Spear phishing: when hacking gets personal
Anyone who spends the first part of their morning trawling through hundreds of emails knows they’re vulnerable to phishing attacks. We’ve all been subject to urgent requests to click through to forms and landing pages posing as bona fide companies.
Phishing is a fairly crude way of hacking into someone’s space to fool them into parting with money or personal data. Attackers flood the corporate world in the hope that someone, somewhere, isn’t paying enough attention to the authenticity of their emails. It’s like casting a net behind a trawler. Most of the catch is small fry, but there’s a chance you’ll drag up a few big fish along the way.
Most of us have got wise to these scammers. So to cut through security software, junk filters and more aware users, scammers have had to get smarter: social engineers who know that the surest way to fool someone is to pretend to be someone they know and trust. Spear phishers.
Getting to know you
Spear phishing targets individuals, with personalised emails, in much the same way as legitimate businesses use email and social media platforms to single out and target their best and most valued customers. At first sight, the messages appear to come from someone every bit as authentic as your desk buddy, hooking you with familiar names, events and recent transactions. They’re not fussy about who they impersonate, as long as they get results: it could be your bank, a longstanding client or supplier, another employee, even your boss or a member of your own family.
In opening up multiple ways to talk to and attract customers, businesses have opened themselves up to abuse. Hackers have a rich and freely accessible pool of information that they can legitimately research to become your ‘friend’, scraping email addresses, friend names, locations, information on new purchases or places of employment from social media accounts. They can trawl company newsletters, blogs, press releases and company web pages. A platform like LinkedIn is an absolute goldmine for a spear phisher.
Who’s the target?
In 2018, business email scams cost US businesses $1.2 billion and individuals more than $48 million [1]. You could so easily be next. Especially if you’re a big fish.
A recent Rapid7 experiment managed to fool three-quarters of the CEOs it targeted.
Why? Because top execs are actually quite soft targets. Under pressure and juggling time-critical tasks, they make assumptions and decisions based as much on instinct and human nature as on harsh reality.
Psychologists call these attentional or cognitive biases. “… the instinctive leaps our minds make—our gut reactions and things we ‘know’, though we’re not sure how we know them. Scientists believe they are a relic of evolution: little shortcuts programmed into our minds to help us process information faster. But they sometimes lead us just as quickly to the wrong conclusions.” [2]
What can you do about it?
While spam filters, malware detection and antivirus tools will catch a large percentage of phishing emails, most of the detective work is down to you.
Never take anything at face value. Just being alert to the risk can be enough to make you think twice before you click that link. If ever you’re asked to hand over money or information, always question it, dig a little deeper and make sure the email is genuine. A quick phone call to your colleague, or a web search, will confirm the request came from them. Or not.
Don’t confuse urgency with importance. Hackers use urgency to trigger emotional responses and blind your common sense. The pressure to ‘act now’ often comes with a request to fast track payments without the usual checks and procedures. Why would you do that?
Instill a phishing-aware culture, with phishing simulation tests, user education and an established process for users to report suspicious emails to the IT security team. Deploy strong security measures to authenticate and block suspicious activity. Thanks to AI advances, novel cyber security solutions are able to leverage machine learning to identify malicious emails, URLs, and attachments, as well as attempts to impersonate business associates.
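The checks a mail gateway or security team typically automates for the advice above (failed sender authentication, a trusted display name paired with an unfamiliar address, a lookalike domain, and pressure-to-pay language) can be illustrated with a small triage script. This is an added example, not code from the original article or from any product it mentions; the organisation domain, the contact directory and the two sample messages are constructed for illustration.

```python
"""
Inbound-mail triage for spear-phishing signals.  Constructed example:
ORG_DOMAIN, KNOWN_CONTACTS and SAMPLES are assumptions, not real data.
"""
import difflib
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed: our own domain
KNOWN_CONTACTS = {                              # assumed: a tiny internal directory
    "jane doe": "jane.doe@example.com",         # hypothetical CEO
    "acme supplies": "billing@acme-supplies.test",  # hypothetical supplier
}
# Words that signal the "act now, skip the checks" pressure the article describes.
PRESSURE_WORDS = ["urgent", "immediately", "act now", "today", "wire",
                  "payment", "bank details", "gift card"]


def normalise(text):
    """Lower-case and strip accents so 'Jane Doé' matches 'jane doe'."""
    nfkd = unicodedata.normalize("NFKD", str(text))
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower().strip()


def auth_results(msg):
    """Pull spf/dkim/dmarc outcomes out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    found = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        if m:
            found[method] = m.group(1).lower()
    return found


def triage(raw):
    """Return a verdict and the list of reasons for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Sender authentication: anything other than 'pass' is worth a look.
    for method, result in auth_results(msg).items():
        if result != "pass":
            reasons.append(f"{method} {result}")

    # 2. Display-name impersonation: a known name on an address we do not expect.
    expected = KNOWN_CONTACTS.get(normalise(display))
    if expected and addr != expected:
        reasons.append(f"display name '{display}' but address {addr}")

    # 3. Lookalike domain: close to ours but not ours (e.g. digit 1 for letter l).
    if domain and domain != ORG_DOMAIN:
        if difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85:
            reasons.append(f"lookalike domain {domain}")

    # 4. Pressure language in subject and body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = normalise(f"{msg.get('Subject', '')} {body}")
    hits = [w for w in PRESSURE_WORDS if re.search(rf"\b{re.escape(w)}\b", text)]
    if len(hits) >= 2:
        reasons.append("pressure language: " + ", ".join(hits))

    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_fraud": """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent wire today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

I'm in a meeting, need an urgent wire sent today. Usual checks can wait, I'll sign off later.
""",
    "legit": """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board pack
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached is the agenda for Thursday. No action needed.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

Run it as a script and the constructed CEO-fraud message is flagged on several independent signals at once, while the genuine message from the same display name passes clean. The point of scoring on more than one signal is that an attacker who registers a lookalike domain can make SPF pass for it, so authentication results alone would not have caught the first message; the display-name and domain checks are what tie it back to the person being impersonated.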
Of course, in theory, there’s nothing to stop hackers exploiting these tools for their own gains…
In the end, everyone needs to own the risk and take responsible steps to mitigate it. And sometimes all it takes is a little common sense – and a generous sprinkling of scepticism.
[1] FBI 2018 Internet Crime Report