- June 16, 2020
- Posted by: Chad Gniffke
- Category: Network Security
With more people spotting ordinary phishing attacks from a mile away, attackers are turning to spear phishing. These targeted attacks have proven extremely successful and often go unnoticed until it is too late.
What is Spear Phishing?
Unlike a standard phishing attack, which is blasted out to as many people as possible, a spear phishing attack uses social media and other research tools to target specific people. In a spear phishing email or phone call the attacker may use the real names of people you know and interact with on a daily basis, or other details about you they have discovered through social media.
An example I like to use in my network security webinar is an email sent under the name of a company's CFO. The attacker registers a Gmail account that has the name in the address, along the lines of firstname.lastname@example.org. They can typically find this name by searching through the company's LinkedIn profile or other social media pages.
The attacker then finds someone to target through the same method, for instance by looking through LinkedIn for the name of someone in accounting. They may also collect one more name to add legitimacy to the request. Attackers might even phone the company under a pretext, such as posing as a sales call, to pull these names out of whoever answers.
Once the attacker has all of the names in play, they send the target an email from the freshly registered Gmail account asking for money to be sent. They will come up with a plausible-sounding excuse for why they are writing from their "personal" email account, and they may drop the third name as well: "I've already cleared this request with so and so."
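The pattern just described, an employee's name on an address the company does not control, is something a mail gateway can check for mechanically. The following is an added example, not code from the original post: it parses a raw message, flags a From display name that matches someone in a (hypothetical, constructed) employee directory while the sender domain is outside the company's own domains, and then reports the supporting signals the post mentions, such as a free webmail sender, a mismatched Reply-To, pressure language, and a second employee's name dropped in the body. The directory, domains, keyword list and both sample messages are made up for illustration.

```python
"""Flag mail whose From display name matches a known employee while the
address sits outside the company's own domains (display-name impersonation).
Added example, not the original post's code; all data below is constructed."""
import email
import re
from dataclasses import dataclass, field
from email.message import Message
from email.utils import parseaddr

# Hypothetical company data (assumed for the example).
COMPANY_DOMAINS = {"example-corp.com"}
DIRECTORY = {"jane doe": "CFO", "sam lee": "Accounts Payable", "pat kim": "Controller"}
# Webmail providers where anyone can register an account under any name.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}
# Phrases typical of a payment request that pushes for speed or secrecy.
PRESSURE = ("urgent", "wire", "right away", "before end of day",
            "confidential", "personal email")


def normalize_name(display: str) -> str:
    """Lower-case, drop titles and punctuation, turn 'Doe, Jane' into 'jane doe'."""
    s = display.strip().strip('"').lower()
    if "," in s:
        last, first = (p.strip() for p in s.split(",", 1))
        s = f"{first} {last}"
    s = re.sub(r"[^a-z ]", " ", s)
    s = re.sub(r"\b(mr|mrs|ms|dr|cfo|ceo|cio)\b", " ", s)
    return " ".join(s.split())


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def check_message(raw: str) -> Verdict:
    """Return a Verdict for one raw RFC 5322 message given as text."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    name = normalize_name(from_name)
    reasons = []

    # Core rule: an employee's name on an address the company does not own.
    if name in DIRECTORY and from_domain not in COMPANY_DOMAINS:
        reasons.append(f"display name matches {DIRECTORY[name]} but sender is @{from_domain}")
        if from_domain in FREEMAIL:
            reasons.append("sender address is on a free webmail provider")
    suspicious = bool(reasons)

    # Supporting signals, collected only once the core rule has fired.
    if suspicious:
        _, reply_addr = parseaddr(msg.get("Reply-To", ""))
        if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
            reasons.append("Reply-To points at a different domain than From")
        text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
        hits = [p for p in PRESSURE if p in text]
        if hits:
            reasons.append("pressure language: " + ", ".join(hits))
        squashed = " ".join(re.sub(r"[^a-z ]", " ", text).split())
        dropped = [n for n in DIRECTORY if n != name and n in squashed]
        if dropped:
            reasons.append("name-drops " + ", ".join(dropped))
    return Verdict(suspicious, reasons)


# Constructed sample messages; not real mail.
SPEAR = """\
From: "Jane Doe" <jane.doe.cfo@gmail.com>
To: sam.lee@example-corp.com
Subject: Urgent wire before end of day
Content-Type: text/plain; charset=utf-8

Sam, I'm writing from my personal email because I'm travelling.
Please wire $48,500 to the vendor account below today. This is confidential;
I've already cleared it with Pat Kim.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: sam.lee@example-corp.com
Subject: Q2 forecast
Content-Type: text/plain; charset=utf-8

Sam, could you send me the updated Q2 forecast when you have a minute?
"""

if __name__ == "__main__":
    for label, raw in (("spear", SPEAR), ("legit", LEGIT)):
        v = check_message(raw)
        print(label, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The core rule is deliberately narrow (a directory match plus an external domain) so it produces few false positives; the pressure-word and name-drop signals only add context to an already flagged message rather than triggering on their own. In practice the directory would come from the identity provider, and a hit should route the message to a quarantine or add a visible banner rather than silently dropping it, since executives do occasionally write from personal accounts.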
Spear Phishing is on the Rise
Because the email is full of accurate details, many people act on the request right away. This trend has increased dramatically since the pandemic hit and many people began working from home. They no longer have the luxury of walking over to the requester's desk to verify the request, and the victim may not even know who is out of town or working from home.
With colleagues physically separated, things get missed and protocol gets pushed aside, especially when the request seems urgent.
How Can We Protect Ourselves from Spear Phishing Attacks?
The best way to combat a spear phishing attack is to put a process in place to verify every financial request out of band. For example, when a request arrives by email, the rule might be to confirm it by text message or phone call, using a number you already have on file rather than one supplied in the email, instead of replying to the email. That way there is a separate channel of contact before any money moves.
In fact, verifying any request is always a good idea, whether it is a request for information or a request to make a change. Even an email with an attachment could use a quick check to confirm that the attachment is legitimate.
Another way to protect yourself against spear phishing is to make sure your social media accounts do not reveal details that can be used to get into your online accounts. Many of the quizzes and games that circulate on social media ask for exactly the kind of facts used as password reset questions. A simple perusal of your public profiles could give an attacker everything they need to phish you successfully.
Definitely be aware of both your privacy settings and the kind of information you are giving out on a regular basis on your profile.
Just knowing about these spear phishing attacks can help you be more alert and attentive whenever you come across any message or phone call. Stay vigilant and you should come out on the other side relatively unscathed.