Spear-Phishing: Don't Take the Bait
Submitted by Karstens Investments on October 31st, 2019
by Deborah Kavan
By now, most online and email users are familiar with the term “phishing.” Phishing is a broad term for any attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details so that it can be misused. Attackers disguise themselves as a trustworthy entity and make contact with their target via email, social media, phone calls, and even text messages. Many phishing attempts start with a “spam” email. Spam is the electronic equivalent of the junk mail that arrives in your physical mailbox. Spam is not only annoying; it can be dangerous if it is part of a phishing scam. Luckily, a mass-mailed phishing attempt is usually not hard to spot. The red flags we see again and again are a manufactured sense of urgency or emergency (your account will be closed, a payment failed, act now) and clumsy grammar or spelling that suggests the message was not written by whoever it claims to be from. We’ve all received emails like that, and by now we all know to delete them without clicking any links or providing any information.
Unfortunately, as potential victims have become savvier in identifying and thwarting phishing scams, cybercriminals have responded by becoming more sophisticated in their attempts. Think of “phishing” as casting a large net over open water and hoping to catch a few victims. I like to think that I’m a smart enough “phish” to recognize the net hovering over me and to swim clear of it. “Spear-phishing” on the other hand, is a targeted attack on a specific person or entity. Think of this as the “phisherman” poised directly over you, aiming specifically at YOU. In addition, the criminals are posing as a friendly face and have already done extensive research and homework in order to spear you. Many “phish” would fall victim to a predator who was wearing this camouflage and who had already researched specifics such as habits, diet, and habitat.
Spear-phishing attacks target a specific victim. The message is tailored to that victim, purports to come from an entity the victim already knows, and includes personal details that make it feel genuine. Spear-phishing takes more thought and time than mass phishing: the attacker gathers as much personal information about the target as possible so that the email looks legitimate and the odds of fooling the recipient go up. Because these emails are personal, they are much harder to recognize than a generic phishing message sent to thousands of people, and that is exactly why spear-phishing attacks are becoming more prevalent.
Spear-phishing emails have become far more polished in the past few years and can be extremely difficult to detect. Attackers target people who put personal information on the internet. By scanning a social networking site and viewing individual profiles, they can find a person’s email address, friends list, geographic location, and posts about gadgets that were recently purchased. With that information, the attacker can pose as a personal friend or a familiar entity and send a convincing but fraudulent message. The purported “familiar entity” could be your tax professional, your attorney, or even… your financial advisor. Please know that although our office might send you an email that says something like, “Hi Doctor! Now that you are back from your beach house hunt in Florida, we should get together soon to go over funding the purchase from your non-taxable accounts. Besides, I can’t wait to hear about your eighteen holes at Sawgrass,” we would NEVER follow it with, “Just click on the link below to schedule your review for the open time that works best for you.” This is an entirely fictional situation, but a cybercriminal could easily have assembled that email if our imaginary client had recently posted a picture of themselves at the golf course and, in a separate post on another social media site, had mentioned wanting to retire on a Florida beach. That person might also have “liked” Karstens Investment Counsel on Facebook and listed on their LinkedIn account that they are a surgeon. Avid golfer + Florida beach retirement + probable client of Karstens Investment Counsel + surgeon = everything a spear-phisher needs to know to prey on you.
It is just that easy for someone to gather this information online and then assemble a legitimate-sounding email that asks for your private information, or asks you to click a link or open an attachment that installs malware on your computer.
Criminals no longer need to dig through discarded postal mail in your trash bin. It is far easier and more effective to research you online. To avoid becoming a victim:
Be careful about the personal information you post on the Internet. Look at your online profiles: how much personal information is available for a potential attacker to view? Is there anything you would not want a scammer to see? At the very minimum, configure your privacy settings to limit what non-friends can see. The only stranger who cares that you are vacationing in Australia is probably someone who intends to misuse that information.
Keep your operating system, browser, and anti-virus or anti-malware software up to date. If your software provider notifies you that a new update is available, install it right away. Most updates include security fixes that close the holes common attacks rely on. If possible, enable automatic updates.
Do not click links in emails. If an organization such as your bank sends you a link, open your web browser and type the bank’s address yourself instead of clicking the link. You can preview where a link really goes by hovering your mouse over it (on a phone or tablet, press and hold the link). If the address that appears does not match the link’s text or the email’s stated destination, there is a good chance it is malicious. Be aware that the real destination can also be a lookalike domain that differs from the genuine one by a single letter, so read it carefully rather than just glancing at it.
Be skeptical when reading emails and texts. The best defense is to verify any unexpected or unusual request by calling that “friend” or business at a number you already know (NOT the number provided in the message). If you get an email from a “friend” asking for personal information or your password, check whether the sender’s address is one you have known them to use before, but remember that a familiar address is not proof: sender addresses can be forged, and a friend’s real account may have been taken over. A phone call to a known number settles it either way.
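The two checks above (does the visible text of a link match where it really goes, and is the sender an address you have seen before) can be automated. The following script is an added example written for this post, not code from Karstens Investments or from any product. The sample message, every domain in it (all under .example or a placeholder .net name), and the allow-list of known senders are constructed for illustration. It parses an HTML email, compares the domain named in each link's text with the domain of its actual destination, and flags a From address that is not on the reader's list of known correspondents:

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a hypothetical allow-list of addresses this reader has actually
# corresponded with before. In practice it would come from your own contacts.
KNOWN_SENDERS = {"advisor@karstensinvestments.example"}

# Constructed sample in the style the post describes. Every domain is fictional.
# Note the sender domain: "investrnents" (r-n) imitates "investments" (m).
SAMPLE_EMAIL = """\
From: "Karstens Investments" <advisor@karstens-investrnents.example>
To: doctor@example.org
Subject: Schedule your review
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Doctor! Now that you are back from Florida, let's schedule your review.</p>
<p><a href="http://karstens.example.badhost.net/login">https://www.karstensinvestments.example/schedule</a></p>
<p>Or visit <a href="https://www.karstensinvestments.example/">www.karstensinvestments.example</a></p>
<p><a href="https://www.karstensinvestments.example/contact">Contact us</a></p>
</body></html>
"""

# Anchor text that itself claims a destination: a bare domain or a full URL.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(url_or_host):
    """Crude registrable-domain heuristic: the last two labels of the host.
    Enough to tell karstens.example.badhost.net from karstensinvestments.example;
    a production tool would consult the public suffix list instead."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_email(raw, known_senders=KNOWN_SENDERS):
    """Return findings: a sender not seen before, and links whose visible text
    names one domain while the href actually points at another."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _display_name, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() not in {s.lower() for s in known_senders}:
        findings.append(("unknown-sender", addr))

    body = msg.get_body(preferencelist=("html",))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body else "")

    for href, text in collector.anchors:
        # Only compare when the anchor text itself looks like a URL or domain;
        # text such as "Contact us" makes no destination claim to contradict.
        if URL_LIKE.fullmatch(text) and base_domain(href) != base_domain(text):
            findings.append(("link-mismatch", text, href))
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print(*finding)
```

Run it as-is to see the two findings for the sample message, or read a saved .eml file into check_email. The "Contact us" link is not reported because plain text makes no claim about where it leads; a real reader would still hover over it to see the destination. The base_domain heuristic keeps only the last two labels of a host, which suffices here but mishandles suffixes like co.uk. These checks only reproduce what a careful hover and a close look at the sender address reveal; they do not replace the call-back to a known number.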
Finally, if you suspect that you have been the target of a spear-phishing attack, please be sure to call our office at 800-480-9085 so that we can watch for suspicious activity in your accounts and assist you with additional precautions.