Scam Alert: Spear Phishing
06 Mar 2018
We posed a few questions about spear phishing—what it is and how to avoid being a victim—to Bob Kyriakides, founder of Digital Hero, Here’s what he had to say.
Most of us have had some exposure to email scams over the years. Maybe it was the one from Nigerian royalty or perhaps the “friend” stuck overseas looking for an influx of cash. These days, there’s a new and even scarier con going on. It’s called spear phishing and it’s a targeted email attack aimed at both businesses and individuals.
Q. What are criminals hoping to get from you?
A. Unlike a phishing email which is indiscriminate, a spear phishing email is personalized and highly targeted. For example, attackers will research an organization, its staff, their online presence, emails, etc. to learn as much as possible about their target. This allows the attacker to draft as convincing an email as possible to fool the intended victim into opening it and clicking on the links or attachments it contains.
The attackers are typically interested in two things: (1) stealing financial and or personal information for use in identity theft or for their resale value; and (2) tricking you into clicking on links or attachments that will install malicious software in your computer. That software will compromise your computer and potentially spread the infection across your network allowing more data to be extracted from you and/or your organization as a whole.
Q. What are some of the hallmarks of spear phishing?
A. Spear phishing emails will appear to come from someone you know and or trust. They could come from a “friend” or a business such as your dentist’s office asking you to schedule an appointment via a link. The person in the email will use your name and may even know details about you. Often, after an attack, the victim will say that there was something odd about the message, but they just couldn’t put their finger on it. That’s because while spear phishing emails have the right content, they are typically missing the flavour such as the author’s style of writing.
Q. Are there best practices to follow to help avoid a phishing attack?
A. Attackers bank on people rushing through emails. Slow down and really read an email. By slowing down, you give your subconscious those extra few seconds to help you realize something is wrong with the style of an email. If you suspect an email doesn’t “sound” like one the sender would have sent, ask via phone or text (don’t email). To check if it’s a spear phishing attempt from a desktop or laptop computer: if using Windows, hover over the “from” and then the “reply to” addresses until the pop-up tool tip for each one appears. For Mac users, click the down-facing “v” to the right of the “from” and then the “reply to” addresses to reveal their true addresses.
On a mobile device (both Android and IOS), click and hold on the “from” and “reply to” addresses until the pop-up tool tip for each one appears. The pop-up tool tip displays the true email address hidden under the one we can see when we open the email. If either visible email address fails to match up with its revealed counterpart, you have a spear phishing email.
(An important caveat: Although the pop-up tool-tip technique works the majority of times, this method isn’t foolproof. That’s because spammers have been using email “ghosting” or “spoofing” for years to make fake emails look like they come from legitimate addresses—even yours. If you have any doubt about the legitimacy of an email, always err on the side of caution and pick up the phone and check with the sender.) Do not open any links or attachments contained in the email.
Tell your IT department, your colleagues (so they can be vigilant, too), and contact the authorities if it’s an attempt to steal financial data and finally, if advised, delete the email.
If you do accidentally open any links or attachments, immediately turn your device off and disconnect it from the Internet. That device is compromised and by shutting it down you may prevent a network-wide infection. Your anti-virus will not help you because the malware used in spear phishing attacks is often designed with countermeasures to most if not all anti-virus software.
Spear phishing emails are drafted to penetrate firewalls (masked as legit emails from legit addresses), bypass anti-virus software and make their way to their intended targets. That places the onus to prevent spear phishing attacks squarely on each user. Each of us becomes the last line of defence.
Education & Awareness
In addition to ensuring you have strong IT security and measures in place, it’s critical for team members to understand the important role they each play. Make cyber security a priority and be vigilant about ongoing team education and awareness. For example, train employees to use caution when on the Internet, and how to recognize and avoid phishing attempts.
The founder of digitalhero.ca, Bob Kyriakides’ expertise includes disaster recovery, data privacy and security, and heroic data rescue. This article originally appeared in the Winter 2017 issue of Your Business magazine.