As criminal spear phishing becomes more targeted, users need to be even more aware to avoid being duped
By Joan Goodchild, Senior Editor, CSO Online
The criminal art of spear phishing, email spoofing that aims to get the recipient to click on a bad link or attachment, has been around for years. But that doesn’t mean it’s become any less effective. According to figures from the U.S. Computer Emergency Readiness Team (US-CERT), which compiles information from federal, state and local governments, commercial enterprises, U.S. citizens and foreign CERT teams, phishing attacks accounted for 53 percent of all security incidents in 2010.
What has changed recently is that more phishing attempts are direct, targeted efforts aimed at specific individuals within an organization. In fact, after the recent breach of an email database maintained by marketing firm Epsilon, security experts warned that banking customers should worry about a wave of spear phishing attacks utilizing the information gained from the break in.
The days when phishers would blast out hundreds of generic messages and hope for a few hits are ending. Criminals now realize a message with specialized social engineering content that is directed to one person, or a small group of people, can be much more successful. After all, it typically only takes one machine to compromise an entire network.
“We now see more of the scenarios involving just two or three emails targeting the executive team, which spoofs the legal team and contains a malware attachment that talks about pending litigation,” said Jim Hansen of the security awareness consultancy PhishMe.
PhishMe has designed spear-phishing-awareness training that focuses on changing user behavior. Hansen gave us five tips his team offers clients to help them avoid getting hooked by a phony message.
Be skeptical of all emails
Ask yourself: Who is this email from? If the sender is someone you do not recognize, chances are this email is either some form of unsolicited spam or it is a phishing email, said Hansen. Search for the domain through Google or some search engine to see where the domain comes from, he advised.
“Slow down, take a breath and think about what you’re doing,” said Hansen. “We are all busy people, but if you take a few minutes, it’s not going to disrupt your day.”
Be wary of attachments
If you do open the email and you are prompted to download images or attachments, don’t, said Hansen. These “images” and attachments could contain malicious content that you don’t want on your computer. At best, said Hansen, you are slammed with a ton of spam and advertisements. At worst your computer could be an open book to an attacker trying to get your information.
If the message comes from a sender you don’t recognize, or even if it is a sender that you do recognize, get confirmation before downloading any attachment.
Ignore commands and requests for action
If the email is urging you to do something, stop and think before you fall into their trap, said Hansen. If it is too good to be true or seems too farfetched, it probably is.
“There are two motivations a criminal will try to appeal to: reward or authority,” said Hansen.
In an authority-based scam, the email may say you need to act upon something and the message comes from someone in a position of authority, such as an IT team member telling you your computer is infected, or an HR person asking you to fill out a company survey. These kinds of messages may also try to fool you into thinking you have a package that was “undeliverable” or that your bank account has been breached.
The reward scenarios usually involve some kind of prize for entering a raffle or filling out a survey. Ignore them all, said Hansen.
Check out the link
Where does that link actually go? Almost all phishing emails have a link in them that they want you to click, said Hansen. The link says it is going to your Facebook page or to your bank website, but where is it really going?
The easiest way to find out is to hover your mouse over the link and look at the bottom left corner of your browser window. There you should be able to see the exact URL that you will be directed to if you click on the link. If this link shows as an IP address (example :192.168.1.1) then most likely this is not a place that you want to go.
Use the phone
Remember the phone? It’s how most of us once communicated back in the dark ages. It can still come in handy today, said Hansen. If you’re unsure, and the email message seems urgent, try to contact the sender by telephone.
“If you know the person, call them,” said Hansen (or you could text them!).
Hansen also advises that if you don’t know the sender, don’t download the attachment. Look up the sender’s phone number in your company directory or call the organization they are claiming to be from directly using a well-publicized phone number to confirm that the email was legitimately sent from that person or company.