Spear Phishing

 

What is spear phishing?

Spear phishing is an email that appears to be from an individual or business that you know, but isn't. Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message may install malware on the user's device or direct them to a "look-alike" malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.

Sophisticated cybercriminals are using the techniques of professional marketers to identify the types of messages that get the highest "open" or "click-through" rate. They build their assault around major events, holidays and anniversaries, or breaking news stories. After gathering information, the phisher will develop an email to mimic a "trusted organization" such as a bank. Some even create fake email accounts, pose as a victim's friend and send emails from there.

Using some personal information, they will request additional information or talk about an urgent problem. Sometimes there will be a link to the sender's website, which will look almost exactly like the real thing and where they ask you to input personal information. Scammers have been known to use JavaScript to place a picture of a legitimate URL over a browser's address bar. The URL revealed by hovering over an embedded link can also be changed by using JavaScript. A look at cases reveals the majority of spear phishing attacks are finance related, meaning the hacker wants to gain access to banking information. This can result in personal information being captured, accounts being drained and sometimes a whole identity being stolen. In other cases they just want to install malicious software onto a user's system.
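A mail filter can check for the link tricks described above. The following is an added example, not part of the original article: it scans an HTML message body and flags links whose visible text names one host while the href points to another, and links that carry inline script handlers. The function names, reason labels and sample domains are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Added example: names and reason labels are illustrative, not from any product.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect [href, visible text, has inline script handler] for each <a>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)  # attribute names arrive lower-cased
            self._cur = [a.get("href") or "", "", any(k.startswith("on") for k in a)]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def href_host(href):
    parts = urlsplit(href.strip())  # scheme and hostname come back lower-cased
    return (parts.hostname or "").removeprefix("www.") if parts.scheme in ("http", "https") else ""

def suspicious_links(html):
    """Return [(text, href, [reasons])] for links whose text and target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text, scripted in parser.links:
        reasons, shown, target = [], DOMAIN_IN_TEXT.search(text), href_host(href)
        if shown and target:
            name = shown.group(1).lower().removeprefix("www.")
            if target != name and not target.endswith("." + name):
                reasons.append("host-mismatch")   # text shows one site, link opens another
        if scripted or href.strip().lower().startswith("javascript:"):
            reasons.append("script-on-link")      # script can alter what hovering shows
        if reasons:
            findings.append((text.strip(), href, reasons))
    return findings

# Constructed sample body; every domain is a reserved test name.
SAMPLE = """
<a href="http://bank.example.account-verify.test/login">https://www.bank.example/login</a>
<a href="https://bank.example/help" onmouseover="swap(this)">Help centre</a>
<a href="https://www.bank.example/contact">bank.example/contact</a>
"""
```

Running `suspicious_links(SAMPLE)` reports the first two links and leaves the third, whose text and target agree, alone.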

Hackers are increasingly using this technique as a method to gain access to business systems. In other words, you may not be the target but your boss is. Spear phishing has become a great way for people to steal trade secrets and sensitive business data.

How to avoid phishing

Like most other types of phishing related emails, spear phishing attempts can be easy to block. Here are some ideas to help you avoid falling victim.

Follow the basic rule – Most banks, social media platforms and the like will not send you an email requesting personal information. Call and verify before you click a link. It is never a good idea to click on links without being sure where you are going. If you are unsure, phone the sender and ask. If you are provided a phone number, don't call it. Instead, look for a number on a website or previous physical correspondence. These guys are sneaky.

Look at the document – Phishing emails often originate in countries where English is not the main language. Look for spelling errors or strange sentence construction. The sender's email address can be a dead giveaway. When you spot them, send the email as an attachment to spam@uce.gov and delete it from your inbox.

Never give personal information out over email – Just plain common sense, you say? It isn't so common. If the sender requires personal information, call their business and ask why; online can be risky.

Share only essential information – Some forms have optional fields. If they need more information, find out why. This limits how much information is available for a hacker, or a careless employee for that matter. I always use a separate Gmail account for non-business items. This cuts down on spam and provides a platform where I can look and see before I try.

Bookmark a security website – Security websites such as Norton, SiteLock and all have blogs where they post the latest in security threats and more. Review them often; chances are your provider has a blog.

Let me know your thoughts!   
