12 ways to protect your organisation against spear phishing

Online scammers are getting smarter, and one area of increasing threat is spear phishing.

You probably know what phishing is: an email, often badly written, trying to persuade you to divulge confidential information such as bank login details, or asking you to click through to a site that will prove to be decidedly dodgy.

With spear phishing the scammers have taken things up a notch. For a start the emails tend to be well written. But they are also personalised, highly personalised. The scammers target individuals: perhaps wealthy people, or people who have access to things they want such as customer lists or corporate information. Once they have identified you as a target, they trawl your social profile, gathering information from sites like Facebook and Twitter to learn things about you. They might even pay to get extra information from, for example, genealogy sites. They then use this information to write an email that seems credible and relevant. For instance:

Dear Angie. Welcome to Acme Inc. It’s good to know you joined last week. Doris in HR tells me you like skiing. Well you might like to know that we have an Acme ski club and we are planning a little trip to the Alps next weekend. New joiners like yourself will get a big 40% discount so click through to find out more about the trip.

You click, of course, and nothing seems to happen. But in fact your PC has been compromised with malicious software. What can you do about this? Well, there are several technical things your IT manager can put in place: configuring the email gateway to block messages that carry executable attachments (it is the mail filter, not the network firewall, that sees attachments), or running phishing detection software. Bear in mind that attackers often avoid executables altogether and rely on a link, as in the example above, so that won’t solve all your problems. There are a number of other things you need to put in place, and these mainly revolve around educating your staff:

  1. Tell people to be watchful. Describe what spear phishing emails can look like and what they do, and explain what they should do if they are suspicious. For instance, if an email asks for sensitive information they should check with a colleague, and if an offer is too good to be true, it probably is!
  2. Ask people to use their company email only for business purposes; if they haven’t got a personal email address, help them to get a free one from Google or Yahoo. This limits the number of places a company email address can leak onto the Internet.
  3. Teach people not to open email attachments from sources they’re not familiar with. Similarly, warn people to take care when downloading software and apps to mobile devices: if they are not familiar with the source they should check it out, and if they are familiar with it they should go directly to the source by typing in the URL rather than clicking on a link.
  4. Teach people not to click on links in emails, especially shortened ones. They should type in the URL directly. (Cutting and pasting the URL may not be a good idea, because they may not have noticed a tiny change to the URL that means it isn’t going where they think it is.) Similarly, clicking on links in social media can be very dangerous: these links (often in surveys or special offers) account for over half of malware attacks.
  5. Accept that people are lazy and are unlikely to type in URLs, so tell them that at the very least they should check where a link leads by looking at the address that appears at the bottom of the screen when they hover the cursor over it. Bear in mind that the visible text of a link can say one thing while the underlying address goes somewhere else, and that there is no hover on a phone or tablet, so this check only goes so far.
  6. Include in your social media policy advice or instructions on what corporate information not to divulge on social media (e.g. on LinkedIn). The more information you share, the easier you make it for scammers. Depending on your business and the employee’s role, you may want to restrict information such as the names of the people they report to, direct telephone lines and email addresses. Directors and IT personnel should be particularly careful about this.
  7. Tell people that if a “friend” emails and asks for a password or other information, they should contact that friend, using a phone number or address they already have, to check they really are who they say they are. Obviously they shouldn’t do this by replying to the email!
  8. Reiterate that it is never appropriate to share passwords and PINs with anyone online or on the telephone.
  9. Explain to people that just because a link starts with HTTPS, that doesn’t mean it is safe: it only means the connection to the site is encrypted, and scammers can get a certificate for their own site as easily as anyone else.
  10. Give people a taste of spear phishing. With management’s sign-off, send your colleagues a targeted spear-phishing email using an outside email address. Ideally dig up some information on their social media sites (Facebook, Twitter, LinkedIn, etc.) and use this to make the email seem credible. If this is impractical, for instance if you work for a large company, one thing you might do is find out which bank people’s pay is sent to (you won’t need their branch and account number, and I’d hope HR wouldn’t give you that anyway). Send them a fake phishing message seemingly from that bank. When they click on the link, tell them that they have been phished and give them some tips on avoiding this in future.
  11. You need people to report attempted attacks. Reward people for reporting suspicious emails and, if they do appear to be malicious, make sure everyone in your organisation knows to look out for them.
  12. You need people to report any instances when they think they have been scammed. After all, you will need to check their PC and your corporate network. So make sure you have a “no blame” culture about spear phishing, and never discipline people for falling foul of an attack.
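Several of the tips above (3, 4, 5 and 9, plus the note about blocking executables) can be checked by a machine before the email ever reaches a person. The script below is an added example, mine rather than anything from the original post: it parses a raw email, pulls every link out of the HTML body and every attachment out of the MIME parts, and reports the tells discussed above: a shortened link, link text that names one domain while the href goes to another, the company’s own domain planted as a subdomain of somebody else’s, a double extension, and a file that starts with a Windows executable header whatever it calls itself. The sample message, the domains acme-inc.com and login-portal.net, the shortener list and the extension list are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: domains the organisation really owns, a few URL shorteners, Windows-run extensions.
ORG_DOMAINS = {"acme-inc.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}

def registrable_domain(host):
    """Last two labels of a host name: a crude stand-in for the Public Suffix List
    (assumes no co.uk-style suffixes, which holds for the sample)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Reasons to distrust one link; tip 9 applies, so https:// earns no credit here."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return [f"unusual scheme {parsed.scheme!r}"]
    reasons = []
    if host in SHORTENERS:
        reasons.append(f"shortened link via {host}, real destination hidden")
    # Tips 4 and 5: the visible text may name one site while the href goes to another.
    claimed = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if claimed and registrable_domain(claimed.group(1)) != registrable_domain(host):
        reasons.append(f"text says {claimed.group(1)} but the link goes to {host}")
    # The real company domain planted as a subdomain of somebody else's domain.
    for org in ORG_DOMAINS:
        if org in host and registrable_domain(host) != org:
            reasons.append(f"{org} used as a decoy inside {host}")
    return reasons

def check_attachment(filename, data):
    reasons = []
    suffixes = re.findall(r"\.[a-z0-9]+", (filename or "").lower())
    if suffixes and suffixes[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {suffixes[-1]}")
    if len(suffixes) >= 2:
        reasons.append(f"double extension {''.join(suffixes)}")
    if data[:2] == b"MZ":  # every Windows executable starts with 'MZ', whatever its name
        reasons.append("Windows executable header (MZ) regardless of the file name")
    return reasons

def inspect_email(raw):
    """Parse a raw message and return (kind, what, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            findings += [("link", href, why) for why in check_link(href, text)]
    for part in msg.iter_attachments():
        name, data = part.get_filename(), part.get_payload(decode=True) or b""
        findings += [("attachment", name, why) for why in check_attachment(name, data)]
    return findings

def build_sample():
    """Constructed message modelled on the ski-club story above; every name is made up."""
    msg = EmailMessage()
    msg["From"] = "Acme Ski Club <skiclub@acme-inc-events.com>"
    msg["To"] = "angie@acme-inc.com"
    msg.set_content("Dear Angie, welcome to Acme. Trip details are attached.")
    msg.add_alternative(
        "<p>Dear Angie, welcome to Acme Inc. Doris in HR tells me you like skiing.</p>"
        '<p><a href="http://acme-inc.com.login-portal.net/trip">https://acme-inc.com/skiclub</a></p>'
        '<p><a href="https://bit.ly/example">Read the itinerary</a></p>',
        subtype="html")
    # A file that calls itself a PDF but starts like a Windows executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="trip-itinerary.pdf.exe")
    return bytes(msg)

if __name__ == "__main__":
    for kind, what, why in inspect_email(build_sample()):
        print(f"[{kind}] {what}: {why}")
```

Run against the sample, this flags both links and the attachment three times over, and a genuine link such as https://www.acme-inc.com/skiclub with neutral text comes back clean. A production gateway would replace the two-label domain guess with the Public Suffix List and add the sender checks (SPF, DKIM) that this example leaves out.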
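Tip 10 only teaches anything if you can tell exactly who clicked, and it only stays fair if nobody can forge or guess that record. This added example, again mine and not from the original post, shows one way to do that in Python: each recipient gets a link carrying an HMAC-based token, the landing page verifies the token before counting the click and showing the debrief, and a report gives the click rate. The campaign name, landing URL, bank name, recipients and debrief wording are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# What the landing page shows once the token has been verified (wording is an assumption).
DEBRIEF = ("This was an internal phishing test, not your bank. The unexpected sender, the "
           "24-hour deadline and a link that did not go to the bank's own domain were the "
           "warning signs. Hover over links before you click, and report emails like this.")

class PhishingDrill:
    """Track who clicked in an authorised, in-house phishing test. Nothing sensitive is
    stored: no passwords are requested and the only record is 'who clicked'."""

    def __init__(self, campaign, landing_url, recipients, secret=None):
        self.campaign = campaign
        self.landing_url = landing_url
        self.secret = secret or secrets.token_bytes(32)  # generated once, kept server side
        self.recipients = list(recipients)
        self.clicked = set()

    def token(self, recipient):
        # HMAC over campaign|recipient: unguessable, and a colleague cannot forge a
        # token to make it look as if someone else clicked.
        mac = hmac.new(self.secret, f"{self.campaign}|{recipient}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def link_for(self, recipient):
        return self.landing_url + "?" + urlencode({"c": self.campaign, "t": self.token(recipient)})

    def message_for(self, recipient, first_name, bank_name):
        """The bait: appears to come from the bank the employee's pay goes to."""
        return (f"Dear {first_name},\n\n{bank_name} has noticed unusual activity on your "
                f"account. Please confirm your details within 24 hours:\n\n"
                f"  {self.link_for(recipient)}\n")

    def record_click(self, url):
        """Called by the landing page with the URL that was requested.
        Returns (recipient, debrief) on a valid token, else (None, reason)."""
        query = parse_qs(urlparse(url).query)
        campaign = query.get("c", [""])[0]
        presented = query.get("t", [""])[0].encode()
        if campaign != self.campaign:
            return None, "unknown campaign"
        for recipient in self.recipients:
            if hmac.compare_digest(presented, self.token(recipient).encode()):
                self.clicked.add(recipient)  # repeat clicks by the same person count once
                return recipient, DEBRIEF
        return None, "token does not match any recipient"

    def report(self):
        sent = len(self.recipients)
        return {"sent": sent, "clicked": len(self.clicked),
                "click_rate": round(len(self.clicked) / sent, 2) if sent else 0.0}

if __name__ == "__main__":
    # Constructed recipients and bank; in practice the list comes from HR with sign-off.
    drill = PhishingDrill("ski-club-q1", "https://training.acme-inc.com/landing",
                          ["angie@acme-inc.com", "bob@acme-inc.com"])
    print(drill.message_for("angie@acme-inc.com", "Angie", "Example Bank"))
    who, text = drill.record_click(drill.link_for("angie@acme-inc.com"))
    print(who, "clicked;", drill.report())
```

The landing page should do nothing but call `record_click` and show the debrief; the moment it asks for a password it stops being training and becomes a credential store you now have to protect. Keep the secret off the mail server, and throw it away when the campaign ends so old links stop resolving to names.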

The bad news is that you are unlikely to be able to prevent 100% of spear phishing attacks, as they are so difficult to detect. The good news is that you can prevent a lot of them by giving people the right information. Any other tips? Let me know and I will gladly share them.

