Spear phishing: What do you need to know?
If you have heard someone talking about spear phishing, images of pearly seas and abundant schools of fish might come to mind. However, spear phishing is also a form of social engineering that can lead to your personal information falling into the hands of wrong people.
Spear phishing is no laughing matter. Its strength lies in its ability to affect anyone - even those within large organisations.
According to a Symantec report, five out of six companies with over 2,500 staff were specifically targeted by cybercriminals using spear phishing tactics in 2014.(1)
There have also been a number of high-profile cases. The White House was targeted by a spear phishing attack that led to sensitive information being compromised, an April 2015 CNN article reported. Interestingly, it all started when an official responded to an email launched using the State Department's account that turned out to be fraudulent.(2)
With even the most protected systems at risk, it is important to know what spear phishing is so you can stay clear and protect your interests.
What is spear phishing?
Spear phishing is a form of targeted cyberattack that involves the use of an email crafted to look like it has come from someone within an official organisation or who is familiar to you.
In comparison to phishing - where hackers will send a number of random emails supposedly from a random or made-up bank - spear phishing involves targeted attempts to gain your personal information.
How does it work?
Spear phishing involves sending an email with fraudulent information and an array of associated links to a specific person in the hope they will open them.
The key characteristic of spear phishing is precision. Cybercriminals using this method of attack do not send out several thousand emails to random users in the hope a few victims will take the bait. Instead, they select certain groups of people that are connected in some way, for instance, they might work at the same company, visit the same websites or are serviced by the same bank.
Being able to replicate official emails or mimic the style of a specific person involves effort. It requires cyberattackers to either hack an organisation's network and acquire email templates and information about a colleague, or scouring other sites such as blogs and social networking platforms for information they can use.
How can spear phishing impact me?
The end goal of spear phishing is to attain your personal information, such as your PINs, passwords and account numbers. To accomplish this, hackers will send an official looking email with an urgent plea for your information with an authentically sounding explanation.
Once you have clicked on the link, there are two main ways cybercriminals can gain access to your information.
They can attach malware to your browser and begin to siphon your information as you use it. For instance, if you log into your bank's online service using a browser with malware attached, the fraudsters can attain your log-in details and use it to access your bank accounts.
Additionally, the hacker's emails will contain links to fraudulent websites that if clicked on will ask you to enter specific information.
If a spear phishing attack is successful, your data could end up in the hands of criminals who may use it to take your money, acquire a credit card in your name or use your identity for larger criminal activities.
What can I do to avoid spear phishing?
There are several ways you can combat spear phishing attacks and protect your personal information from fraudulent use.
The best approach to avoiding spear phishing is through an understanding of the two primary platforms that spear phisherman use.
The most popular delivery platform is email. As such, when opening an email it is important to know the hallmarks of a phishing scam:
- If it asks for your personal information, play it safe and assume it is a phishing attack.
- If you believe the email may be a scam, phone the organisation to verify if it is an official email.
- If you do click on a link, make sure to never enter your information into the website that appears.
- If you recognise the email address, do not take this as proof it is from an official or authentic source.
- If you see a suspect email has an attachment, make sure you do not open or download it as it could be an infectious computer virus.
Social media
Social media phishing attacks are becoming more common as the number of users increases. Social networking sites have an added advantage for scammers as people tend to trust each other's posts and messages more than they would a random email. One way to address this is by utilising the security settings most social networking sites have.
Furthermore, many social networking sights have instant messenger capabilities. This compounds the problem as it is harder to identify a phishing attack over instant messenger services than it would in an email. To be safe, only open links that you can corroborate with the sender.
If you would like to know more about the spear phishing attacks or other techniques cybercriminals use to get access to you information, talk to Identity Watch today.
1 Internet Security Threat Report 2015. Symantec. Accessed: 12/09/2015
2 How the U.S. thinks Russians hacked the White House. CNN. Accessed: 12/09/2015