If you’re knowledgeable about internet security, you’ve probably heard about phishing. You’ve undoubtedly received emails pretending to be from your bank or from Microsoft, asking you to send your password. Hopefully you know that you should never do that.
But there is a much more sophisticated version of this technique, called spear phishing. This is where an individual is the target of a very well-researched and personalized phishing campaign.
Even seasoned internet users can be tricked by spear phishing, so here’s how it works and how to stay safe from it.
How Spear Phishing Works
Spear phishing follows a well-known pattern. The phishers will begin by researching you and learning about the company you work for, your colleagues, and projects that you may be currently working on.
Then you’ll receive an email that appears to come from someone you know. As an example, it may reference a project you are working on or an issue you are dealing with. (Alternatively, it might reference a forthcoming event, or a mutual contact). In the email will be a link to a file you are instructed to download.
Often the file will be hosted by a service like Dropbox or Google Drive. When you go to the page hosting the file, you’ll be asked to enter your credentials. The log in site will look just like a legitimate Google or similar log in page.
But this page is actually being run by the scammer. When you enter your username and password, this information is sent to the scammer instead of logging you in. This can even work with two-factor authentication. When you enter your authentication code, this is sent to the scammer as well.
The scammer then has the username and password for your Google account or other important account. They can use this to access your other accounts too. Your security is totally compromised.
How Spear Phishers Make Their Messages Look Legit
Regular phishing emails are easy to spot if you know what to look for. But unlike the generic phishing emails that are sent out in bulk, a spear phishing attack is targeted to you specifically. The phishers use techniques to make their emails more convincing.
One common trick is for the phisher to buy a domain very similar to the real domain they want to fake a message from.
For example, if someone was trying to fake an email from makeuseof.com, they might buy the domain rnakeuseof.com. The r and n together look a lot like an m if you are reading quickly. If someone sent you a message from email@example.com you might well think it was legit.
Alternatively, a phisher might use email spoofing to forge a fake email from someone you know.
The email messages will be well-written and professional, with no spelling or grammar mistakes. And phishers can be very cunning in the way they make the emails look urgent and important. They could fake an email from your boss or from the CEO of your company—someone you wouldn’t want to question.
Phishers may even do research to find out when one of your colleagues is away on a business trip. Then they’ll email you, pretending to be that colleague, as they know you won’t be speaking to them in person. There are lots of ways for a phisher to find out about your company and to use that information to trick you.
People Who Are Vulnerable to Spear Phishing
As spear phishing is a targeted attack which requires a lot of research, scammers choose their target carefully. Phishers will pick out a person in a company who has access to key systems, or target individuals with a high net worth or who can access large funds.
The people most at risk from spear phishing attacks are general employees in a business, or anyone using their computer at home. Senior people in a company such as those working in management, or people working in IT, will be more at risk from “whaling” which is a cyber attack on high-value targets.
How to Stay Safe From Spear Phishing
With spear phishing attacks being as sophisticated as they are, you need to be careful. Even an innocuous-sounding message from a trusted friend or colleague could turn out to be a phishing attack.
Fortunately there are some practical steps you can take to stay safe and reduce the likelihood that a phishing attack on you will succeed:
- Whenever you receive an email, double and triple check the sender address. You need to look carefully to make sure the address isn’t faked or inaccurate. Just because an email seems to come from someone you know, looks like a regular email from them (with their signature, company information, and so on) doesn’t mean it is necessarily legit.
- Be suspicious if the sender makes the request sound very urgent, especially if they’re asking you to do something you normally wouldn’t. For example, if within your company you typically share files over a network drive, but now someone asks you to urgently download a file from a Dropbox, this is a clue that something isn’t right.
- Confirm a request by phone if it’s out of the ordinary. The best way to defeat phishing is to pick up the phone and speak to the purported sender for yourself. If the request is genuine, it will only take a minute to confirm. If it’s not, you’ll have dodged a potentially harmful situation.
- Watch out for files linked in emails. Even something that you might assume would be safe, like an Excel or Word file can hide malicious software. Be extra careful if a linked file requires you to enable macros, as this is a common way to install malware on your device.
Watch Out for Sophisticated Spear Phishing Attacks
Spear phishing is a much more sophisticated version of traditional phishing attacks. It uses a great deal of research to target a particular individual, by faking email correspondence from one of their contacts.
These emails can look very convincing and instruct the recipient to download a file which contains malware, allowing the phisher to gain access to the target’s email account or other accounts.
Watch out for these emails which may look legit but can be a way to compromise your accounts. And while you’re here, learn about other phishing techniques to be aware of like vishing and smishing too.
Image Credit: yanlev/Depositphotos