10 Ways to Snuff out Spear Phishing
March 8, 2018 by
What is spear phishing? To define spear phishing, you first have to understand the concept of phishing.
Phishing: an online con game that uses social engineering and fear tactics to get the victim to take the bait. It can arrive via cold calls, pop-up messages on the computer, text messages or poisoned search engine results, but most often it uses email. The motive is to extort money from the victim, install malware, or steal information such as credentials, credit card or banking details, or to aid in identity theft.
Spear Phishing: a phishing scam that targets a specific individual, organization or business. The emails, text messages or phone calls are “tailored” to each victim.
Spear phishing attempts may contain information such as friends’ names, your hometown, your employer, locations you frequent and items you may have purchased online. This is the most successful form of getting confidential information, accounting for 91% of attacks.
Here’s what the Digital Guardian has to say about Spear Phishing
The 10 Steps
Here are 10 things you can look for in email and instruct your users to do the same:
- If an email seems unexpected, be suspicious: Trust your instincts, don’t trust unexpected emails.
- Errors in the “From” email address: Emails often come from a domain close to a legitimate domain, but slightly different.
- Grammar and spelling errors in the body of an email: English is not always the phishermen’s first language.
- Blank space in place of your name (“Hello, [blank]”) or other odd personal details: Spear phishers are trying to use personal information to target you, but they get some details wrong, such as missing a name or using a more formal one. E.g., they use “Robert” where the context of the conversation would use “Bob.”
- Warnings of stolen information, or a prize you have won, that draw you to “click here”: Never click on a link in an email you did not expect. You did not win.
- Pop-ups that tell you to fix a computer issue by calling an 800 number: Know what brand of antivirus you have on your computer and have an idea of what its pop-ups look like. Don’t respond to the rest.
- The link in an email doesn’t match the domain the email came from: You can usually mouse over a link in an email and see where it goes without clicking it. If something seems odd, look more carefully.
- Any request for personal information is “phishy”: The IRS will not email you to ask for personal information, nor will your bank. If an email asks you to click a link and enter personal information or log in (bank, Gmail, cell phone account, etc.), go to the site yourself by typing the address into your browser; don’t use the link in the email. If your bank sends you emails asking you to click a link and log in to online banking, its cyber security practices are inadequate. Change banks.
- Desperation, rush, or fear: Phishing emails almost always use these three tactics to pull you into their trap. If you get an email from your “boss” desperately telling you to wire $10,000 somewhere, question it. Go ask in person or call and ask; don’t reply to the email.
- If you click on a link and the site looks insecure, don’t enter any information: If you are logging in or filling out personal details, don’t trust a site that presents a bad or untrusted encryption certificate.
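Several of the checks above (a look-alike “From” domain, a blank greeting, pressure words, and link text that does not match the real link target) can be scored automatically before a message reaches a user. The following is an added example written for this post, not code from CSB or Barracuda; the trusted domain list, the pressure-word list and both sample messages are constructed for illustration.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from urllib.parse import urlparse

# Assumed: domains the organization treats as legitimate senders.
TRUSTED_DOMAINS = {"example-corp.com"}
# Assumed: words that signal desperation, rush or fear.
URGENCY_WORDS = ("urgent", "immediately", "today", "wire")

# Constructed sample (not a real message): look-alike sender domain ("1" for "l"),
# blank greeting, urgency wording, and visible link text that hides a different host.
SUSPICIOUS = """From: Accounts Payable <ap@examp1e-corp.com>
To: bob@example-corp.com
Subject: URGENT wire transfer needed today
Content-Type: text/html

<p>Hello ,</p><p>Please wire $10,000 immediately, it must go out today.</p>
<a href="http://login.examp1e-corp.com/verify">https://portal.example-corp.com</a>
"""

# Constructed benign sample used to show the checks do not fire on ordinary mail.
LEGIT = """From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch next week
Content-Type: text/html

<p>Hello Bob,</p><p>Are you free Tuesday? Menu: <a href="https://portal.example-corp.com/menu">https://portal.example-corp.com/menu</a></p>
"""

def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def check_message(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    text = (msg["Subject"] + " " + body).lower()
    sender = msg["From"].addresses[0].domain.lower()
    findings = []
    # "From" domain that is close to, but not the same as, a trusted domain.
    if sender not in TRUSTED_DOMAINS and any(
            SequenceMatcher(None, sender, d).ratio() >= 0.85 for d in TRUSTED_DOMAINS):
        findings.append("lookalike-sender")
    # Greeting with nothing where the recipient's name should be, e.g. "Hello ,".
    if re.search(r"\b(hello|hi|dear)\b\s*,", body, re.I):
        findings.append("blank-greeting")
    # Two or more pressure words across subject and body.
    if sum(w in text for w in URGENCY_WORDS) >= 2:
        findings.append("urgency")
    # Visible link text is itself a URL, but its host differs from the real href host.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        if shown.strip().startswith("http") and host_of(shown) != host_of(href):
            findings.append("link-mismatch")
    return findings
```

These are heuristics, not proof: a legitimate newsletter may also say "Hi," with no name, so treat the output as a prompt to look more carefully, as the list above advises.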
This is a great blog post from Malwarebytes with more information on spear phishing attempts.
How to Protect Yourself from Phishing Attempts
- Keep personal information off the internet, or at least set your privacy settings to limit what others can see.
- Use smart passwords; random is best. Better still, use two-factor authentication.
- Keep your software updated. These updates fix “holes” the manufacturer already knows about.
- Do not click links in emails! Hover your mouse over a link to check the URL, or go directly to the website by opening a new page in your browser.
- Make sure emails are from who they say they are from.
- Use a data protection program to protect your organization. CSB is a Barracuda Partner.
- Train your employees on how to spot suspicious emails.
Partner with Great People and Great Products
CSB is a Network Engineering firm based in Central PA. We have been helping clients with cyber security and many other network-related challenges for over 12 years. Good email security and user training are part of the sound security framework every organization should implement. We partner with Barracuda because we believe in their products and service.
Barracuda just acquired PhishLine, LLC. With this transaction, Barracuda combines gateway security, data protection, AI-based targeted threat protection, and user awareness training to deliver comprehensive protection against email-borne threats.
Barracuda Sentinel is a comprehensive artificial intelligence (AI) solution for real-time spear phishing and cyber fraud defense. Delivered as a cloud service, Barracuda Sentinel utilizes artificial intelligence to protect people, businesses, and brands from spear phishing, impersonation attempts, business email compromise (BEC), and cyber fraud.
There are three main components to Sentinel:
- A multi-layer AI engine that detects and blocks spear phishing attacks in real time and identifies which employees are at highest risk of spear phishing
- Domain Fraud Protection that delivers visibility and analysis of DMARC reports, which prevent phishing and brand hijacking and ensure deliverability of legitimate email traffic
- Anti-fraud training including simulated spear phishing attacks for high-risk individuals (these individuals are identified using the intelligence gathered by the AI engine)
Want to Learn More?
CSB and Barracuda are offering a free webinar on Spear Phishing and Cyber Fraud. Join us on Wednesday, April 25 to learn more about cybersecurity threats to your networks. Registration is required. Check out the CSB Events page for more info.
Spear Phishing Part 1 was the topic of our last CSB monthly newsletter; next month will cover Part 2. If you’d like to subscribe to our newsletter, let us know.