i-medIT Blog

Taking an Exploratory Stab at Spear Phishing

Taking an Exploratory Stab at Spear Phishing

Chances are, you’ve heard of “phishing” - a cybercriminal’s scam that steals data, access credentials, and other sensitive information by fooling a user into thinking they are providing this information to someone who is supposed to have access to it. However, there are a few different kinds of phishing, based on how it is carried out. Here, we’ll discuss the realities of spear phishing, and the risks it poses to your business.

What Makes Spear Phishing Different?

As a rule, spear phishing is a much more precise and personalized process. To keep to the “fishing” analogy, a generalized phishing campaign casts a wide net, trying to snare as many victims as possible with their scam. Utilizing vague and generic language, the ‘typical’ phishing attack is made to appear to come from a large organization, informing the user of some need for the user to take action, resulting in the hacker gaining access to the user’s information. This methodology makes the typical phishing attack fairly effective against many people, while simultaneously easier to spot if one knows the warning signs.

By comparison, spear phishing is far more precise. Instead of trying to find value in the quantity of targets snared in a trap, spear phishing takes the opposite tack. Using a highly targeted approach, spear phishing attacks are directed toward a specific individual within an organization.

This specified approach means that the generic messages that many phishing attempts leverage simply won’t be enough to fool the intended target. Instead, the hacker has to play investigator, seeking out as much information as they can about their intended target. Where do they work? What is their position in the company? Who do they frequently communicate with? Once the hacker has collected enough information to create a convincing message, they will typically spoof an email to their target. This email will usually contain some reference to a known contact or some in-progress project to make it more convincing and will request that the recipient download a file via a provided link.

However, while the link will direct to what appears to be a Google Drive or Dropbox login page, it is just another layer to the deception. Entering credentials into this page will give them right to the hacker for their use, breaching the user’s security and putting the entire business at risk in one fell swoop.

What Methods Do Spear Phishers Use?

Due to how spear phishing works, the messages sent by hackers need to be as convincing as possible. Combining extensive research with some practical psychology, a hacker has more ammunition to power their attacks.

As mentioned above, spear phishing is far less generic than the average phishing attempt. By referencing specific people, things, and events that mean something to the target, or appearing to come from an internal authority (a manager, perhaps, or even the CEO), the hacker can create a message that is less likely to be questioned. If the hacker writes their messages without any spelling or grammatical errors, as many spear phishers do, it only becomes more convincing.

These hackers are so reliant upon their target being fooled; many will purchase domains that strongly resemble an official one. For instance, let’s say you owned the domain website-dot-com. If a hacker decided to pose as you to launch a spear phishing attack, they might purchase the domain vvebsite-dot-com. Without close inspection, the switch may not be noticed - especially if the hacker creates a good enough lookalike website.

Am I A Target?

Of course, the research that a hacker has to do to successfully pull off a spear phishing attack is extensive - not only do they have to identify their target, they also have to figure out the best way to scam this target. Generally speaking, a hacker seeking to leverage spear phishing will focus their efforts on anyone in an organization who could potentially access the information that the hacker wants but isn’t high up enough in the organization to question an assignment from above.

Or, in more certain terms, a business’ end users.

In order to minimize the chances that a spear phishing attack will be successful against your company, you need to make sure that everyone subscribes to a few best practices. For example:

  • Pay attention to the finer details of an email. Is the message actually from , or does the email address actually read ? Did Christine/Kristine include any attachments? As these can be used to spread malware via email, you should avoid clicking on them unless you are certain the message is legitimate.

  • Is the message written to sound overly urgent? Many phishing messages, especially spear phishing messages, will try to push an action by making it seem as though inaction will lead to a critical issue. Another warning sign to look out for: any deviation from standard operating procedures. Don’t be afraid to question a sudden switch from Google Drive to Dropbox - it may just be the question that stops a spear phishing attack.

  • Speaking of questioning things, don’t hesitate to make sure that any messages you suspect may be spear phishing aren’t actually legitimate through some other means of communication. A quick phone call to the alleged sender will be well worth avoiding a data breach.

While spear phishing is a considerable threat to your business, it is far from the only thing you need to worry about. i-medIT can help your business secure its IT solutions and optimize them for your use. To learn more, subscribe to our blog, and give us a call at 630-549-6199.

Cloud Services Can Help You Build a Better Busines...
Tip of the Week: Proactive Maintenance Keeps Tech ...
 

Comments

No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Guest
Tuesday, June 25 2019

Captcha Image

Mobile? Grab this Article!

QR-Code dieser Seite

Tag Cloud

Tip of the Week Security Technology Best Practices Business Computing Privacy Google Cloud Hackers Innovation User Tips Productivity Internet Data Hosted Solutions Microsoft Email Network Security Efficiency Tech Term Hardware Mobile Devices Backup Malware Business Smartphones Workplace Tips Small Business Data Backup Communications Cloud Computing Smartphone VoIP Android Gadgets Business Management IT Support Windows 10 Managed IT Services Network Data Recovery Software Communication Browser Internet of Things IT Services Server Cybercrime Windows Cybersecurity Artificial Intelligence Router Mobile Device Computer Ransomware Chrome Business Continuity Miscellaneous Upgrade Spam Automation Computers Users Information Outsourced IT How To Collaboration Social Media Phishing BDR Productivity Mobile Device Management Applications Money Saving Money Word Disaster Recovery Office 365 Law Enforcement Social Engineering Operating System Save Money Quick Tips Data Breach Staff Alert Encryption BYOD App Bandwidth Vulnerability Wi-Fi Telephone Systems Safety Private Cloud Government Google Drive Settings Holiday Voice over Internet Protocol Data Protection Remote Monitoring Managed Service Data Security Paperless Office Facebook Passwords Two-factor Authentication Managed IT Services Bring Your Own Device Sports Connectivity YouTube Education Machine Learning Spam Blocking Botnet Infrastructure Password Windows 10 Telephone System Recovery Fraud CES Virtualization The Internet of Things Access Control Data Storage Software as a Service Networking Meetings Scam VPN Content Management Redundancy Google Docs Augmented Reality Data storage IT Management Avoiding Downtime Keyboard Comparison Physical Security Website Blockchain Microsoft Office Cryptocurrency OneNote IT Plan Internet Exlporer Servers Downtime Apps Training Health Public Cloud Unsupported Software Identity Theft Business Intelligence Cleaning Managed IT Human Resources Telephony Virtual Assistant Windows 7 Gmail Display Update Inventory MSP Cables End of Support Cast HBO Millennials Tech Support Help Desk Hacker Charger Mobility Biometric Security Files Multi-Factor Security Patch Management Wireless Internet Mouse Customer Netflix Skype Wireless Charging USB Devices Mobile Computing Monitor webinar PDF Flash Automobile Password Management Net Neutrality Touchpad iPhone FENG WiFi File Sharing Default App Current Events Internet exploMicrosoft Frequently Asked Questions Workforce Shadow IT Smartwatch Computer Care Office Windows 10s Travel Password Manager Legal 5G Black Market History Trending Wire Administrator Hacking Marketing Start Menu Cortana Accountants Chromecast Thought Leadership Camera Conferencing Amazon Work/Life Balance NIST ISP Managed Service Provider Authentication IT Infrastructure Knowledge Advertising Excel Telecommuting Shortcuts Employee Samsung Relocation Business Mangement OLED IBM Uninterrupted Power Supply Going Green Smart Office Microchip Tools Google Apps HaaS Entertainment Big Data Emails Sync Amazon Web Services Cryptomining Data Management NarrowBand Nanotechnology Remote Worker Investment Outlook Network Congestion Tip of the week Remote Work Electronic Medical Records Social Digital Signage Value Solid State Drive Recycling Manufacturing Supercomputer User Error Data loss Specifications Office Tips Document Management Search Engine Employer-Employee Relationship Practices HIPAA DDoS Addiction Warranty Online Shopping Safe Mode Database Wireless Technology Smart Tech Wiring ROI Humor IT Consultant Windows Server 2008 Virtual Reality Save Time HVAC Vendor Google Search Audit eWaste Cabling Robot Budget Screen Mirroring Firewall Bing Security Cameras Workers Flexibility Hosted Computing Business Technology Root Cause Analysis Cache Printer Reputation Wireless Evernote Digital Signature Unified Threat Management Hybrid Cloud Software Tips Credit Cards Hiring/Firing Enterprise Content Management Proactive IT Laptop Apple Computer Fan Criminal Smart Technology Risk Management Search Content Employer Employee Relationship Computing Infrastructure Two Factor Authentication Company Culture Politics How to Worker Techology Audiobook Compliance Instant Messaging Troubleshooting Information Technology Computer Accessories Assessment Managing Stress Best Practice Transportation Rootkit Remote Computing Regulation Twitter Printers Television Experience Benefits IT Support CrashOverride Books Webinar Public Computer Thank You Loyalty Video Games Music Battery Vendor Management Emergency Bluetooth IT solutions Scalability Wearable Technology GDPR Worker Commute Congratulations SaaS