Spear Phishing: What Is It and How Can It Catch You?

October is National Cybersecurity Awareness Month, and this week we will explore a subset of phishing called “spear phishing.”

The wide circulation of news reports on cyber-attacks and phishing scams suggests that global conglomerates and corporate titans are the targets cyber criminals fixate on most. The unfortunate truth is that small and medium-sized businesses face the same cyber-security threats their larger counterparts do. In turn, the sheer volume of customer data held by both small and large businesses puts consumers at risk to some extent as well.

Regardless of its level of sophistication, antivirus and security software cannot prevent or defend against every type of attack. Real human insight can ward off certain threats, some of which have the potential to be extremely customized in their targeting. With that in mind, let’s examine the rising danger of spear phishing in depth.

A spear-phishing attempt is often part of a hybrid attack. Using a combination of email, internet browsing, and file shares, cyber criminals will deploy social engineering techniques to craft seemingly legitimate correspondence. Spear-phishing campaigns are directed at a specific target and executed by hackers who have done their homework and learned the names of the target’s colleagues and external associates. Surprisingly, cyber thieves can identify friends and perhaps even the associations or churches the target belongs to, as well as the schools the target’s children attend. In the case of spear phishing, vigilance, and what may at times seem like paranoia, can sidestep these threats.

Based on data collected by ThreatSim, Verizon calculated that “running a campaign with just three phishing emails gives a hacker a better than 50 percent chance of harvesting a click. At six emails, the probability goes to 80 percent, and with 10 emails, it’s almost 100 percent certain that a target will have clicked and let a malicious payload into a targeted computer.”

Additionally, on some sites that hackers love (social media and banking websites), email addresses are used as usernames. A hacker who knows a target’s email address would then know their likely username for some accounts and could try to crack the target’s passwords on those accounts.

If you, a family member, or a co-worker receive one or more emails or private messages on social media from a suspicious source, take a pause. Decide whether there is a need to lock down your existing digital presence. These attacks can come in waves.

If something is indeed “phishy,” then your information may have been compromised, and it is best to contact a professional to begin the process of recovery.

 
