Many users are familiar with phishing emails: fraudulent emails designed to look like they are from legitimate websites, so they can bypass your spam filters. These messages have links that take you to fake websites that capture your account information so malicious actors can compromise your account and steal your data. This type of attack vector works well when users don’t take the time to check the email before clicking on links within it.
But as users and spam filters grow wiser, we are now seeing more and more Spear-Phishing attempts. Spear-Phishing is like Phishing in that it uses email to trick a person into giving up information. But unlike the large blast emails with fraudulent links sent to many people, Spear-Phishing is targeted at specific people with specific goals. Spear-Phishing is used not just to trick people into clicking on links and giving up their credentials and account information, but to trick users into transferring money or data in direct response to the message. These attacks are aimed at specific people within organizations; the malicious actors research those people to work out both what messaging would be most compelling to them and what information they might possess that could be valuable to hackers.
Spear-Phishing is often called “whaling” when it targets high-level executives and other important persons. Spear-phishing is growing rapidly in no small part because high financial returns continue to motivate cybercriminals to invest in this type of fraud that exploits human vulnerabilities.
ITeck clients are not immune to these targeted messages! In each instance of spear-phishing that we uncovered, the email account sending the message was a fraudulent account whose sender name was set to look like someone within the organization, usually an executive or upper-level employee. These emails ask the recipient to send information, immediately pay an invoice, or purchase gift cards. Usually the amount is relatively small for the business, which further encourages the recipient to make the payment quickly instead of checking with the boss.
Spear-Phishing Case Study
In one case of spear-phishing, one of our client’s employees received an email claiming to be from the head of his firm, saying that the boss thought iTunes gift cards would make a good gift for their clients. The fake message asked the employee to pick up the gift cards and said the firm would reimburse him. The user happened to be in the grocery store checking his email on his phone and replied saying sure, how many and for what amount. The malicious actor replied and asked the user to include the iTunes gift card codes in his reply once they were purchased. While purchasing the cards the user had a question and called his boss to get a quick answer. The boss, knowing nothing about this exchange, immediately assumed the organization’s account had been compromised and contacted us.
After securing the boss’s account, we began reviewing the emails from the malicious actor. We quickly determined that the emails had been sent to the employee’s personal Gmail account, not his work email, and that the sending account was spoofing the boss’s name and was not a legitimate account; the organization’s internal email had not been hacked. Unfortunately, when the email was viewed in the iPhone default mail app, the app hid the email address and displayed only the boss’s name. The client has public profiles for some employees on their website; the malicious actor appeared to have taken the employee names from the site and searched Facebook for how to contact them. We determined that the employee’s personal email address was publicly visible on Facebook.
When the emails were viewed in webmail or in a proper email client, their fraudulent nature was apparent to the user, but it was not when they were viewed on his phone. Thankfully we detected the fraud before any money was sent to the malicious actors.
Protecting you and your organization from such attacks requires vigilance on the part of every person you employ. We’ve worked with many of our clients to create protocols that put a warning at the top of any email that arrives from outside the organization. This helps prompt users to stay cybersecurity aware and examine emails carefully, including who sent it and what the message is, before blindly clicking on links and/or attachments.
Spear-Phishing: Lessons Learned
1. If an email is asking for immediate confirmation of payment, codes for approval, etc., be very wary. Follow up via a different mode of communication to confirm the request.
2. Act fast to identify the interloper. Pull in IT specialists to make sure that the vulnerability is understood and corrected.
3. Be cautious when the lines and modes of communication differ from what is normal in your organization’s workflow and culture. If you don’t usually receive emails from your boss to your personal email, check carefully before taking any action.
4. Communicate the experience clearly and effectively across all channels within your organization so everyone can understand the types of attacks possible and everyone can learn from the experience. Foster a culture in which there is both shared understanding and shared accountability – everyone is a part of the solution.
However, such a warning banner doesn’t protect against attacks targeting users’ personal accounts, as in our case study. Deterring this sort of attack requires employees to be involved in protecting themselves. Before clicking on any links within messages, they should check who the email came from — not just the sender’s name but also the email address. In addition, checking whether the sender included their usual signature, or whether the writing style differs from their normal style, can be a good indicator of authenticity or fraud.
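The two checks discussed above, the external-sender warning a mail gateway can add and the “look at the address, not just the name” check a user should make, can both be automated against the raw headers. The following is an added example written for this article, not ITeck’s or any client’s tooling. It assumes an organization domain of example.com, a hard-coded list of executive display names, and three constructed sample messages (one internal, one spoofing an executive from a Gmail address as in the case study, one from an ordinary outside vendor); all of these are assumptions, not values from the article. It flags a sender as external when the address domain is not the organization’s, flags display-name impersonation when an external address carries an executive’s name, flags a Reply-To that would divert answers to a different domain, and prepends the matching banners to the body.

```python
# Added example (not ITeck's own tooling): flag external senders and
# display-name impersonation of known executives in raw email headers,
# then prepend the kind of warning banner the article describes.
# Assumptions (constructed for this example): the organization's domain is
# example.com, the executive list is hard-coded, and the sample messages
# are made up.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumed organization domain
EXECUTIVES = ["Pat Jones", "Sam Rivera"]    # assumed executive display names

EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organization."
IMPERSONATION_BANNER = ("[WARNING] The sender's display name matches an internal "
                        "executive, but the address is external. Verify by phone.")
REPLY_TO_BANNER = "[WARNING] Replies will go to a different domain than the sender."


def normalize_name(name: str) -> str:
    """Lower-case and sort name tokens so 'Jones, Pat' and 'Pat Jones' compare equal."""
    tokens = name.replace(",", " ").casefold().split()
    return " ".join(sorted(tokens))


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return address.rpartition("@")[2].casefold()


def classify_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Classify one From header (and optional Reply-To) for the warning signs
    discussed in the article: external origin, executive display-name
    impersonation, and a Reply-To that diverts answers elsewhere."""
    name, address = parseaddr(from_header)
    from_domain = sender_domain(address)
    # Exact match only; add sub-domains here if the organization uses them.
    external = from_domain != ORG_DOMAIN
    known_execs = {normalize_name(e) for e in EXECUTIVES}
    impersonation = external and normalize_name(name) in known_execs
    _, reply_address = parseaddr(reply_to_header)
    reply_to_mismatch = bool(reply_address) and sender_domain(reply_address) != from_domain
    return {
        "name": name,
        "address": address,
        "external": external,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
    }


def analyze_message(raw_message: str) -> dict:
    """Parse a raw RFC 822 message, classify its sender, and return the banners
    a mail gateway would prepend to a plain-text body."""
    msg = message_from_string(raw_message)
    info = classify_sender(msg.get("From", ""), msg.get("Reply-To", ""))
    banners = []
    if info["external"]:
        banners.append(EXTERNAL_BANNER)
    if info["impersonation"]:
        banners.append(IMPERSONATION_BANNER)
    if info["reply_to_mismatch"]:
        banners.append(REPLY_TO_BANNER)
    body = "" if msg.is_multipart() else msg.get_payload()
    info["banners"] = banners
    info["tagged_body"] = "\n".join(banners + [body]) if banners else body
    return info


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = (
    "From: Pat Jones <pat.jones@example.com>\n"
    "Subject: Q3 figures\n"
    "\n"
    "Attached are the numbers we discussed.\n"
)
SAMPLE_SPOOF = (
    'From: "Pat Jones" <patjones.ceo@gmail.com>\n'
    "Reply-To: patjones.ceo@gmail.com\n"
    "Subject: quick favor\n"
    "\n"
    "Can you pick up some gift cards for our clients? I will reimburse you.\n"
)
SAMPLE_VENDOR = (
    "From: Billing <billing@vendor.example.net>\n"
    "Subject: Invoice 1042\n"
    "\n"
    "Your invoice is attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("internal", SAMPLE_INTERNAL), ("spoof", SAMPLE_SPOOF), ("vendor", SAMPLE_VENDOR)]:
        result = analyze_message(raw)
        print(label, result["address"], result["banners"])
```

Running the script prints no banner for the internal message, the external banner alone for the vendor, and both the external and impersonation banners for the spoofed message, which is exactly the case the iPhone mail app hid by showing only the display name. The Reply-To check is included because a diverted reply address is another signal a gateway can surface before the user ever sees the message; in the case study the attacker’s own address was both From and Reply-To, so that check stays quiet there.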
Users must be vigilant in their day-to-day routines because malicious actors are increasingly seeking to take advantage of these routines. Regular training and fostering a culture of cybersecurity awareness can help keep all employees knowledgeable of the types of attacks out there and the warning signs to look for.
This article is the second in an ITeck series on digital security. Check out the first piece in the series on Multi-factor Authentication.