TechAdvisory.org

Technology Advice for Small Businesses

What is spear phishing?

Security_Feb17_COne of the most common threats to business and individual systems is phishing. This form of hacking is well known and many users have educated themselves on the more traditional methods used by hackers. This has forced hackers to come up with different phishing techniques, and one of the methods that is causing problems is spear phishing.

What is spear phishing?

Spear phishing is a specialized type of phishing that instead of targeting a mass number of users, as normal phishing attempts, targets specific individuals or groups of individuals with a commonality e.g., an office.

Generally a hacker will first pick a target and then try to learn more about the related people. This could include visiting a website to see what a company does, who they work with, and even the staff. Or they could try hacking a server in order to get information.

Once they have some sort of information, usually a name, position, address, and even information on subscriptions, the hacker will develop an email that looks similar to one that another organization might send e.g., a bank. Some hackers have been known to create fake email accounts and pose as a victim’s friend, sending emails from a fake account.

These emails are often similar to official correspondence and will always use personal information such as addressing the email to you directly instead of the usual ‘dear sir or madam’. The majority of these emails will request some sort of information or talk about an urgent problem.

Somewhere in the email will be a link to the sender’s website which will look almost exactly like the real thing. The site will usually ask you to input personal information e.g., an account number, name, address, or even passwords. If you went ahead and followed this request then this information would be captured by the hacker.

What happens if you are speared?

From previous attack cases and reports, the majority of spear phishing attacks are finance related, in that the hacker wants to gain access to a bank account or credit card. Other cases include hackers posing as help desk agents looking to gain access to business systems.

Should someone fall for this tactic, they will often see personal information captured and accounts drained or even their whole identity stolen. Some spear phishing attacks aren’t after your identity or money, instead clicking on the link in the email will install malicious software onto a user’s system.

We are actually seeing spear phishing being used increasingly by hackers as a method to gain access to business systems. In other words, spear phishing has become a great way for people to steal trade secrets or sensitive business data.

How do I avoid phishing?

Like most other types of phishing related emails, spear phishing attempts can be easy to block. Here are five tips on how you can avoid falling victim to them.

  • Know the basic rule of business communication – There are many basic rules of communication, but the most important one you should be aware of is that the majority of large organizations, like banks, social media platforms, etc., will not send you emails requesting personal information. If you receive an email from say PayPal asking you to click a link to verify your personal information and password, it’s fake and you should delete it.
  • Look carefully at all emails – Many spear phishing emails originate in countries where English is not the main language. There will likely be a spelling mistake or odd wording in the emails, or even the sender’s email address. You should look out for this, and if you spot errors then delete the email immediately.
  • Verify before you click – Some emails do have links in them, you can’t avoid this. That being said, it is never a good idea to click on these without being sure. If you are unsure, phone the sender and ask. Should the email have a phone number, don’t call it. Instead look for a number on a website or previous physical correspondence.
  • Never give personal information out over email – To many this is just plain common sense – you wouldn’t give your personal information out to anyone on the street, so why give it out to anyone online? If the sender requires personal information try calling them or even going into their business to provide it.
  • Share only essential information – When signing up for new accounts online, there are fields that are required and others that are optional. Only share required information. This limits how much a hacker can get access to, and could actually tip you off. e.g., they send you an email addressed to Betty D, when your last name is Doe.
  • Keep your eyes out for the latest scams – Pay attention to security websites like those run by the major antivirus providers, or contact us. These sites all have blogs where they post the latest in security threats and more, and keeping up-to-date can go a long way in helping you to spot threats.

If you are looking to learn more about spear phishing or any other type of malware and security threat, get in touch.