How to avoid being impaled by a spear phishing campaign

Over the past several weeks we have offered a number of tips on ways to identify phishing emails and other malicious content that we face on a day-to-day basis. Today we’ll look at another way we can avoid becoming a victim of spear phishing.

To start let’s take a quick refresher on what separates a regular phishing email from a spear phishing email. Of the two, phishing messages tend to be more general and lacking detail, looking to cast a broad net on potential victims. Spear phishing messages on the other hand will contain specific detail and relevant context. Spear phishers will spend a significant amount of time identifying potential victims within an organization, what their roles are, who they report to, etc., all with the goal of crafting a believable message that the target is likely to act on. Those actions generally involve executing some type of financial transaction such as a wire transfer, or providing sensitive data such as employee W2 data or medical records.

So now let’s look at a spear phishing scenario:

Step 1 – Information Gathering: The spear phisher does research on the target organization, using the internet and other public records to identify key individuals within the organization as well as things like the organization’s domain names and email format. Through their research they are able to determine that John Smith is the CEO and that Kathy Jones is the director of the HR department. They also determine that the organization’s domain is buffalo-inc.com and that its email format is firstname.lastname@buffalo-inc.com.

Step 2 – Preparation: To prepare for the spear phish, the phisher registers the domain name bufalo-inc.com and then opens an email account with a public email provider using the address john.smith@bufalo-inc.com. They then create the phishing email and send it.

Step 3 – The Phish: Kathy Jones receives the following email:

From: john.smith@bufalo-inc.com
To: Kathy Jones
Subject: Urgent request for employee data

Kathy,

Just found out we are facing an audit for some payroll issues. I urgently need you to send me all W-2 info for all staff employed between 2010-2015. Nobody else can know about the audit so please don’t share the request.

I am currently traveling and cannot be reached by any means other than email. Please reply to this message and attach the requested information ASAP.

Thanks for your help.

John

Step 4 – Reel it in:

Kathy of course wants to be a helpful employee and help out an executive. Having a couple of questions, Kathy replies to the email for some clarification. She promptly receives a reply confirming the request. Kathy then quickly assembles the requested information, replies to the email and attaches the data file.

Kathy has just been spear phished, resulting in a significant loss to her company. The phish could just as easily have been a request for a wire transfer, a request for medical records, or any number of other things, but the end result would have been the same.

What were the clues that should have raised a red flag for Kathy?

  • One-off data elements. Instead of buffalo-inc.com, the domain on the email address was bufalo-inc.com. Many busy people wouldn’t take notice of this but it is always a good idea to take notice of the sending address when replying to any message. Would you catch the difference between unchealth.unc.edu and uncheath.unc.edu if you were in a hurry?
  • False urgency. The phisher attempts to create a sense of urgency by using the guise of a secret audit and a request for an ASAP response.
  • Limited contact options. The phisher limits the contact options to email.
  • FUD. As we have talked about before, phishers rely on the concepts of Fear, Uncertainty, and Doubt. The message instructs Kathy that, whatever she does, she must not tell anyone else about the audit, which creates some FUD.
  • Role appropriateness. How likely is it that the CEO would go directly to Kathy for this information as opposed to contacting Kathy’s boss? It could happen, but how likely would it be?
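The first clue above, a one-character look-alike domain, is the one that a mail client or gateway can actually check for you. The following Python is an added example, not code from the original article: it pulls the domain out of a From: header, compares it against a constructed allow-list of the organization’s real domains (the scenario’s buffalo-inc.com and the unchealth.unc.edu example), and flags a near-miss by edit distance. The allow-list and the distance threshold of 2 are assumptions for the example.

```python
import re

# Constructed allow-list for the example: the domains the organisation really uses.
TRUSTED_DOMAINS = {"buffalo-inc.com", "unchealth.unc.edu"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'John Smith <john.smith@x.com>'."""
    m = re.search(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$", from_header.strip())
    if not m:
        raise ValueError(f"no email address found in {from_header!r}")
    return m.group(2).lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact match, 'lookalike:<real domain>' for a near-miss
    within max_distance edits, and 'external' for anything else."""
    dom = sender_domain(from_header)
    if dom in trusted:
        return "trusted"
    for real in sorted(trusted):
        if levenshtein(dom, real) <= max_distance:
            return f"lookalike:{real}"
    return "external"


if __name__ == "__main__":
    # The From: line from the scenario above, plus the hurried-reader example.
    for hdr in ("john.smith@bufalo-inc.com",
                "John Smith <john.smith@buffalo-inc.com>",
                "someone@uncheath.unc.edu",
                "vendor@example.org"):
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

A gateway rule that tags anything classified as a look-alike with a visible banner would have given Kathy the warning she needed before she hit reply.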

So finally, how do you avoid becoming the victim? We all want to be helpful and comply with requests, especially when they come from a superior. However, sometimes it is better to be a reasonable skeptic first and helpful second. An easy way to avoid falling into this trap is to break the email chain. When you receive a request such as this, do not use the original email message to confirm the request or to carry out the request.

  • Start a new email chain with the requester. Address the new message using the internal address list and never rely on the address in the original message.
  • Don’t rely on email at all. Call the person and confirm the request. If the original email contains a phone number to call them at, don’t use it. Find the number independently.
  • Do not get deceived by any of the elements listed above. Take the time to verify the request through proper channels before complying.
  • Being helpful does not preclude being prudent along the way.
