Spam and you: a story about a spear, a fish and some spam (no, not the meat!)

Learn about spear phishing attacks as well as how to identify and avoid falling victim to spear phishing scams.

Spear phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

Phishing is a broader term for any attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons. Attackers often disguise themselves as a trustworthy entity and make contact with their target via email, social media, phone calls (often called “vishing” for voice phishing), and even text messages (often called “smishing” for SMS phishing).

Spear phishing attacks target a specific victim, and messages are modified to specifically address that victim, purportedly coming from an entity that they are familiar with and containing personal information. Spear phishing requires more thought and time to achieve than phishing. Spear phishing attackers try to obtain as much personal information about their victims as possible to make the emails that they send look legitimate and to increase their chance of fooling recipients. Because of the personal level of these emails, it is more difficult to identify spear phishing attacks than to identify phishing attacks conducted at a wide scale. This is why spear phishing attacks are becoming more prevalent.

Along with extremely focussed targeting, spear phishing campaigns contain a large reconnaissance element. Threat actors might start with emails harvested from a data breach, but supplement that with a host of information easily found online. They might view individual profiles while scanning a social networking site. From a profile, they will be able to find a person’s email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. With all of this information, the attacker would be able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target.

To increase success rates, these messages often contain urgent explanations on why they need sensitive information. Victims are asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. The urgency will often be coupled with an urge to break company policy or norms, fast-tracking payments without the usual checks and procedures. They may also use emotive language to either invoke sympathy or fear; the impersonated CEO might say you’re letting them down if you do not make the urgent payment, for example.

Once criminals have gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim’s information. Spear phishing can also trick people into downloading malware or malicious codes after people click on links or open attachments provided in messages.

The effectiveness of spear phishing comes down to a combination of both technical and psychological reasons. Spear phishing emails are quite hard to detect because they are so targeted, appearing as normal business emails with normal business communication, so it’s really difficult for spam detection systems to realize it’s not genuine email.

Spear phishers exploit that because you don’t want your spam protection blocking genuine emails as end users get frustrated and business processes start to fall down. They contain a heavy element of social engineering that plays on how people think and act. It’s this ingrained capacity for trust which phishers like to abuse. People are significantly more likely to comply with requests from authority and trusted figures. A high degree of personalization dramatically increases the trustworthiness of emails. The more personal information is present in an email, the more likely a victim is to believe that the email is authentic.

1. Spam training.
Many people unknowingly open themselves up to receiving unsolicited junk emails by their own actions. Training on this subject will provide education ready to distribute to your end users on how to avoid spam.

2. Watch what personal information you post on the internet.
Look at your online profiles. How much personal information is available for potential attackers to view? If there is anything that you do not want a potential scammer to see, do not post it – or at the very minimum make sure that you’ve configured privacy settings to limit what others can see.

3. Have smart passwords.
Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all of your accounts. Every password that you have should be different from the rest – passwords with random phrases, numbers, and letters are the most secure.

4. Be vigilant.
Carefully inspect email addresses and links that are sent to you. They may look legitimate but spear phishers rely on you not paying close attention to succeed. The shortest path into a network is through the weakness expressed in human behavior, in a person’s tendency to trust, to carry out instruction, or simply to be curious.

5. Frequently update your software.
If your software provider notifies you that there is a new update, do it right away. The majority of software systems include security software updates that should help to protect you from common attacks. Where possible, enable automatic software updates.

6. Do not click links in emails.
If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it could be malicious. Many spear phishing attackers will try to obfuscate link destinations by using anchor text that looks like a legitimate URL.

7. Use logic when opening emails.
If you get an email from a “friend” asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that “friend” or business outside of email, or visit the business’ official website to see if they were the party who actually contacted you.

8. Implement a data protection program at your organization.
A data protection program that combines user education around data security best practices and implementation of a data protection solution will help to prevent data loss due to spear phishing attacks. For midsize to larger corporations, data loss prevention software should be installed to protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.

False billing scams request you or your business to pay fake invoices for directory listings, advertising, domain name renewals or office supplies that you did not order.

How this scam works
Your business might be sent an invoice, letter or invitation to be listed in a bogus trade directory or to renew your website domain name. Or the scammer might phone you out of the blue to confirm details of an advertisement booking or insist you’ve ordered certain goods or services. These scams take advantage of the fact the person handling the administrative duties for the business may not know whether any advertising or promotional activities have actually been requested.

Domain name renewal scam
Alternatively you could be sent a letter that looks like a renewal notice for your actual domain name, but it is from a different company to the one you have previously used to register your domain name.

The sender may claim that another company is seeking to register the same domain name, but they are giving you the brief opportunity to secure the name first. You will be told your chance to use the domain name will end if you do not pay immediately.

Contact us at (02) 6361 1116 or at support@colton.com.au for any assistance you may need with your security related needs.