We are all aware of the threats associated with spam email, but what about the more sophisticated email scams? In the latest of our #BackToBasics series of posts, we take a look at the ever-evolving cyber threat of spear phishing.
Your email inbox is full to the brim of unread messages and you have fifteen minutes to sift through them all before your next meeting. You scan through the list and see a request from a Nigerian businessman asking for your bank details to transfer millions of dollars to you. You consign it to spam and move on. There’s an email from your bank, a few from suppliers and one from your company’s technical director, James, asking you to change your password and username by following the link.
A few clicks later and you’ve changed your password and all is sorted – a quick win. But was the message really from your technical team? Last time you changed your login details, wasn’t it through the internal system? In your rush, you’ve fallen prey to a spear-phishing attack.
What is spear phishing?
Spear phishing is a type of spam message and was one of the fastest-growing cyber threats last year. ‘Everyday’ spam comes from a random source and is an obviously unsolicited message – like the infamous Nigerian bank account spam messages. Phishing is a more targeted form of spam: the messages appear to have been sent from a large, trusted corporation like eBay, PayPal or a bank.
Spear phishing takes it to the next level. Messages sent in a spear phishing attack are highly targeted so that they appear to have been sent from a closely trusted source, for example, a person in authority in your company or a member of your company’s technical team.
Who carries out spear phishing attacks?
This type of attack is rarely used by random hackers. As the attack is very targeted and specific, the perpetrator usually carries it out for a particular reason, for example, financial gain or trade secrets.
This type of attack has also been used as an example to teach military personnel the risks of trusting electronic communications. During this test, 80% of the recipients of the fake spear phishing message clicked the link within it – this could have led to spyware or malware being downloaded onto military systems.
How can I protect myself and my business?
- Effective mail filter technology will prevent you receiving the messages in the first place.
- Never share your personal data via email – if it is a request for information from your company, share the information in person or on paper. Banks will never ask for your account information via email.
- Read, re-read and read the message again. The messages are designed to fool you, and that is easier to do if you are in a rush.
- If you’re ever in doubt, don’t click the link or reply – pop over and have a chat with the sender or give them a call to confirm what they need from you.