Spear-Phishing: Don’t fall for the bait

Phishing refers to malicious e-mails designed to trick you into clicking on a malicious attachment or link.  We often receive these as fake Apple iTunes messages about a purchase we never made.  Some are easy to spot as fake and should be deleted and blocked.

Spear-phishing is a more targeted form of phishing.

Whereas ordinary phishing involves malicious e-mails sent to any random e-mail account, spear-phishing e-mails are designed to appear to come from someone you know and trust - such as a friend, relative, colleague - and can include a subject line or content that is specifically tailored to your known interests or industry.

Unlike phishing, spear phishing messages will address you by your name (e.g. Dear Laura, or Hi Dave).

For particularly valuable or lucrative targets, attackers may study the victim's Facebook, LinkedIn and other social networking accounts to gather intelligence, then choose the names of trusted people in the victim's circle to impersonate, or a topic of interest, as the lure to gain their trust.

An estimated 91% of hacking attacks begin with a phishing or spear-phishing e-mail.

Although your firewalls and other security products may help prevent malicious traffic from entering your system, e-mail is generally considered legitimate and trusted traffic and is therefore allowed into the network.  E-mail filtering systems can catch some phishing attempts, but they don't catch all of them.  Phishing attacks are so successful because people click on them at an alarming rate, even when e-mails are obviously suspicious.

One of the most famous examples of a spear-phishing attack that succeeded despite its suspicious nature targeted a security company in 2011.

The attackers sent two different targeted phishing e-mails to four workers.  The e-mails contained a malicious attachment with the file name “2011 Recruitment plan.xls”.

When one of the four recipients clicked on the attachment, the malware instantly opened and attacked the victim's computer.  The spear-phishing e-mail was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file.

Don’t fall for the bait: how to protect yourself

1)  Verify the e-mail address of the sender.  Criminals will create e-mail accounts with subtle differences from official ones, which you may not notice if you check your messages in a rush (for example, an official e-mail from British Airways may look like Hello@BritishAirways.co.uk, but the criminals may create a fake one like Hello@BritlshAirway.co.uk).

2)  Never click on links or open unexpected attachments from suspicious messages.

3)  Don’t call the phone number in suspicious messages, as it could be fake.  Ring the relevant person on the official number directly.

4)  Control how much personal information you share about yourself online.  The accumulation of your shopping habits, details of your employment, or how you like to spend your social life could be used by criminals to create messages which look authentic but are intended to harm you.
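The sender check in step 1 can be automated for a mailbox or mail gateway: compare the sender's domain against a list of domains you trust, after folding the character swaps that make BritlshAirway pass for BritishAirways at a glance.  The script below is an added example written for this post, not code from the original; the trusted-domain list, the confusable-character table and the distance threshold of 2 are assumptions for illustration.

```python
# Added example: flag sender domains that merely look like a trusted one.
from email.utils import parseaddr

# Constructed sample list of domains we expect legitimate mail from.
TRUSTED_DOMAINS = ["britishairways.co.uk", "apple.com"]

# Characters attackers swap for look-alikes, folded to their plain form
# (assumed table; extend for your own alphabet/brands).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Lower-case, fold confusable characters, and collapse 'rn' into 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@domain>'."""
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for good in trusted:
        # A near miss against a trusted brand is the spear-phishing signal.
        if edit_distance(norm, normalize(good)) <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the post's British Airways example.
    for header in ["British Airways <Hello@BritishAirways.co.uk>",
                   "British Airways <Hello@BritlshAirway.co.uk>",
                   "Support <help@example.com>"]:
        print(f"{header!r}: {classify_sender(header)}")
```

Unknown senders are not necessarily malicious, so the "lookalike" verdict is the one worth surfacing to the user or quarantining, while "unknown" simply means the domain is not on your list.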
