Spear Phishing Attacks Target Businesses and Consumers

Takes standard phishing to a higher level...

In a recent CCT article I pointed out that online phishing attacks are becoming more sophisticated even as they pursue two basic goals—getting people to hand over personal data or placing malware on personal devices. In pursuit of even more specific goals, spear phishing has become a common tactic.

Spear phishing takes standard phishing to a higher level. The emails appear to be from a trusted source and are sent to targeted individuals with the aim of getting recipients to provide confidential data. Spear phishing can target consumers, but businesses are the most common target.

Any organization, large or small, that has useful data about customers or clients is a tempting target. Organizations that supply or partner with service providers or other large companies can be targets, even if they hold little valuable data themselves.

Spear phishing is done in one of three basic ways:

  1. Brand impersonation accounts for over 80% of all spear phishing according to one recent report. The key is that the email looks to be from a known and trusted entity. Last year over $800,000 was stolen from Cape Cod Community College after an employee opened an attachment in an email that appeared to be from another university. Fortunately, the employee realized that something was wrong and notified the college’s IT department. However, by that time the virus had spread to computers throughout the college. - The most noxious examples occur after tragedies of some type. Scammers impersonated a New Zealand bank to direct funds to fake accounts supposedly honoring the Christchurch victims. Here on the Cape it was a telephone scam purportedly raising money in memory of slain Yarmouth police officer Sean Gannon. Report these criminals and search for legitimate ways to make your contribution. Be careful as you search; fake websites are often created for legitimate charities. What they cannot fake is the genuine URL of the charity.
  2. Business email compromise accounts for only a small fraction of incidents but it can cause large losses. It involves emails purporting to be from a high-ranking company official instructing an employee to share data or to complete a wire transfer. This is a very specific type of scheme often directed at financial institutions and finance departments in businesses.
  3. Extortion is the third objective. Schools and health care organizations are constantly at risk from ransomware attacks that threaten to release student or patient data. School districts have also seen their data stolen and used to extort parents with threats of harm to their children.

Most businesses already have some types of protection in place, but vigilance is required to ensure they are activated and functioning properly. The antivirus protection in basic security software is a first line of defense. So is the email authentication that is part of email software packages. If malware does get through the original defense, it is likely to replicate itself quickly and infect computers throughout the business network and perhaps beyond, hence the need for vigilance.

The basic security packages are designed to protect computers that remain connected to the network. Todays business networks include many other devices—laptops, notebooks and smart phones, for example—that can connect to the network. They can quickly be infected by replicating malware. Endpoint security solutions are required to successfully manage threats to networks that include mobile devices. While there are DIY alternatives, they may be beyond the skill set of many business owners. There are many reputable firms that sell endpoint security solutions and they have informative explanations on their websites and blogs. At the end of the day, however, they are all trying to sell something. Look for guidance like this article that provides information as well as software reviews.

In the end, remember that no software can do its job if employees are not security conscious. This is a more detailed set of indicators of phishing emails, and it is worth reviewing with all employees.

CapeCodToday.com welcomes thoughtful comments and the varied opinions of our readers. We are in no way obligated to post or allow comments that our moderators deem inappropriate. We reserve the right to delete comments we perceive as profane, vulgar, threatening, offensive, racially-biased, homophobic, slanderous, hateful or just plain rude. Commenters may not attack or insult other commenters, readers or writers. Commenters who persist in posting inappropriate comments will be banned from commenting on CapeCodToday.com.