Video chatting with my Mom this weekend, she mentioned an email from her bank about fraud on her account. Before I could say anything, she told me that the email address “looked funny”, so she deleted the email and called her bank. Seeing the wide grin spreading across my face, she crinkled her nose and told me that she does sometimes pay attention when I go on and on about internet security.
I’m still grinning about it.
Because this is personal to me, this week I’d like to discuss the more personal version of a phishing attack.
By its nature, phishing is a spam attack, meaning that targets are nothing more than a list of email addresses, likely purchased off the dark web. In contrast, Spear Phishing is targeted at a specific individual, organization, or business. These attacks are typically an attempt to steal data, initiate a transfer of money, or install malware on a user’s computer.
How does it work?
Much like a standard phishing attack, it is delivered through email, using familiar formatting and logos. The big difference is in how it is targeted. A Spear Phishing attack is typically addressed to a specific person by name or role. This personalization can be the result of information gained from a previous phishing attack, a social engineering attack, or simple research.
And they look real. The email address in the “from” field is typically spoofed to look like it comes from a trusted domain, very often using simple tricks such as swapping the letter “o” for the number “0” (@amaz0n.org) or by using symbols, such as replacing a “w” with a “ω” (@2coωs.net). Between this, the use of company logos, and addressing the email to a specific person, it’s easy to see how this type of attack can be effective, but the hackers take it a step further, manufacturing a sense of urgency to perform an action before the facade falls apart.
Earlier Spear Phishing attacks revolved around sending zip files or infected PDF documents that executed malicious code on the computer when opened, with the email asking the person to open and review the documents immediately. Newer ones seek to get infected code onto file sharing sites such as Google Drive, where their influence and reach can be dramatically enhanced, but that isn’t the only type of attack. These emails can also include requests for sensitive information, instructions to purchase gift cards, or links to make purchases at fake websites. By using social media to get information on people, it’s easy for hackers to craft these emails to impersonate specific people, such as a manager or vendor, in order to distract the target.
It Is Personal
The vast majority of Spear Phishing attacks begin with data breaches and earlier successful phishing attacks. One of the many things we continue to mention is that it doesn’t matter who you are or what you do: your information has value on the dark web. Where a stolen email address will typically get you spammed with phishing attacks, your name, address, phone number, job title, and other such biographical data will make you a target for Spear Phishing attacks.
Using this stolen information, hackers will begin to delve into your life. They can use social media sites such as LinkedIn to discover information about you and your contacts, and delve further into platforms like Facebook, Instagram, and TikTok to add personal details to the emails. We tend to share a great deal of ourselves online, sometimes too much, and when our stolen information gets us unwanted attention, it makes it easy for hackers to make it personal.
Although businesses are their primary targets, hackers are opportunistic, not only in their attacks but also in selling that information to other hackers who will take advantage of it. If there is a way for them to make money off you and your information, they’re going to take it.
Thwarting These Attacks
While there are some technical things that can be done to prevent these types of attacks, such as installing antivirus and using spam filters, it is the human controls that are most effective. Security awareness and training combined with an established process for reporting suspicious emails is by far the best defense against Spear Phishing.
Identifying these types of attacks typically comes down to the details.
- Look at the domain name: is it correct?
- Think about the request or instructions: do you do this often?
- Check the legitimacy of that urgent message, especially if it’s an odd request.
- Trust your instincts, especially if you’re wondering why you received that email.
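The two look-alike tricks described above (the digit 0 for the letter “o”, a Greek ω for “w”) and the domain check in the list can be turned into a simple triage routine. The code below is an added example, not part of the original post; the trusted-domain list, the small confusables table and the sample messages are constructed for illustration.

```python
import unicodedata

# Constructed trusted-domain list for this example (not from the original post).
TRUSTED_DOMAINS = {"amazon.com", "2cows.net"}

# Minimal look-alike map: each character maps to the ASCII letter it imitates.
# It covers the post's two examples (0 for "o", Greek omega for "w"); a
# production check would use the full Unicode confusables table instead.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "ω": "w", "ο": "o",
               "а": "a", "е": "e", "і": "i", "ⅼ": "l"}

# Words that signal the manufactured urgency the post warns about.
URGENCY_WORDS = ("immediately", "urgent", "right away", "within 24 hours")


def skeleton(label: str) -> str:
    """Lower-case, NFKC-normalise and de-confuse one DNS label."""
    label = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    domain = domain.strip().lower()
    if "xn--" in domain:  # raw headers carry non-ASCII names as punycode
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            return "unknown"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # Compare the label just before the TLD, so amaz0n.org is caught even
    # though its TLD differs from amazon.com.
    label = domain.split(".")[-2] if "." in domain else domain
    if skeleton(label) in {skeleton(t.split(".")[-2]) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"


def triage(sender: str, subject: str, body: str) -> list:
    """Collect the warning signs from the list above for one message."""
    flags = []
    verdict = classify_domain(sender.rsplit("@", 1)[-1])
    if verdict != "trusted":
        flags.append(f"sender domain {verdict}")
    text = (subject + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("manufactured urgency")
    return flags


if __name__ == "__main__":
    # Constructed sample message using the post's own look-alike domain.
    print(triage("billing@amaz0n.org", "Account locked", "Confirm your card immediately."))
```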
Those who have been targeted before, or who want to take precautions without spending money, can tag emails. Tagging, which means adding an agreed company word to the subject line or a specific phrase to the first line of the email, won’t stop a Spear Phishing attack, but its absence can be a warning that something about the email is not right. Beyond this, putting processes in place for confirming requests over the phone or by text message will mitigate the possible effects of this type of attack.
Hackers rely on deception to make these attacks work. By educating ourselves to be aware of the tricks they use, we help to make everyone safe from these criminals.
I’ve always had a love of working with technology, being fortunate enough to have grown up with a grandfather who taught me how to fix things for myself and not be afraid to jump in and get my hands dirty. Over the last three decades, I’ve worked as a technician, trainer, technical writer, and manager in small business, enterprise organizations, and government. In addition, I’m an author, having published multiple works available online and in print. You can find my creative work at https://WritingDistracted.com