By now, you are probably already aware of phishing, an online scam in which cybercriminals impersonate legitimate organizations in an attempt to gain access to your personal information. But have you heard of spear-phishing, and do you know how to keep yourself safe?
Spear-phishing is similar to phishing in that it also involves malicious emails being sent to victims, and the end goal of both is the same: to infect targets with malware in order to obtain information or money. Typical phishing campaigns target a large group of individuals at random with generic tactics; phishing works by reaching as many people as possible. Spear-phishing, by contrast, is highly targeted: victims are researched beforehand, and the emails or messages are carefully crafted for each specific target. This makes spear-phishing emails much harder for both spam detection systems and users to detect, because they look like legitimate emails.
Spear-phishing campaigns are far more sophisticated and harder to stop. They often involve researching the names, roles and targets within the company or organization the attackers aim to penetrate. Cybercriminals absorb whatever information is available to them in order to build a credible narrative for their scheme, drawing on names, workplaces or other sensitive details. With the wealth of information available online through social media outlets such as LinkedIn, it is easy for criminals to decide whom to target or impersonate. As in ordinary phishing schemes, the emails carry documents containing malware or links to sites that steal the victim's credentials or sensitive information. Many criminals make use of seemingly legitimate services such as Dropbox, OneDrive or Google Drive to lull victims into complacency.
Spear-phishing is becoming increasingly common because it works. One study found that 71% of organized crime actors employed spear-phishing in 2017, and that 53% of infosec professionals experienced spear-phishing in 2017.
Spear-phishing attacks that target high-level executives are known as whaling (or "whale-phishing") attacks. In these cases, cybercriminals often impersonate the CEO or another high-level executive within the company or organization in order to coerce the victim into sharing sensitive information. One experiment found that executives are likely to fall for these attacks: about 75% of targets were fooled by whaling attacks.
Although spear-phishing is harder to detect than traditional phishing, it is not foolproof. There are several things you can spot within an email that should raise a red flag. An incorrect or slightly different sender address is one of the biggest warning signs: cybercriminals often exploit a sense of urgency and rely on you overlooking a small difference in the email address in your haste. Second, the message will often urge you to break company policy or norms (for example, asking an employee to fast-track a payment); here again the criminals are playing on your emotions by demanding an "urgent" task, and this should raise another red flag. Finally, look out for odd wording or terminology: pay attention to the message and its tone, and check whether they actually line up with previous messages or emails you have received from that sender.
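As an added illustration of the red flags above (example code written for this page, not part of the original article or any vendor product), the following heuristic scorer checks a message's sender domain against a constructed list of trusted domains, flags an executive's display name paired with an outside address (the whaling pattern), and looks for urgency and process-bypass phrases in the subject and body. The trusted domains, executive names and phrase lists are all assumptions chosen for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains the organisation legitimately mails from,
# and executive names that whaling attempts commonly impersonate.
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_PHRASES = ("urgent", "immediately", "asap", "right away", "before end of day")
POLICY_PHRASES = ("wire transfer", "fast-track", "gift card", "keep this confidential")
# Coarse mapping of character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize_domain(domain):
    # Fold lookalike substitutions so examp1e.com compares equal to example.com.
    folded = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        folded = folded.replace(glyph, plain)
    return folded

def spear_phishing_flags(raw_email):
    # Return the red flags found in a raw RFC 5322 message (empty list if none).
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS:
        # Red flag 1: an address that is off by a character from a real one.
        for trusted in TRUSTED_DOMAINS:
            if normalize_domain(domain) == normalize_domain(trusted):
                flags.append(f"lookalike sender domain: {domain} resembles {trusted}")
        # Whaling pattern: an executive's name on an outside address.
        if any(name in display.lower() for name in EXECUTIVE_NAMES):
            flags.append("executive display name with untrusted address")
    body = msg.get_payload() if not msg.is_multipart() else " ".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(p in text for p in URGENCY_PHRASES):  # red flag 2: manufactured urgency
        flags.append("urgency language")
    if any(p in text for p in POLICY_PHRASES):  # red flag 3: bypass normal process
        flags.append("request to bypass normal process")
    return flags

# Constructed sample message showing all three red flags at once.
SUSPICIOUS_EMAIL = """From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Subject: Urgent wire transfer

Please fast-track this payment before end of day and keep this confidential.
"""
print(spear_phishing_flags(SUSPICIOUS_EMAIL))
```

The homoglyph folding is deliberately coarse (it will also fold legitimate "rn" or "vv" sequences), so in practice such flags are a prompt for a closer look rather than a verdict on their own.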
With next-level email security you won't have to worry about detecting phishing scams yourself. We monitor all incoming emails for potentially malicious links and attachments. If we find anything even remotely suspicious, you'll be the first to know.
Some of the incoming malicious emails will be blocked completely, while others will still show up in your inbox with a notification stating that the message may contain malicious phishing content.
We also provide monthly reporting which will allow our clients to see exactly how many incoming phishing emails they were able to divert.
Find out more here or at www.cyberunit.com