Most internet users are aware of ordinary phishing: blanket emails sent out en masse, carrying links to malicious sites that try to harvest personal information, and most have taken basic steps to protect themselves from this and other cyber threats. But as the internet evolves, so does the nature of the threat, and a more targeted and more dangerous form of phishing, dubbed spear phishing, has emerged.
Where phishing takes the form of thousands of generic emails sent out in the hope that someone will bite, spear phishing is aimed at a specific organisation or individual, using information gathered from the web to make the email look genuine. The message appears to come from a legitimate address within an organisation and contains enough accurate detail about the company to seem real.
For example, an email is sent to the clients of XYZ manufacturers, seeming to originate within the company, informing the recipients of a change in banking details. The mail appears genuine: it carries the XYZ letterhead and company registration information and is addressed by name to someone in the client’s accounts department. The clients take it at face value that the banking details have changed and make their next payments into the ‘new’ account, which in reality is controlled by the perpetrator, leaving the client out of pocket, XYZ unpaid, and the criminals richer. This payment-diversion scam (often called invoice fraud) is a common form of spear phishing and frequently yields direct results, but other forms use malicious links and attachments, much like ordinary phishing.
Spear phishing attackers begin with internet reconnaissance, gathering publicly available information from company websites, news announcements, blogs, social media, chat rooms and so on to build up their knowledge of the target: who works there, who their clients and suppliers are, and how their email is formatted. This information is used to set up a spoofed or look-alike sender address that appears to belong to the company, and to construct a message likely to trick the recipient into clicking a link, opening an attachment or, as in the example above, paying funds into a false bank account. If the recipient clicks the link or opens the attachment, malware is installed on their machine to steal information such as passwords and documents, which can then be used to access internet banking or other sensitive systems.
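The two technical tells described above, a sender address that imitates the company’s real domain and a Reply-To that quietly redirects responses, can be checked mechanically before anyone acts on a message. The script below is an added example, not code from the original article or from Symantec: it parses a raw email, flags a Reply-To domain that differs from the From domain, flags domains that are look-alikes of a trusted domain (by a small edit distance or by common character substitutions such as “rn” for “m”), and flags payment-change wording of the kind used in the XYZ example. The trusted domain list, the confusable table and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Assumed for the example: domains the recipient genuinely does business with.
TRUSTED_DOMAINS = {"xyz-manufacturers.com"}

# Wording typical of a payment-redirection lure.
PAYMENT_CHANGE_PATTERNS = [
    r"\bbank(ing)? (account )?details?\b",
    r"\bnew (bank )?account\b",
    r"\baccount (number |details? )?(has|have) changed\b",
]

# Character sequences commonly substituted to imitate a legitimate domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Constructed sample: From is the real XYZ domain, Reply-To is a look-alike.
SAMPLE_EML = """\
From: XYZ Accounts <accounts@xyz-manufacturers.com>
Reply-To: accounts@xyz-rnanufacturers.com
To: payables@client.example
Subject: Updated banking details for future payments

Dear Sir/Madam,
Please note our bank account has changed. Use the new details attached.
"""

# Constructed sample: a benign message from the real domain.
CLEAN_EML = """\
From: XYZ Accounts <accounts@xyz-manufacturers.com>
To: payables@client.example
Subject: Order confirmation

Thank you for your order; it will ship on Monday.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalise(domain: str) -> str:
    """Collapse confusable sequences so 'rnanufacturers' compares equal to 'manufacturers'."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def assess(raw_message: str) -> List[str]:
    """Return human-readable findings for a raw RFC 822 message (empty list if nothing is suspicious)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])

    # Replies going somewhere other than the apparent sender is the classic diversion tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Either header may carry a domain crafted to resemble a partner's real one.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        imitated = lookalike_of(dom) if dom else None
        if imitated:
            findings.append(f"{label} domain {dom} looks like trusted domain {imitated}")

    # Payment-change wording alone does not prove fraud, but it always warrants an out-of-band check.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS):
        findings.append("message requests a change of bank/payment details; verify by phone before paying")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, assess(raw) or ["no findings"])
```

Note that a passing result proves nothing on its own: a sender whose real mailbox has been compromised will produce a clean From, a clean Reply-To and a legitimate-looking thread, which is why the out-of-band call in the article’s advice remains the decisive check.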
Where phishing is a faceless, nameless phenomenon, spear phishing is far more personal and as a result more difficult to detect, and cyber crime syndicates are using this method more and more to steal money and sensitive information from organisations. And while many cyber threats can be countered by installing security software, security software alone cannot reliably stop spear phishing, because the deciding factor is a person being persuaded to act. To protect themselves, people need to go back to basics.
The best protection against spear phishing is to understand the nature of the threat and then apply common sense and direct communication to counter it. People who understand how these attacks are constructed will be more suspicious when they receive such an email and will not be as easily misled.
Never open an attachment or follow a link from a source you are not certain can be trusted. This is harder than it sounds, because spear phishing is designed to look like it comes from a genuine source, so caution should be exercised with all links and attachments. Security software can help by detecting known malicious links and attachments, but it is not foolproof, and education, awareness and knowledge remain the best defence.
As in the case of XYZ manufacturers, if an email announces information such as a change of bank details, the recipient should verify it directly with the organisation that supposedly sent it, using a phone number or contact already on file rather than any number, address or link given in the email itself, since those may also belong to the attacker.
If an email appears to come from a bank, never act on it directly. Legitimate banks do not ask customers to send personal information or credentials over email, and any link in such a message should be ignored in favour of typing the bank’s address into the browser yourself or phoning a known number.
Spear phishing is sophisticated, difficult to detect and a rising threat to people and organisations. Countering it takes common sense and direct, person-to-person communication. At the end of the day the best advice is: when in doubt, check it out. Know the facts, verify the validity of the email, and don’t get caught.
By Fred Mitchell, Symantec Division manager at Drive Control Corporation