Have you ever wondered what the difference is between phishing and spear phishing? Well, you may be surprised to find out that you don’t use a spear in spear-phishing. OK, you probably weren’t wondering that, but there is indeed a distinction between the two.
Phishing is any attempt to bait a user into performing an action such as opening an email attachment, clicking on a link, or clicking on an advertisement. It’s usually more individual and personalized. An email may look like it was sent from a friend or colleague, but it is actually sent by someone who wants information from you, such as your social security number or credit card details, or who wants to install malware on your device.
Spear-phishing, on the other hand, is a bit more serious. A message may still come from what appears to be a trusted source; however, the sender is more likely to look like a colleague in your company or a vendor. The attacks are not from “random” hackers, but more likely from organized groups or individuals out for financial gain, trade secrets, or even military information. Oftentimes the message appears to come from someone at an executive level asking the recipient to perform a task such as a wire transfer or sending W-2 information, as happened recently to employees at companies such as Seagate and Snapchat.
People fall for this because the request may seem reasonable. For example, there are so many online accounts that it may not be out of the question for the CEO to ask for the login details of a financial account. However, it’s never a good idea to provide confidential or sensitive information, or to perform tasks such as transferring large sums of money, without confirming the request. To do this, don’t just reply to the message, and never send this type of information in an email. Walk to the requestor’s office or desk, or call him or her on the phone.
If you don’t have procedures in place that require multiple approvals for wire transfers, it’s advisable to put them in place. Always confirm the transfer, have someone independently verify the funds, and make sure without a doubt that the requestor intends to do this.
There are several ways that spear-phishers get the information needed to perform these attacks. Social media accounts such as LinkedIn provide ample resources for data mining. Many details were recently leaked in a data breach of that company, but the reality is that a breach doesn’t even need to occur. Most people post their names, titles, job functions, etc. on that site. This makes it easier for someone to find an employee in the finance department who may be responsible for performing financial transactions. Be cautious of what you put online. If you don’t need to put your title or specific job functions on your profiles, don’t. If you do work in an accounting or finance department, perhaps be a bit vague.
The FBI also lists some recommendations for avoiding becoming a victim of business email compromise (BEC) and other financial crimes:
- Verify any changes to vendor payment information and confirm any funds transfer requests.
- Be wary of any requests that seem urgent or like an emergency, or for which the sender requests secrecy.
- Implement multi-step procedures for wire transfers.
- Implement intrusion detection systems and set them to flag email addresses that look similar to the company’s, but are not exactly the same.
- If possible, register all domains that are similar to the company URL. This will prevent a cyber criminal from using your company for domain jacking (do-jacking) attacks.
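As an added example (not part of the original post), the following Python script applies the flagging recommendation above: it compares each sender's domain with the company's own, assumed here to be example.com, after mapping back character substitutions commonly seen in look-alike domains, and holds near matches for review. The From: headers it scans are constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

COMPANY_DOMAIN = "example.com"  # assumed company domain (constructed for this example)

# Substitutions commonly seen in look-alike domains, mapped back before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample From: headers standing in for a mail log.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@example.com>",            # genuine
    "IT <noreply@mail.example.com>",    # genuine subdomain
    "CEO <ceo@examp1e.com>",            # digit one in place of the letter l
    "CEO <ceo@exarnple.com>",           # 'rn' in place of 'm'
    "AP <ap@ex\u00e4mple.com>",         # accented a
    "Vendor <billing@unrelated.org>",   # unrelated domain, must not be flagged
]

def normalize(domain: str) -> str:
    """Lower-case, drop accents and map common confusable sequences back."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d

def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    addr = header_from.rsplit("<", 1)[-1].rstrip("> ")
    return addr.rsplit("@", 1)[-1].strip().lower()

def is_lookalike(domain: str, company: str = COMPANY_DOMAIN, threshold: float = 0.8) -> bool:
    """True when domain resembles the company domain but is neither it nor a subdomain."""
    domain = domain.lower()
    if domain == company or domain.endswith("." + company):
        return False
    a, b = normalize(domain), normalize(company)
    if a == b:  # identical once confusables are mapped back, e.g. examp1e.com
        return True
    # Near misses (one swapped or inserted character) score close to 1.0.
    return SequenceMatcher(None, a, b).ratio() >= threshold

def flag_messages(headers):
    """Return the From: values whose sender domain should be held for review."""
    return [h for h in headers if is_lookalike(sender_domain(h))]

if __name__ == "__main__":
    for h in flag_messages(SAMPLE_FROM_HEADERS):
        print("FLAG:", h)
```

The threshold and substitution table are starting points; tune them against your own mail flow so genuine partner domains are not held.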
Business email compromise (BEC) scams are on the rise. Earlier this year, the FBI warned that BEC losses had reached the $3 billion mark. Wire fraud phishing scams are increasing in 2016 and will likely bring close to $1 billion in losses to victimized companies.
Blog contributed by Stickley on Security