Email scams and fraud have been around since the inception of email. In response, security has become more advanced and email users more aware of potential threats. As a result, hackers and spammers have become more sophisticated. Read on to learn what a spear phishing attack is and how to prevent it.
What is a Spear Phishing Attack?
Spear phishing is a form of cyber-attack that uses email to target individuals and steal sensitive or confidential information. This information can include account credentials, financial information, etc.
To acquire sensitive information, the attacker disguises themselves by sending an email that looks like it is from a trusted source (friend, entity, etc.). They gain this trust by using information about the victim that they have found online.
How is Spear Phishing Different from Phishing?
It is important to note that these types of attacks are similar. However, there are key differences to be aware of:
Phishing Attacks
- Not personalized
- The emails are broad and automated; the goal is to send as many emails as possible
- Normally one-and-done attacks
Spear Phishing Attacks
- Personalized
- Highly targeted attacks, often going after a specific target
- The attacker thoroughly researches the target
- Spear phishing emails are often just the beginning of the attack
How it is Done
The attacker will look at online profiles to find information on the victim such as:
- Email addresses
- Geographic location
- Friend lists
- Job title
- etc.
With this information, the attacker can pose as a familiar entity or friend and send a convincing fraudulent message. These types of emails often have urgent warnings or explanations as to why the victim needs to act and provide sensitive information.
These types of scammers typically use one of two methods: malicious attachments or spoofed websites.
Malicious Attachments
The target will be asked to open a malicious attachment. Opening it will download malicious files or software onto the device, allowing the attacker more access to personal data or internal networks.
Spoofed Websites
In the second type of attack, the email will claim that the target needs to change where money is being sent (a paycheck, a payment to a vendor). The link to do this will lead to a spoofed website. It will not take the target to the real website, but to a fake one that the attacker has access to.
Once one of these actions has been taken by the victim, the attacker can then use the stolen information for any malicious activity they want.
How to Avoid Spear Phishing
There is no one way to fully protect against spear phishing attacks. However, there are steps that can be taken to guard against these types of attacks. Here are some of our top recommendations:
- Do not publish a list of all employee email addresses on your website
- Never send out sensitive personal information via email
- Use strong passwords
- Frequently update operating systems, applications, and security software
- Do not click links in emails unless you know they are 100% reputable
- Implement security awareness training at your company
- Be sure to use logic when opening an email:
  - If a friend sends an email asking for personal information, reach out to the friend before taking any action
  - A business should never send an email asking you for your username and password or any sensitive account information
To learn more about protecting yourself from this type of attack, or if you think you have fallen victim, please contact us.