Gmail interface in corner of laptop screen

Don’t be a victim of email spear phishing

One specific type of phishing attack is called “spear phishing.” Unlike standard email scams, spear phishing includes several elements of social engineering that are intended to deceive the email recipient to a much larger degree.

Spear phishing is “the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.” Another frequent and unfortunate consequence of Spear Phishing is monetization. These attacks are also more frequent at the end of a major accounting period such as quarter or fiscal year end.

How does spear phishing work?

There are several steps involved in a successful Spear Phishing attack:

  • Executive Level Social Engineering: The malicious actors will research your company. They will identify names of leaders in the organization (which is often published on the company web site or other social networks). Once identified, the malicious actors will create an email or message that strongly resembles company correspondence and send to associates of the company until they receive a response.
  • Manager, Staff, Customer and Supplier Social Engineering: Not only executives are susceptible. You may be an associate with Accounts Payable responsibilities and find yourself a target for an attacker looking to monetize by acting as a supplier looking for payment.
  • Distributing the Message: Once the targets and information are established, the attacker will send messages to-and-from very specific individuals with the intent of monetizing or gaining access to credentials which will then allow access to other sensitive information.
  • The Attack: Once the credentials are obtained, the attacker will use the login ID and password to gain access to other sensitive information or seize assets through denial of service or ransomware attacks.

Are spear phishing attacks successful? Unfortunately, the frequency of these attacks is increasing. It is estimated that 95 percent of attacks on business networks are the result of successful spear phishing. Security firm Trend Micro also estimated that spear phishing accounted for 91 percent of all cyber attacks.

What can I do to prevent a spear phishing attack?

  1. Understand how to recognize a fraudulent email. Look for the typical signs such as spelling, grammar, and punctuation errors. Also, take a moment and look at the email address of the sender.
  2. Make internal or external inquiries. Given the exposure that exists, follow up with a phone call to a superior, customer, or supplier to validate the credibility of the message.
  3. Never reveal sensitive user ID, password, or other authentication information through email or a phone call.
  4. If you believe that you’ve received a spear phishing message, report this to your Security Official immediately.

Be aware of your Information Security Policies and Procedures. Always consult your privacy and security official at BCN Services with questions.

From ATMP Solutions (edited and reprinted with permission) http://www.atmpgroup.com