Clark Computer Services

Spear Phishing: A Personal Attack

Chuck's Cyber Wall

Chucks Cyber Wall - Spear Phishing A Personal Attack

The most significant cyber threats to small businesses and home users are E-mail and Spear-Phishing. And the most effective defense against them is Awareness. It is for these reasons, that we here at CLARK continue to discuss them, providing information on new phishing threats, and explaining how to spot them. Beyond this, as a cybersecurity expert, I feel it’s important to ensure that we are all aware of the threats, but I am often more motivated as a son.

Video chatting with my Mom this weekend, she mentioned an email from her bank about fraud on her account. Before I could say anything, she told me that the email address “looked funny”, so she deleted the email and called her bank. Seeing the wide grin spreading across my face, she crinkled her nose and told me that she does sometimes pay attention when I go on and on about internet security.

I’m still grinning about it.

 

Because this is personal to me, this week I’d like to talk discuss the more personal version of a phishing attack.

SPEAR-PHISHING

By its nature, phishing is a spam attack, meaning that targets are nothing more than a list of email addresses, likely purchased off the dark web. In contrast, Spear-Phishing is targeted at a specific individual, organization, or business. These attacks are typically an attempt to steal data, initiate a transfer of money, or install malware on a user’s computer.

How does it work?

Much like a standard phishing attack, it is delivered through email, using familiar formatting and logos. The big difference is in how it is targeted. A Spear-Phishing attack is typically addressed to a specific person by name or role. This personalization can be the result of information gained from a previous phishing attack, a social engineering attack, or simple research.

And they look real. The email address in the “from” field is typically spoofed to look like it comes from a trusted domain, very often using simple tricks such as swapping the letter “o” for the number “0” (@amaz0n.org) or by using symbols, such as replacing a “w” with a “ω” (@2coωs.net). Between this, the use of company logos, and addressing the email to a specific person, it’s easy to see how this type of attack can be effective, but the cybercriminals take it a step further, manufacturing a sense of urgency to perform an action before the facade falls apart.

Chucks Cyber Wall - Spear Phishing A Personal Attack

Previous Spear-Phishing attacks revolved around sending zip files or infected PDF documents that would execute malicious code on the computer when opened, asking the person to open and review the documents immediately. Newer ones seek to get infected code into file sharing sites such as Google Drive, where their influence and reach can be dramatically enhanced, but that isn’t the only type of attack. These emails can also include requests for sensitive informationinstructions to purchase gift cards, or links to make purchases at fake websites. By using social media to get information on people, it’s easy for cybercriminals to craft these to impersonate specific people, such as a manager or vendor, in order to distract the target.

SPEAR-PHISHING

The vast majority of Spear-Phishing attacks begin as hacks and successful phishing attacks. One of the many things we continue to mention is that it doesn’t matter who you are or what you do, your information has value on the dark web. Where a stolen email address will typically get you spammed with phishing attacks, your name, address, phone number, job title, and other such biographical data will make you a target for Spear-Phishing attacks.

Using this stolen information, cybercriminals will begin to delve into your life. They can use social media sites such as LinkedIn to discover information about you and your contacts and delve further into platforms like Facebook, Instagram, and Tik-Tok to add personal details to the emails. We tend to share a great deal of ourselves online, sometimes too much, and when our stolen information gets us unwanted attention, it makes it easy for them to make it personal.

Thwarting attacks

While there are some technical things that can be done to prevent these types of attacks, such as installing antivirus and using spam filters, it is the human controls that are most effective. Security awareness and training combined with an established process for reporting suspicious emails is by far the best defense against Spear Phishing.

Identifying these types of attacks typically comes down to the details.

  • Look at that domain name, is it correct?
  • Think about the request or instructions, do you do this often?
  • Check the legitimacy of that urgent message, especially if it’s an odd request
  • Trust your instincts, especially if you’re wondering why you received that email

Those who have been targeted before or want to take precautions without spending money can tag emails. Tagging is the act of adding a company word to a subject line or including a specific phrase in the top line of the email. While it won’t stop a Spear-Phishing attack, it can be a warning that something about the email is not right. Beyond this, putting into place processes for confirming requests over the phone or by text message, will mitigate the possible effects of this type of attack.

Chucks Cyber Wall - Spear Phishing A Personal Attack

Cybercriminals rely on deception to make these attacks work. By educating ourselves to be aware of the tricks they use, we help to make everyone safe from these criminals.

4 1 vote
Rate This Post
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x
Clark Computer Services IT Support Services Leadership Page Darren Clark in his office

Darren Clark

President and Owner

I left big business to start Clark Computer Services in 2003; not because I had a grand vision, but because I had three young children who needed their Dad around. Knowing I had to replace my salary, I went door-to-door visiting small businesses to introduce myself and ask if they needed IT support. I heard story after story from business owners and office managers about IT companies not returning calls and emails, grumpy technicians showing up late or not at all, and systems being down for days, weeks, and in some cases…months. I realized quickly that there was a clear and pressing need for reliable, honest, and professional IT support completed pleasantly and on time.

This experience created the foundation for Clark Computer Services and helped me articulate the vision that has guided the company for more than 15 years:

We will make customer service our highest priority and ensure that all customers receive friendly, reliable, and professional service on every job, at every sales call, and on everything we do.

If you need IT support

Please fill out the form below and provide a detailed question or comment. We will reply in a timely manner.