Be very aware of clever dodgy emails
What exactly is spear phishing?
Spear phishing is defined as "the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information."
It is a form of targeted online attack with the aim of stealing your sensitive information including account passwords or financial details.
The attacker uses social engineering: they manipulate you by imitating someone or something you know, from a friend to a business whose services you use.
They may create a whole replica of a website or simply use similar content but the goal is to get you to click a malicious link and download a file or submit your login details.
In recent years these forms of online attacks have grown in frequency and in success: 76% of businesses reported being a victim of a phishing attack in the last year, and spear phishing in particular is now the most common method of gaining access to your passwords.
How is spear phishing different to normal phishing?
While both phishing and spear phishing are methods of online attack with the goal of collecting personal or confidential information, spear phishing is a more specific attack than phishing in general.
Phishing is broader: rather than spending the time and effort required for a more personalised attack, the attacker hopes to get lucky by emailing multiple people at once.
Phishing and spear phishing utilise the same techniques, but due to the difference in detail a spear phishing attack can be a lot harder to identify than a normal phishing attempt.
Because of its higher success rate compared to normal phishing attempts, spear phishing is unfortunately becoming more common.
An example of a spear phishing email from BITS.
How does spear phishing work?
As mentioned above, spear phishing has become increasingly difficult to spot due to the sophistication of the attacker and the sheer amount of personal information already accessible online.
But it's not just the amount of personal information they use to try to manipulate you: these emails usually require you to act or respond immediately to prevent something further from happening, such as an account cancellation or a large fine.
The attacker relies on this false urgency to make you panic and not take the time to think things through, knowing this is when you're most likely to make a mistake.
Once you've downloaded their attachment or entered your password into the form they've created, they'll have their real fun: using this information to gain access to even more of your accounts.
Sometimes they want your banking details, sometimes they'll use your personal information to create accounts and identities of their own.
Useful tips to avoid a spear phishing attack
- Be careful sharing personal information online. How much information is already available for potential attackers to use? The world wide web can be a dangerous place and it's important to differentiate between the type and amount of information your friends and family can see vs. complete strangers. Double check your privacy settings and make sure you're comfortable with what you share online.
- Use smarter passwords. It is important to have unique passwords for each of your accounts. This means even if an attacker does manage to obtain one of your passwords, they can't use it to access more than one account. Look into using a password manager tool such as LastPass which will generate and store smart and secure passwords for you.
- Update your software. Even though it's sometimes wise to wait a while before installing the latest software updates so the developers have a chance to resolve any major bugs or issues, it's important not to wait too long before doing so. Most software updates also include security updates to keep your system secure. Attackers can and will take advantage of outdated and insecure software and exploit it where possible.
- Be careful clicking links in emails. While we're all used to the convenience of quickly clicking a link in an email, sometimes the safer option is to do something the long way: visit the website and find the page you're looking for manually. You can usually tell if a link in an email is malicious when you hover over it: if the URL of the link doesn't match the text or the intended location, then it's probably not safe and you definitely shouldn't click it.
- Use logic and common sense. If an email doesn't look or feel right, then go with your gut: chances are there's something not right with it. Always double check the address of the email sender and scan the content for noticeable spelling or grammar mistakes. Remember: a real business will never directly ask you for your personal details in a random email. When in doubt, it's safest to contact the business directly (and don't use the supposed business contact details in the email).
- Look into a data protection program. It doesn't matter how cautious you are if your coworker clicks every dodgy link they are emailed. Your business should have a system or program in place to ensure everything from secure communication to the protection of sensitive data.
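The two checks in the tips above (does the link's real destination match the text you see, and does the sender's address belong to the organisation the display name claims) can be automated as a mail-triage heuristic. The Python below is an added example written for this article, not code from BITS or from any product; the email body, sender header and brand domain list are constructed sample data, and the "registrable domain" helper is a deliberately crude two-label approximation (a real deployment would use the public suffix list).

```python
"""Heuristics for two spear-phishing warning signs: link text that points somewhere
other than its href, and a sender display name that borrows a brand the address
does not belong to. Added example with constructed sample data."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: last two labels (assumption; 'example.co.uk' needs a suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html_body):
    """Return anchors whose visible text looks like a URL/domain that differs from the href host.

    Anchors with non-URL text such as 'Click here' cannot be judged this way and are skipped.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if not href_host or not shown:
            continue
        if registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append({"text": text, "href": href})
    return findings


def suspicious_sender(from_header, brand_domains):
    """True if the display name invokes a known brand but the address is not on that brand's domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    compact_name = name.lower().replace(" ", "")
    for domain in brand_domains:
        brand = domain.split(".")[0]  # e.g. "examplebank" from "examplebank.com"
        if brand in compact_name and registrable_domain(addr_domain) != registrable_domain(domain):
            return True
    return False


def triage(from_header, html_body, brand_domains):
    """Combine both checks into a list of human-readable reasons to distrust the message."""
    reasons = []
    if suspicious_sender(from_header, brand_domains):
        reasons.append("sender display name borrows a brand the address does not belong to")
    for finding in find_mismatched_links(html_body):
        reasons.append(f"link text {finding['text']!r} points at {finding['href']!r}")
    return reasons


# Constructed sample message: a false-urgency notice with one deceptive link.
SAMPLE_FROM = '"Example Bank Security" <alerts@examplebank-verify.example>'
SAMPLE_HTML = """<p>Your account will be suspended in 24 hours unless you verify it.</p>
<a href="http://login.examplebank-verify.example/secure">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>
<a href="http://tracker.example/abc">Click here</a>"""
KNOWN_BRANDS = ["examplebank.com"]

if __name__ == "__main__":
    for reason in triage(SAMPLE_FROM, SAMPLE_HTML, KNOWN_BRANDS):
        print("WARNING:", reason)
```

Running the script prints one warning for the sender and one for the first link; the second link is consistent and the "Click here" link is skipped because its text names no domain, which is exactly the case where hovering over the link (as the tip advises) is still needed.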