Spear phishing is a variant of phishing in which criminals use individually targeted messages to trick people into giving up sensitive information or performing an action, the most common objective being to have staff transfer money into a third-party bank account. The attackers combine research from public sources, such as company websites and LinkedIn, with social engineering to craft a customised email that the recipient is far more likely to accept.
It should be noted that this is not a hack in the technical sense. Email filtering and sender authentication reduce the volume that reaches inboxes, but a well-crafted message passes them, because the attack relies on human nature to succeed; it must therefore be prevented by awareness and education.
Much of the research behind spear phishing is itself social engineering, often carried out by telephone. Be aware of what information about your organisation you provide to unknown parties and how it could be used. A typical example is a call from a "company" wanting to invite your head of finance to an event and asking for their name and email address. If in doubt, do not provide this information.
The following are signs you should look for that an email may be a phishing attack:
- Look at the sender's email address, not just the display name – Addresses can be spoofed to look like someone you know, or they may use a lookalike domain that adds a different country's or company's suffix (example.com.ru).
- Look at the subject line – Does it create a sense of urgency? Is it a single word dressed up as a reply, such as "Re: Document", to a conversation you never had? That is also a sign of a scam.
- Look at the body of the message – If the sender is someone you recognise, does the email follow their normal style? Does it have a salutation, and is it addressed to you specifically or generically ("Hi," rather than "Hi Adam,")? Does it carry the sender's signature, and does that name match the person identified in the email address above? Does it include the company's contact details and/or graphics that you are accustomed to seeing if you have received mail from them before?
- Look at the content of the body – If it asks you to transfer money or provide financial information, be particularly suspicious. Always validate such requests with a phone call to the sender, using a number you already have on file rather than one given in the email.
- Look at what the message asks you to do – Does it ask you to open an attached file or follow a link? Does it create a sense of urgency? With malware, the purpose of the body is simply to entice you to open the attachment, and fear and urgency are the usual levers.
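As an added example (not code from the original page), the following Python script applies the checks above mechanically to a raw email: it compares the display name with the real sender address, looks for a known domain reused inside a lookalike domain (example.com.ru), treats a "Re:" subject that carries no In-Reply-To or References header as a fake reply, and scans the body for urgency wording, money-transfer wording, a generic greeting, and links or attachments. The trusted-domain list, the keyword lists and the two sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed for this example: domains the organisation and its known
# correspondents send from. Anything else is treated as unknown.
TRUSTED_DOMAINS = {"example.com"}

# Assumed keyword lists; tune them to the language your staff actually use.
URGENCY_WORDS = ("urgent", "immediately", "asap", "final notice", "before end of day")
MONEY_WORDS = ("wire", "transfer", "bank account", "iban", "sort code", "payment details")
GENERIC_GREETINGS = ("hi,", "hello,", "dear customer", "dear sir", "dear colleague")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def domain_of(address):
    """Domain part of an address-like string, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain):
    """True when a trusted name is embedded in a different domain, e.g. example.com.ru.
    A genuine subdomain (mail.example.com) is not a lookalike."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return False
        if trusted in domain:
            return True
    return False


def phishing_flags(raw):
    """Return the list of warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    flags = []

    from_hdr = msg["From"]
    addr = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display_name = addr.display_name.strip('"') if addr else ""
    sender = addr.domain.lower() if addr else ""

    # Display name pretending to be an address at a trusted domain.
    shown = domain_of(display_name)
    if shown in TRUSTED_DOMAINS and sender != shown:
        flags.append("display-name-mismatch")
    if is_lookalike(sender):
        flags.append("lookalike-domain")

    # A real reply carries threading headers; a fabricated "Re:" does not.
    subject = (msg.get("Subject") or "").strip()
    if re.match(r"(re|fw|fwd):", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        flags.append("fake-reply")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (subject + "\n" + body).lower()

    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency")
    if any(w in text for w in MONEY_WORDS):
        flags.append("money-request")

    # Generic salutation: first non-empty body line is "Hi," rather than "Hi Adam,".
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")

    if URL_RE.search(body) or next(msg.iter_attachments(), None) is not None:
        flags.append("link-or-attachment")

    return flags


# Constructed sample: a typical finance-targeted spear phish.
PHISHING_SAMPLE = """From: "ceo@example.com" <ceo@example.com.ru>
To: finance@example.com
Subject: Re: Invoice

Hi,

Please transfer the attached invoice amount to our new bank account.
This is urgent, handle it immediately and confirm by reply.
http://example.com.ru/invoice
"""

# Constructed sample: an ordinary internal reply.
GENUINE_SAMPLE = """From: Adam Smith <adam.smith@example.com>
To: jane.doe@example.com
Subject: Re: Q3 budget notes
In-Reply-To: <abc123@example.com>

Hi Jane,

Just confirming Thursday's meeting at 10. The notes are on the shared drive.

Adam
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("genuine", GENUINE_SAMPLE)):
        print(label, phishing_flags(sample))
```

Scoring like this is a triage aid, not a filter: a message that trips none of the checks can still be a well-researched spear phish, which is why the phone-call validation of any payment request remains the control that matters.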
This is also an important reminder to review your insurance protection and check whether your policy includes an extension for Social Engineering Fraud.