We covered ‘what is phishing?‘ in my last post, so now we’re on to phishing’s slightly more serious big brother – ‘spear phishing’:
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. – Search Security: Tech Target
The difference is one of targeting. A phishing message is sent in bulk to as many people as possible and usually impersonates a well-known service provider (a bank, a courier, a webmail provider), betting that some fraction of recipients will bite. A spear phishing message is crafted for a specific person or organization and appears to come from a source that recipient already trusts; in many cases it poses as a colleague or executive at the recipient's own company. The attacker's goal is to use that trust to get the recipient either to carry out a task, such as a funds transfer, or to hand over confidential information such as login credentials, which then give the attacker access to company data.
Why do people fall for spear phishing attacks? In many cases the employee is simply doing what looks like a reasonable request from an executive at their own company. A spear phishing attempt that gets these 3 things right will probably succeed:
- The email must appear to come from a known and trusted person
- The layout, tone and signature must match what the purported sender would really send
- The instructions must be logical and believable, so the recipient acts on them without stopping to verify
Examples of spear phishing attacks: Business Email Compromise (BEC), the scenario described above, is the type of spear phishing attack that saw the biggest increase in 2015: the FBI's Internet Crime Complaint Center (IC3) reported a 270% rise in identified victims and exposed losses!
Here are 3 ways that the CSO Online report "2016 phishing trends reveal new tricks, targets" says companies make it easy for scammers to pose as executives:
- Posting full names, titles and email addresses for executive team members on company websites
- Posting personal names, email addresses, and direct numbers in accounting/billing contact information
- Using a consistent, predictable scheme for email addresses (first name, dot, last name, for instance), so that an executive's address can be guessed from their name alone
How to avoid spear phishing attacks: There are many ways to avoid becoming a victim of a spear phishing attack, but most of them come down to regularly educating your employees about the kinds of attacks they may encounter. The FBI recommends these precautions against BEC scams:
- Verify changes in vendor payment location and confirm requests for transfer of funds.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create intrusion detection system rules that flag e-mails whose sender domain is similar to the company's own domain but not identical. For example, a .co domain in place of the company's .com.
- If possible, register all Internet domains that are slightly different from the actual company domain, so that an attacker cannot.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
I would also add: put a system in place that monitors end-user logins. If your CEO's or CFO's email account is compromised, you would know straight away, because the attacker's sign-in would be flagged as coming from an IP address, country or device that the executive does not normally use.
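What such login monitoring looks like in practice, as an added example that is not part of the original post: it builds a per-user profile of countries and devices from a baseline window of sign-in records, then alerts on any new sign-in from a country or device outside that profile, and also on "impossible travel", where two consecutive sign-ins are too far apart to have been made by the same person. The JSON log lines, the list of watched executive accounts and the 900 km/h speed threshold are all constructed assumptions for this example.

```python
"""Flag sign-ins from an unfamiliar country or device, or that imply impossible
travel from the previous sign-in, with extra severity for executive mailboxes.

Added example, not from the original post. The log lines, WATCHED accounts and
MAX_SPEED_KMH are constructed assumptions for illustration."""
import json
import math
from datetime import datetime

# Accounts whose compromise typically precedes a BEC wire request (assumed).
WATCHED = {"ceo@example.com", "cfo@example.com"}
MAX_SPEED_KMH = 900.0   # faster than an airliner between sign-ins => impossible travel

# Constructed sign-in records, one JSON object per line, in the shape an identity
# provider or mail server audit log might emit (geo fields from IP lookup).
BASELINE_LOG = """
{"ts": "2016-02-28T09:00:00+00:00", "user": "cfo@example.com", "ip": "203.0.113.10", "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "laptop-01"}
{"ts": "2016-02-28T18:00:00+00:00", "user": "cfo@example.com", "ip": "198.51.100.7", "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "phone-01"}
{"ts": "2016-02-28T14:00:00+00:00", "user": "alice@example.com", "ip": "192.0.2.44", "country": "US", "lat": 40.7128, "lon": -74.0060, "device": "laptop-a1"}
""".strip().splitlines()

NEW_LOG = """
{"ts": "2016-03-01T08:00:00+00:00", "user": "cfo@example.com", "ip": "203.0.113.10", "country": "GB", "lat": 51.5074, "lon": -0.1278, "device": "laptop-01"}
{"ts": "2016-03-01T09:00:00+00:00", "user": "alice@example.com", "ip": "192.0.2.44", "country": "US", "lat": 40.7128, "lon": -74.0060, "device": "laptop-a1"}
{"ts": "2016-03-01T10:00:00+00:00", "user": "cfo@example.com", "ip": "192.0.2.200", "country": "NG", "lat": 6.5244, "lon": 3.3792, "device": "unknown-win7"}
""".strip().splitlines()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse(line):
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def build_profiles(events):
    """Per-user set of countries and devices seen during the baseline window."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e["user"], {"countries": set(), "devices": set()})
        p["countries"].add(e["country"])
        p["devices"].add(e["device"])
    return profiles


def detect(baseline_lines, new_lines):
    """Return (user, code, detail, severity) alerts for the new sign-ins."""
    baseline = sorted((parse(line) for line in baseline_lines), key=lambda e: e["ts"])
    profiles = build_profiles(baseline)
    last_seen = {e["user"]: e for e in baseline}   # latest baseline event per user
    alerts = []
    for e in sorted((parse(line) for line in new_lines), key=lambda e: e["ts"]):
        user = e["user"]
        sev = "high" if user in WATCHED else "medium"
        p = profiles.setdefault(user, {"countries": set(), "devices": set()})
        if e["country"] not in p["countries"]:
            alerts.append((user, "new-country", f'{e["country"]} from {e["ip"]}', sev))
        if e["device"] not in p["devices"]:
            alerts.append((user, "new-device", e["device"], sev))
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible-travel",
                               f"{km:.0f} km in {hours:.1f} h", sev))
        # A flagged country or device is deliberately NOT added to the profile:
        # an attacker's repeat logins must keep alerting until a human confirms them.
        last_seen[user] = e
    return alerts


if __name__ == "__main__":
    for user, code, detail, sev in detect(BASELINE_LOG, NEW_LOG):
        print(f"[{sev}] {user}: {code} ({detail})")
```

Running the constructed logs through `detect` produces three high-severity alerts, all for the CFO's account: a sign-in from a new country, from a device never seen before, and one that would have required travelling about 5,000 km in two hours. The two ordinary sign-ins from known locations and devices produce nothing. In a real deployment the profile window would be weeks rather than a day, and the alert would be routed to whoever can freeze wire approvals for that mailbox until the sign-in is confirmed.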