Impersonations by hackers are increasingly more common, sophisticated and targeted. These hackers aim to uncover your personal information, your business information, and your financial information for their personal gain. Today, the methods that they use are more sophisticated than a typo-filled email from a strange web address or staticky phone call.
Understanding the phishing methods that they use – and why they use them – can help you to protect yourself and your business.
What is Spear-Phishing?
Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, for malicious reasons. This is achieved by acquiring personal details of the victim. The attackers then disguise themselves as a trustworthy colleague or business partner to acquire sensitive information, typically through email or other online messaging.
Spear-Phishing vs Phishing
Spear-phishing can easily be confused with phishing because they are both online attacks on users that aim to acquire confidential information.
Unlike spear-phishing attacks, phishing attacks are not personalized to their victims and are usually sent to masses of people at the same time. The goal of phishing attacks is to send a phony email (or other communication) that looks as if it is from an authentic organization to a large number of people, banking on the chances that someone will click on that link and provide their personal information or download malware.
Spear-phishing attacks target a specific victim with personalized communications, designed to look like a message from a trusted source. These kinds of attacks require more thought and time to achieve than phishing. Spear-phishing attackers try to obtain as much personal information about their victims as possible to make the emails that they send look legitimate and to increase their chance of fooling recipients. Because of the personal level of these emails, it is more difficult to identify spear-phishing attacks than to identify phishing attacks. This is why spear-phishing attacks are becoming more prevalent.
Top 3 Types of Spear-Phishing Attacks
1. Impersonating Your Boss
Who wouldn’t respond to a request from their boss? many times, attackers don’t use complex tools or technology to try and trick you or your employees to wire money, send w2s, give up credentials, ect. They simply research both you and your employees/superiors by checking out social media accounts or your company’s “About” section. From there, they craft the perfect email (or string of emails) that looks like it’s legitimately from a trusted source. These messages typically do not contain malicious links or attachments, making them very difficult to detect with traditional email security solutions.
2. Impersonating Popular Business App Services You Use Every Day
Almost every business uses some sort of web-based application to help manage day-to-day workloads and tasks. Attackers are well aware of this and target trusted web services like Gmail or DocuSign as a way to lure unsuspecting victims. These attacks often try to get you to give up account credentials or click on malicious links. For example, you may receive an email informing you that you have unread messages, to reset your password, or to review or sign a document. From there, you’re taken to a fake website portal and accidentally give up your login information. These hackers will then use this to commit fraud or to launch a more targeted attack within your organization.
3. Impersonating Your Office 365 Account
Most businesses use Microsoft’s popular cloud productivity service; however, popularity can sometimes be a bad thing. There’s an inherent trust from users when they see an email directly from Office 365, and attackers are capitalizing on this trust. They craft emails that ask you to log into a seemingly “valid” web portal. From there, they can gain access to your account and proceed to send malicious emails to co-workers/employees. What do these particular emails usually contain? You guessed it – a message asking for more sensitive company information or money. Even though Microsoft Office 365 is still a relatively new tool, attackers recognize that it houses a rather large and growing user base, so they plan on taking full advantage.
Please contact us to learn more about our cyber security initiatives and how we can help keep your business safe and secure.