Phishing & Spear Phishing

At ISL you can be assured we’re constantly on the lookout to ensure your systems are as secure as they can be. However, ‘phishing’ e-mails are getting more sophisticated, so ensuring your staff are well-educated is ever-more important; the single most vulnerable area on most networks is still human error.
With this in mind, please have a read of the following info, taken from Microsoft – actually, we recommend you share this with all your staff to make sure they don’t get caught out by fraudsters (note: this isn’t a technical document):

Spear Phishing Campaigns

Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. They are so targeted, in fact, that we sometimes refer to them as “laser” phishing. And because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email. That’s how good they are.

How did they get our contact info in the first place?

In a spear phishing campaign, the first thing an attacker needs to do is identify the victims. These are typically individuals who have access to the data the attacker wants. In this instance, the attackers want to infiltrate the human resources department because they want to exfiltrate employee social security numbers. To identify potential candidates they conduct extensive research, such as:
  • Review corporate websites to gain insight into processes, departments, and locations
  • Use scripts to harvest email addresses
  • Follow company social media accounts to understand company roles and the relationships between different people and departments
  • [ISL: consider how vulnerable even a LinkedIn presence can make you, because of what information you or your staff might share publicly…]

What techniques are successful – because they’re entirely plausible?

To execute the spear phishing campaign against the executive, the attackers will have uncovered the following information:
  • Identified senior leaders at the company who have authority to sign off on large sums of money
  • Selected the CEO as the credible source who is most likely to ask for the money
  • Discovered details about the CEO’s upcoming trip based on social media posts
  • [ISL: consider how vulnerable even a LinkedIn presence can make you, because of what information you or your staff might share publicly…]
Why it might work: Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee. People are inclined to respond quickly when the boss emails—especially if they say it’s urgent. This scenario takes advantage of those human power dynamics.

What are the potential consequences?

If the victim does accidentally open the spear phishing email and respond to the call to action, open a malicious attachment, or visit an infected webpage, the following could happen:
  • The machine could be infected with malware
  • Confidential information could be shared with an adversary
  • A fraudulent payment could be made to an adversary

So what can we do?!

Educate users on how to detect phishing emails—Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users identify phish using training tools that simulate a real phish. Here are a few tells that are found in some phish that you can incorporate into your training:
  • An incorrect email address or one that resembles what you expect but is slightly off.
  • A sense of urgency coupled with a request to break company policy. For example, fast tracking payments without the usual checks and procedures.
  • Emotive language to evoke sympathy or fear. For example, the impersonated CEO might say you’re letting them down if you do not make the urgent payment.
  • Inconsistent wording or terminology. Does the business lingo align with company conventions? Does the source typically use those words?
  • Encourage users to communicate potential phishing emails—It’s important that users flag phishing emails to the proper team. This can be done natively within many enterprise email systems. It can also be helpful if users talk with their peers about the phishing emails they receive. Spear phishers typically don’t send blast emails; however, they may select several people from the same department or with business relationships. Talking will alert other users to be on the lookout for phishy emails.
  • Secure your identities—A spear phishing campaign is often the first step that an attacker takes to gain more privileged access to company resources. If they succeed in duping a victim, you can reduce the damage with modern authentication techniques. For example multi-factor authentication (MFA) can block over 99.9 percent of account compromise attacks.
  • Deploy technology designed to block phishing emails—If users don’t receive the phishing email, they can’t act on it! Deploy technology that can help you catch phishing emails before they land in someone’s inbox. For instance, Office 365, one of the world’s largest email providers, offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 and improving catch rates of phishing emails.

However! Even though technologies are available/may already be in place to look for these sorts of e-mails, we cannot assume that automated systems are 100% failsafe, so please remember that good staff practices are the best final line of defence.

If you’d like any extra information or help on this or have any other questions, please get in touch.