Stop Spear Phishing from Ruining Your Reputation
Spear Phishing vs. Phishing
Spear Phishing is a type of phishing email sent to a specific individual with the intent of acquiring sensitive information like passwords, account numbers, PINS, and access codes. It’s now the most successful method of acquiring confidential information, and accounts for 91% of attacks. It differs from regular phishing because typical phishing attacks are spoofed emails sent to large numbers of people with hopes someone will click on an infected link and provide their personal information or download malware.
How it works
Spear Phishing emails have improved over the past few years and now are extremely difficult to detect. Once the bad guys have chosen a target, they monitor that person’s Facebook, LinkedIn, Twitter and any other social media sites to gather bits and pieces of information so they can do one thing—trick you into clicking an infected link or attachment within a sophisticated, compelling email. These emails can appear to be from the user’s bank, credit card company, Internet shopping sites, and even good friends. The possibilities are likely endless.
The most frightening thing about spear phishing is it’s usually just the tip of the iceberg. A successful theft of credentials or personal information is often just the beginning of an attack, as the criminal’s end goal is to gain access to the company’s network. If neglected, a company could succumb to a more severe attack, like the data breaches at Home Depot, Target, and Equifax. These companies lost millions of dollars, stolen customer records, their credibility, and their reputation.
Are you a target?
While anyone can be the target of spear phishing, cyber criminals are increasingly attacking those in key positions at companies and organizations, such as business owners and C-level personnel. This is for a couple of reasons. First, those key personnel are more likely to have their full customer lists along with contact information, their employee data with social security numbers, vendor lists, the company’s banking information, etc. on their workstation.
Second, some business owners and executives are often in a hurry and don’t think before they click, some aren’t as email savvy because their age, and some just think it could never happen to them. Don’t forget, however, anyone in an organization can be the victim of spear phishing; the bad guys have just learned to attack higher value targets.
Small and mid-sized businesses are also becoming high value targets as attackers see them as a backdoor gateway into larger corporations. They also might have small IT departments with less security infrastructure in place, making the attack easier to execute.
Don’t be a victim
Because email is the most common entry point it is critical to secure this area from spear phishing attacks. ANYONE in your company could be the unlucky, uninformed one who clicks on an attachment or link that causes financial and personal disaster to your firm. Because of this, it’s imperative that ALL employees be trained to spot spear phishing emails. They need to carefully spot misspellings, strange vocabulary, websites with mistakes in the address, supposedly secure sites that are missing the “s” in https//, and other indicators an email could be a phishing attack. If they receive an email from their bank or a credit card company asking for passwords or account numbers, they need to know to delete their email and call the bank or credit card company because neither will ever ask for these via email.
Real world examples
The examples below are real. We’ll discuss the reasons why they are spear phishing emails after each.
This spear phishing email sure looks official, unless the target reads the From line. Note the spelling: MîcroSoft. At a quick glance, one could jump right past it and move on the body of the email. But, also in that same From line is the email address mailto:firstname.lastname@example.org. Who is this person? Who is this company? Why did this person send an email that would only come from Microsoft?
The recipient of this email (name removed for privacy) didn’t fall for the deception and never clicked the large, blue text to review documents. He or she did click both the links under the Microsoft logo and discovered they point to nothing more than an image page on a strange domain.
All the cyber criminal needed to know about this target is he/she uses Microsoft OneDrive and the person’s email address. This obviously took some time to discover, and who knows what else this person knows about the recipient?
The next example is a bit more obviously a spear phishing email, as we’ll discuss below it, but the bad guys who sent this knew a lot about the target and some of it is shockingly personal.
This is a great example of a quite sophisticated spear phishing email, but if one looks a bit closer it’s not hard to identify it as malicious.
Look at the From line at the top. Who is Dave, and why would his company be sending this person an email about their American Express account? Incidentally, Dave is the CEO of a real company in Texas, and all his contact information was correct, meaning this cyber criminal has already broken into Dave’s company’s network. Also, notice the spelling: American Exprėss. There is unnecessary spacing between some of the words in the body of the email, too.
This sender also has copied their logo and placed a photo of an AMEX Gold Card in the email to make the reader think a photo of their card is in the email along with the wording “Your Account information is included above to help you recognize this is a customer service e-mail from American Express.” And, the next sentence has a typographical error.
When one dissects this email it SCREAMS spear phishing, but here’s the scariest part: The individual who received this email (name removed for privacy) is a CEO of a manufacturing company and was on a business trip using his or her AMEX Gold card when this email was received! A busy CEO, on the road, and likely viewing that email on a cell phone—perfect target, perfect timing. The criminal who sent this had obviously been studying this person for quite some time and is very dangerous.
Office 365 Advanced Threat Protection
Unfortunately, training everyone in your office on how to spot spear phishing emails is virtually impossible. We’re all human, and sooner or later someone will make a mistake and click on a link or attachment and unleash a cyber criminal’s fury on your office. This means businesses must have software with built-in methods of stopping these emails from reaching their recipients or stopping the recipient from opening the email in the first place.
Microsoft offers Advanced Threat Protection (ATP) for customers with most Office 365 plans for $2/per user. New spear phishing and malware campaigns are being launched every day, with ATP you can help protect your email against them. With Office 365 ATP, you can protect your mailboxes against new, sophisticated attacks in real-time. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. A zero-day vulnerability refers to a hole in software that is unknown to the business. This hole can be easily exploited by hackers before anyone becomes aware of the threat.
Advanced Threat Protection also includes Safe Attachments. This software sends all suspicious content through real-time behavioral malware analysis. Unsafe attachments are sandboxed in a chamber before they’re sent to the recipient. This provides a malware free inbox for your end users.
Also included in ATP is Safe Links. Exchange Online Protection provides protection against malicious links by scanning content. Safe Links takes this one step further to protect a company’s environment when a user clicks on a link. While the link is scanned the URLs are rewritten through Office 365. They are examined in real-time when the user clicks them. If a link is found to be unsafe, the user is warned not to visit the site or informed the site has been blocked. This comes with reporting, too, so administrators can track which users clicked a link and when they clicked it.
The security landscape has changed, and will continue to change, as cyber criminals constantly look for a new vulnerability to exploit and create new ways to attack the innocent. Michael McCaul, Chairman U.S. Homeland Security Committee recently stated, “I’m going to be honest. We’re in the fight of our digital lives, and we are not winning!”
But, your company doesn’t need to be one of the losers. For more, call us and schedule your firm for our Overwatch Cybersecurity Exam to prevent reputation damage, data breach, and fines or penalties caused by any threat; including spear phishing.