First, if you don’t know what Phishing is:
A Phishing scheme typically involves a victim being tricked into giving up information that can be later used in some kind of scam. The information is often sought through an email, a phone call, or a text message. Phishing is a very common element in many types of internet scams that can target thousands of people at once in the hopes that one or two will be fooled.
Spear Phishing is a new attack
It is a more targeted type of phishing. Spear phishing involves bespoke emails being sent to well-researched victims. The aim is to either infect devices with malware or convince victims to hand over information or money. It is hard to spot without close inspection and difficult to stop with technical controls alone.
It’s more dangerous because it is easier to trust, and harder to recognize.
Along with extremely focused targeting, spear-phishing campaigns contain a large reconnaissance element. Threat actors might start with emails harvested from a data breach, but supplement that with a host of information easily found online.
Social media makes it easy to research.
Social media such as LinkedIn and Twitter provide insight into roles, responsibilities and professional relationships within an organization, and thus help inform who is best to both target and impersonate. Company websites might provide insight into processes, suppliers and technology, while the likes of Facebook and Instagram might provide personal insight into potential targets that could be leveraged.
How is all this information used against us?
A scammer can pretend to be the victim and contact the HR department and convince them to change existing payroll direct deposit accounts to those set up by the criminals. A more common example is attackers pretending to be suppliers and requesting a change in invoicing details.
Here is a Spear Phishing Example
For the past six months or so, there has been an email scam from “bosses” requesting that you purchase gift cards on their behalf. For example,
It’s not odd for employees to get real emails like this from the boss. As an employee, you want to help, so you may not think to recheck the request.
How to safeguard your workforce and organization from such attacks?
Organizations can put both technical and human controls into place to mitigate the threat of spear phishing. Along with standard controls such as spam filters, malware detection and antivirus, companies should consider phishing simulation tests, security awareness training programs, and having an established process for users to report suspicious emails to the IT security team.
One simple way businesses can counter threats like business email compromise is to tag emails at the gateway as they arrive, putting 'external' in the subject line. That will not stop an attack, but it may prompt end users to consider that something might not be right.
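One way to implement the gateway tagging just described, as an added example that is not Britec's code: it marks mail from outside the organization and additionally flags a sender whose display name matches a staff member, which is the "boss" impersonation pattern above. The internal domain and staff name lists are assumed values, and the sample message is constructed.

```python
# Added example (not Britec's code): tag mail from outside the organization at the
# gateway. INTERNAL_DOMAINS and STAFF_NAMES are assumed values; SAMPLE is constructed.
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}           # assumption: the organization's own domains
STAFF_NAMES = {"jane boss", "alice smith"}   # assumption: display names from the directory
EXTERNAL_TAG = "[EXTERNAL]"
IMPERSONATION_TAG = "[NAME MATCHES STAFF]"

def sender_parts(msg):
    """Return (display name, domain) of the From: header, both lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def tags_for(msg):
    """Subject tags the message should carry; an empty list means internal mail."""
    name, domain = sender_parts(msg)
    if domain in INTERNAL_DOMAINS:
        return []
    tags = [EXTERNAL_TAG]
    # A colleague's display name on an outside address is the classic "boss" spear-phish tell.
    if name in STAFF_NAMES:
        tags.append(IMPERSONATION_TAG)
    return tags

def tag_external(raw):
    """Parse a raw RFC 5322 message and prepend any tags to its Subject.
    Idempotent: tags already present (e.g. on forwarded mail) are not repeated."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    prefix = " ".join(t for t in tags_for(msg) if t not in subject)
    if prefix:
        del msg["Subject"]                     # no error if the header is absent
        msg["Subject"] = f"{prefix} {subject}".strip()
    return msg

# Constructed sample: the display name says "boss", but the address is a webmail account.
SAMPLE = """From: Jane Boss <jane.boss@gmail.com>
To: alice@example.com
Subject: Quick favour - need gift cards today

Are you at your desk? I need some gift cards for a client.
"""

if __name__ == "__main__":
    print(tag_external(SAMPLE)["Subject"])
```

A real gateway would apply the same logic as a transport or milter rule; the substring check keeps the tag from stacking up when tagged mail is forwarded back in.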
Britec is here to help.
If you need some help either dealing with an existing threat, or you want to prevent new threats – consider contacting the team at Britec – we can help.