Spear Phishing

Last week, our BDM, Steve Smith, posted an article about the perils of Email Phishing, giving advice on what to generally look out for to increase the safety of your inbox. As a follow up to that, we are going to look at a specific phishing technique used by bad actors – Spear Fishing.

The key is to understand the difference between Phishing and Spear Phishing. Like their similarly named fishing counterparts, Phishing is the casting of a wide net, looking for a large number of low yield “catches”. No huge effort, which leads to many people responding and low revenue from each. An early example of this would be the Nigerian Prince email scam.

Spear Phishing is, as the name suggests, a more targeted approach, requiring at least a modicum of information about the intended target. Instead of going for a net of wee fish, go for one larger, specific fish instead.

So, what do you need to look out for to ensure you don’t become a victim of Spear Phishing? Well, it’s not easy, but staying vigilant is number one. The criminals behind this strategy take time to investigate their targets, using Companies House records, company websites, LinkedIn profiles, Twitter accounts, etc. to find out who their targets are, who their clients and suppliers are. This allows them to spoof, or fake, plausible looking emails that are designed in a way to fool a busy person into clicking on them.

We mentioned vigilance, so let me offer an example of this. You work in the first tier of the Oil & Gas supply chain and your three largest clients are say, BP, Shell and PetroChina. Would you click on emails from the domains @8P.com, @shel.com or @Petr0china.com? Hopefully not as they’ve all been slightly amended. Noticeable on here no doubt, but as noticeable when these emails are about the 200th you received since lunch, you’re about to rush into a meeting, your mobile is pinging with texts and someone is knocking at your door. Just click the email and confirm payment of the attached file. It won’t take long…

And it can’t take long. Because the email you got seems urgent. This is one of the keys of Spear Phishing – engendering a sense of urgency. “If you don’t provide your bank details by 1400, your delivery won’t leave the supplier”, “We have sensed malicious activity in your account, please provide the information by close of business or your account will be suspended”. These are the kind of things you need to be on the lookout for. You’ve now got an email from someone you believe to be trusted and they need your help quickly! You’re a nice person, you want to help. Click.

Things have even moved on from this simple method of using attachments, as good email filtering and web filtering software can stop these getting through. What we see more of now are links to a document within a well-respected platform like Dropbox, Google Drive or One Drive, which will then open a log in page for you to put your credentials into. Say goodbye to your password at this point and that’s before you’ve even clicked on the document, which delivers a malware payload onto your network.

There are many pieces of software out there to assist you in the battle against Spear Phishing. These will all help to an extent, but as stated before – vigilance is key, with the addition to taking your time, are the best weapons in your defence. Taking a beat to remember if you were expecting this email, looking at the domain the email came from and realising these few seconds may save you and your business many thousands of pounds.

Next week, we will look at “Whaling” and how to protect from this growing threat.

If you need any assistance in forming an effective email security strategy or if you would like more information, please contact us and we will work with you to increase your safety online.