonation is unfortunately very common globally,” said Matthew Gardiner, cybersecurity strategist for security company Mimecast, via email. “However, in this case, Barclays was very lucky as most impersonation attacks are executed by money-focused cyber-criminals. In fact, the FBI recently reported that impersonation attacks via email impact organizations on the order of billions of dollars.”
He added, “Relying on individuals to discern the difference between real and fraudulent emails is not a sufficient defense.”