Spear Phishing - Big Phish, Small Pond

Author
Ben Hancock
Managing Director | Yellow Room Learning
14th March 2018

Phishing attacks have become increasingly common in the UK.  A recent report found that over one third (36%) of UK businesses suffered a phishing attack in 2017, and that an estimated one in twenty organisations lost data as a result.  Phishing has been so successful for cyber criminals that they have refined it to target specific individuals.  This targeted form of the attack is called spear phishing: a well-planned attack that uses information gathered about a specific individual to trick them into divulging confidential information.

How does phishing work?

Phishing is the act of using electronic communications to acquire sensitive information by masquerading as a trustworthy person or organisation.  These attacks usually arrive by email, but they can also come via text message, telephone call, social media and instant messaging platforms.  Cyber criminals are usually after usernames, account numbers, passwords or credit card details.  Some phishing attacks instead ask the recipient to open a file that contains malware; once the computer is infected, the criminal can search it for sensitive information or track what the user does on it.  The most common types of phishing attack include:

  • Deactivation scares: An email or message claims that one of the recipient's accounts has been deactivated and that they must provide their login details, or some other sensitive information, to reactivate it.
  • Look-alike (spoof) websites: An email claims to be from a trusted organisation such as a bank or government body.  A link in the email takes the user to a look-alike website, where they are asked to submit confidential information.
  • Threatening messages: Some attacks try to scare the recipient into acting.  The message might say that the recipient is in trouble with the tax authority or the police unless they immediately make a payment or divulge sensitive information.
  • Tech support scams: Some attacks look like messages from an IT department and ask the user to divulge their username and password or other sensitive information.

Spear phishing takes this a step further.  The cyber criminal starts by identifying the person they want to attack, then researches them, or uses stolen data, to learn more: their associates, contact details, job, family members and so on.  They then craft a message that uses this information to convince the recipient it is genuine; for example, they might pose as a friend of the recipient and ask them to open a file or send some money.  Most spear phishing messages claim that there is some kind of emergency and demand immediate action, so that the recipient does not take a closer look at whether the communication is authentic.

How criminals gather intelligence for spear phishing attacks

Cyber criminals use many different techniques to gather information about the individuals they are targeting.  They often use phone directories, credit reports, estate agent listings, blogs, social media, newspaper reports and other websites to learn more about the potential victim, including the sporting clubs and organisations the person is involved with.  Most will also scan the social media profiles of the intended victim's friends and relatives, in case they have revealed something useful.  Even seemingly trivial information such as the name of a person's pet or their favourite hobby is useful: it helps the criminal build a list of likely passwords or usernames, and it helps them write a message the recipient will want to read.

What criminals do with your information

Cyber criminals are interested in obtaining sensitive information for a number of reasons.  The most common reasons include:

  • To steal your identity
  • To access trade secrets or steal intellectual property
  • To extort money from you or your business
  • To steal money via your bank or credit card
  • To infect your computer with malware so it can be used as a part of a botnet

How to protect against spear phishing

There are a few simple steps you can take to reduce the risk of a successful spear phishing attack, including:

Don't overshare online: Avoid posting personal information that scammers could use to craft highly specific phishing messages.  Make your social media accounts private, and don't publish your email address or mobile phone number on websites unless you have to.

Verify that the message is authentic: Check the sender's actual email address, account name or phone number, not just the display name, which the sender can set to anything.  If you have received an email, check that the images and logos are correct and that links go where they claim to: hover over each link (or long-press it on a phone) and compare the real destination with the text shown.  A familiar display name on an unfamiliar address, or a domain that differs from the genuine one by a single character, is a common sign of a spoof.
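The checks in the previous paragraph can be partly automated.  The following Python script is an added example for this article, not code from the original page or from Yellow Room Learning: it parses a constructed sample email (the domains example-bank.com, examp1e-bank.com and example.net are placeholders, and the set of trusted domains is an assumption) and reports three common indicators of a spoof: a sender domain that imitates a trusted one by swapping look-alike characters, a Reply-To address that sends replies to a different domain, and a link whose visible text names one site while the href points to another.

```python
"""Heuristic phishing indicators for a single raw email (added example).

The trusted-domain list and the sample message are constructed for the
example; none of the domains below refer to real organisations.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the reader's organisation treats as genuine.
TRUSTED_DOMAINS = {"example-bank.com", "yourcompany.example"}

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-recovery.example.net
To: jane.doe@yourcompany.example
Subject: Your account has been deactivated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account was deactivated. Log in within 24 hours to avoid closure:</p>
<p><a href="http://secure-login.example.net/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""


def registered_domain(host):
    """Reduce a host to its last two labels (www.example-bank.com -> example-bank.com).
    Crude on purpose: real code should use the Public Suffix List so that
    names under suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Digits that attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is
    either genuinely trusted or not close to any trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named in URL-like link text, or None if the text is not a URL."""
    m = re.match(r"^\s*(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def analyse(raw):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-sender", f"{from_domain} resembles trusted {imitated}"))

    # Replies silently routed to a different domain than the visible sender.
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        reply_domain = registered_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(("replyto-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    # Link text that names one site while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = host_of(text)
            actual = urlparse(href).hostname or ""
            if shown and registered_domain(shown) != registered_domain(actual):
                findings.append(("link-mismatch", f"text shows {shown} but link goes to {actual}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_EMAIL):
        print(f"{indicator}: {detail}")
```

Run against the sample, the script reports all three indicators.  The domain reduction and the edit-distance threshold are deliberately simple: two-character distance will flag short legitimate domains that happen to be near a trusted one, so tune it against your own list, and none of these checks replaces confirming the request with the sender by another channel.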

Check with the sender: If you unexpectedly receive a message asking you to divulge confidential information or send money, contact the sender to confirm.  Don't reply to the email or text message; phone them on a number you already have, not one given in the message, and ask whether the request is genuine.

Use security software and firewalls: Many phishing attacks can be identified and isolated by email filtering, endpoint security software and firewalls.  Talk to a security consultant about which products suit your business.

Remember that you should never receive certain types of communication: Your bank will never email you asking for your username and password.  Tech support won't email you an attachment and ask you to install it.  The government won't email you asking for your National Insurance number.

Delete these emails or forward them to ActionFraud (the UK's national fraud and cyber crime reporting centre).

Thanks for reading Big Phish, Small Pond.  For more information on spear phishing prevention, or details of a simulated phishing programme, contact Yellow Room Learning today on 0800 292 2900 or check out our simulated phishing service.

About Yellow Room Learning Yellow Room Learning is a leading provider of information security awareness training.  Our team can help your business by training staff to have better information and cyber security awareness.  Contact us today to learn more!
