Spear phishing is an attempt by an attacker to obtain confidential information by fraudulent means, usually by email, by targeting a specific employee in order to gain access to information. While ordinary phishers are usually attempting to steal from the victim, spear phishers attempt to compromise the victim’s company’s network and systems to steal corporate secrets, intellectual property, customer details and other valuable information. “Spear phishers play on people’s emotions, and often use curiosity, fear or the offer of a reward to arouse interest,” says Scott Greaux, a VP at anti-spear-phishing training firm PhishMe. Spear phishing exploits the weakest point in security, which is us (people). As Bruce Schneier states, “People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.” It does so through social engineering: deceiving, manipulating and using “influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail” (Kevin Mitnick).

Fig. I – Spear Phishing

Email (short for electronic mail) is a method of exchanging digital messages. It is the commonly used mode of communication within an organization’s network because it is cheap, fast, reliable and efficient compared to the traditional methods of sending typed letters and memos. Email can be used to send messages outside the network (external mail) or to other office colleagues (internal mail). Just as letters were prone to theft, unauthorized access and loss, email is prone to various kinds of attacks, such as spam, spear phishing, malware and denial-of-service (DoS) attacks.
Most organizations have experienced phishing, whereby users receive an email saying that they have won a visa or a lottery worth millions of dollars, or a request from the head of some bank saying that somebody wants to transfer unclaimed money and is willing to split it; all that is required is for you to send your bank details, full name, account number, home address, mobile phone number and any other confidential information relevant to the transaction. Most of us fall into this trap because “People are prone to taking mental shortcuts. They may know that they shouldn’t give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure – all these are triggers, which can be used by a social engineer to convince a person to override established security procedures” (Kevin Mitnick). Behind this is usually a syndicate of international criminals running a scam to steal your identity and clone your banking details in order to produce fake debit and credit cards and steal money.

Fig. II – Spear Phishing

Another example uses the organization’s internal email: users receive an email purporting to come from the system administrator, help desk officer or another trusted source, asking them to send their password so that the sender can log into their machine and sort out a problem. The email can also carry an attachment purporting to come from the HR office. Attached documents may contain malicious software, and the moment you download one, a payload is delivered onto your computer; this can be a computer virus, or it can turn your PC into a zombie that steals passwords within the organization’s network and sends them to criminals who are preying on our information. Emails might also contain a link that you are asked to click, which takes you to a bogus replica website where you are told to enter your username and password.
Sometimes, just clicking the link is enough to install malware on your machine, which may allow the attacker to take control of your computer and continue their scheme. These and many more are examples of phishing threats affecting our information security environment, and no system alone can mitigate them; only all of us can.

How to prevent spear phishing attacks?
- Don’t ever open or respond to emails from unknown persons. Delete them completely and report them to the respective security department.
- Don’t ever open attachments from an unknown email address.
- Never forward email from unknown sources.
- Don’t share private email addresses on social media websites.
- Be smart – if a “friend” emails and asks for sensitive confidential information, call or email (in a separate email) that friend to verify that they were really the one who contacted you. First of all, most organisations nowadays won’t email you asking for passwords or account numbers. If you think the email might be real, call back.
- Use strong email passwords as per your organization’s password policy.
- Report all suspicious email to security within your organization so that an investigation can be done to identify the source of the messages and for verification.
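The warning signs described above (a display name claiming to be the help desk or HR while the address is external, a reply address that differs from the sender, a request to send your password, a link whose visible text shows the company site while it really points elsewhere, and an attachment type that can run code) can be checked mechanically before a user ever reads the message. The following is an added example written for this page, not code from the article or from any product it mentions; the internal domain example.org, the role list, the risky-extension list and the three sample messages are all constructed for the illustration, and a real mail gateway would use many more signals than these.

```python
"""Heuristic spear-phishing indicator check over a raw RFC 822 message.

Added illustration; not from the original article. ORG_DOMAIN, the role
and extension lists and the sample messages below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"                                   # assumed internal domain
ROLE_CLAIM = re.compile(r"\b(help ?desk|system administrator|it support|hr)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".hta")
CREDENTIAL_ASK = re.compile(r"\b(send|reply with|confirm)\b.{0,40}\bpassword\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(text):
    """Hostname that a human would read in link text, '' if it has none."""
    m = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return the list of indicator strings found in one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims an internal role, but the address is external.
    if ROLE_CLAIM.search(name) and from_dom != ORG_DOMAIN:
        found.append(f"internal role '{name}' but external sender {from_dom}")

    # 2. Replies silently go to a different domain than the visible sender.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")

    for part in msg.walk():
        fname = part.get_filename()
        # 3. Attachment with an extension that can execute code when opened.
        if fname and fname.lower().endswith(RISKY_EXT):
            found.append(f"risky attachment {fname}")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue                                         # containers, images, etc.
        body = part.get_content()
        # 4. The message asks the recipient to hand over a password.
        if CREDENTIAL_ASK.search(body):
            found.append("message asks the recipient to send a password")
        # 5. Link text shows one host while the href points at another (replica site).
        if ctype == "text/html":
            lc = _LinkCollector()
            lc.feed(body)
            for href, text in lc.links:
                shown, real = _host(text), (urlparse(href).hostname or "")
                if shown and real and shown != real:
                    found.append(f"link text {shown} hides target {real}")
    return found


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: IT Help Desk <helpdesk@mail-support-example.com>
Reply-To: helpdesk@reply-collector.net
To: alice@example.org
Subject: Password reset required
Content-Type: text/html; charset=utf-8

<p>Please send your password so we can sort out your account, or log in at
<a href="http://login.example-org-secure.net/">https://intranet.example.org/login</a></p>
"""

SAMPLE_BENIGN = """\
From: Bob <bob@example.org>
To: alice@example.org
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon. Agenda: https://intranet.example.org/notes
"""

SAMPLE_ATTACH = """\
From: HR Office <hr@example.org>
To: alice@example.org
Subject: Updated policy
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached document.
--XYZ
Content-Type: application/octet-stream; name="policy.docm"
Content-Disposition: attachment; filename="policy.docm"
Content-Transfer-Encoding: base64

QUJD
--XYZ--
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN), ("attach", SAMPLE_ATTACH)):
        print(label, phishing_indicators(raw))
```

Run as a script, it lists four indicators for the first sample (external sender posing as the help desk, divergent Reply-To, password request, disguised link), none for the benign message, and the risky attachment for the third. Each check is deliberately simple so the logic stays readable; the point is that every sign the list above asks users to watch for is also something the mail system can flag and route to the security team.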
Remember always that security starts with you!