Spear Phishers Exploit Trust

Spear phishing is a more targeted version of phishing, but the goal is the same. Cyber criminals want your money and your private information. With spear phishing, they may even attempt to use the company or organization you work for to dupe you into wiring money or giving out confidential information. Using information that can be found online, including your social media profiles, attackers can create personalized emails impersonating people you trust. A spear phishing attempt can be very convincing, especially when it seems to be from a trusted contact such as your boss.

Examples of Spear Phishing

Fraudsters pose as your bank’s IT services asking you to make a “test” transfer to ensure that your account is working.

An attacker impersonates a high-level executive such as the boss or president of an organization. They use this influence to convince your organization’s accountant to transfer money to a bank account.

A spear phishing email has a link or attachment that, when clicked, installs malware on your machine, giving a cybercriminal access to your organization’s network.

An email from someone such as a network administrator asks you to log into a web page that requests your employee username and password.

Spear Phishing Facts

  • Small businesses (1-250 employees) and very large businesses (2500+ employees) are common targets for spear phishing
  • Attackers are using stolen email accounts from one corporate victim to spear-phish victims in higher management positions
  • The file extensions .doc and .exe are two popular forms of attachments in spear phishing emails
  • The precision of spear phishing attacks is increasing, meaning fewer malicious emails have to be sent in order to be successful
  • In 2014, individuals in sales/marketing, finance, and operations positions received the most spear phishing attacks
  • Spear phishing emails usually appear to come from a trusted source

 

To decrease your chances of being a target of spear phishing, keep your information private. Take a look at your web presence, including social media profiles. Are your accounts set to private? Do you have information on your profile that can be viewed by anyone? Make sure that you are not publicly displaying your birthdate, email addresses, employer information, or user IDs. Also, do not post such things on your page or a friend’s page.

Read our post on how to identify a spear phishing attack:

https://www.rit.edu/security/content/how-spot-spear-phishing-attack

For further information:

See the Symantec Threat Report: 2014-15 https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf

Summary of the 2015 Symantec Threat Report http://www.symantec.com/connect/blogs/2015-internet-security-threat-report-attackers-are-bigger-bolder-and-faster

InfoSec Institute: Spear Phishing http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/