“Spear-phishing” – What it is, and How it Works
The FBI has published a warning that they have seen an increase in criminals who use spear-phishing to attack and gain access to private computer networks. Access is then used to exploit the data “to create fake identities, steal intellectual property, and compromise financial credentials to steal money from victims’ accounts.”
All businesses and end users need to understand the mechanisms of spam, spear-phishing, malware and social engineering to be able to apply this knowledge and protect your network from within.
Phishing is using electronic communication to gain access to usernames, passwords or credit card information. Spearphishing is gaining the same information by targeting a specific person or group.
Spearphishing is easily started with data found on social media websites such as LinkedIn and Facebook. Users freely post information on the sites, which in turn can be repeated back to the victim to begin the “friendly” line of contact. These malicious emails will try to gain personal information such as a password or other company information. The emails could contain a link that would upload bits of code onto the recipient’s computer. More likely with spearphishing, the “friendly” emails are intended to create a comfortable association over time, so the user will be more likely to share confidential or proprietary information.
A conscientious employee is the best line of defense.
1. Be conscious of what information is shared on social media, including photos, conferences, or other personal information. Information embedded in photos can have where the photo was taken and other details that can be used to gain confidence.
2. Know the sender before you open any links. Reputable online vendors and financial institutions will not send an email notifying you of any actions to personal information. Investigate where the link might go, and why you need to access it. Hover the mouse over the link or right click and go to the link properties.
3. Be skeptical of all emails. Even if they know personal information, or indicate that they recently met you at a meeting or convention. If it was an unsolicited email, be extremely cautious.
4. Ignore odd commands and unlikely urgent actions, even if the email is from a company representative. If it is too good to be true, or very far-fetched and unlikely, then scrutinize the request.
5. Call on unknowns. Use the phone and call the person direct if an email or request is suspicious. Whether an internal company email or from a non-solicited “friendly” contact, a simple phone call can validate the request quickly and harmlessly.
Phishing attacks account for the vast majority of attacks to federal and private sector networks. Experts predict these attacks will increase as more company data is accessed on personal devices, such as smartphones and tablets. The best defense against these attacks is internal awareness of the threat. This could be as simple as utilizing existing filtering software. Most importantly, employees should be made aware of this potential threat.