There are few social engineering scams as proven effective as a phishing attack. But what exactly is phishing? This is when a hacker sends out a massive number of emails in which he or she pretends to be an authority figure asking the recipient for login credentials. We’ve talked at length about these schemes previously, but a recent trend is completely changing how criminals are working this scam.
Spear phishing, as it has come to be known, is a more targeted attack than the standard phishing campaign. This is where the hacker finds out as much as possible about the victim in order to trick them more easily into falling for the scam.
Advantages and disadvantages to spear phishing
To better understand this attack, and thereby avoid one, it’s important to see the pros and cons of spear phishing. On the plus side, the target is more likely to believe a scam email if the sender has a lot of personal information about them. Something as simple as referencing the name of an employee’s daughter can trick them into believing a message comes from a co-worker. And this kind of information can be easily found on a Facebook profile.
“Spear phishing requires the hacker to spend a good amount of time on each victim.”
The downside of this kind of attack is that, unlike regular phishing, this scam requires the hacker to spend a good amount of time on each victim. Each person must be researched in depth in order to gain trust, which is going to require more effort than simply sending out thousands of copies of the exact same scam email. What this means is that the end payout needs to be significantly higher than a regular phishing attack to make up for this extra time. This is why spear phishing is so much more dangerous, as a successful attack is going to steal even more money.
Sometimes it’s an inside job
That said, many hackers don’t even want to go through the trouble of having to research intended targets. Often, the easiest way to initiate a spear phishing campaign is to simply pay someone for the information you need. In fact, an unknown entity attempted to do just this by paying an ex-Nuclear Regulatory Commission employee for information about his old co-workers.
Thankfully, the FBI was able to stop this person before they actually sold the information, according to The Washington Post. However, many other organizations have not been so lucky, which is why company officials should always revoke access for workers who leave.
This attack can be used to distribute malware, too
Another frightening development of spear phishing is the fact that it’s being taken beyond simply asking people for their login credentials. All of this researched information gets people to trust the sender, which can make them click a link that they might not have otherwise. In fact, security company Proofpoint has detected such an attack. Named TA530, this campaign tricks high-ranking company officials into clicking on a link in an email that delivers malware, according to Ars Technica.
What’s more, the hackers behind this scam seem to be incredibly well informed. Emails have been found to contain the victim’s name, the name of where they work, their position at that company as well as their phone number. With so much personal information within these messages, it’s easy to see why someone might fall for this attack.
Education is key, but sometimes isn’t enough
In order to mitigate the risks of an employee becoming the victim of a spear phishing campaign, administrators should begin by setting up an educational system to teach workers the dangers of these kinds of attacks. Although many people have heard of the generic Nigerian prince phishing scams, many others have no clue what spear phishing looks like. A crucial aspect of phishing prevention is making sure employees know that they should not trust an email just because it contains personal information.
That said, even the most comprehensive educational program can be ignored, and human error is always a possibility. This is why organizations endeavoring to keep sensitive correspondence private should look into Fax over IP. FoIP systems aren’t generally targeted by hackers. What’s more, Proofpoint also found that TA530 is targeting health care, a field that already relies on faxing in order to meet regulatory standards. Integrating a FoIP solution with cloud faxing services could help lower a facility’s reliance on email, thereby decreasing the chances of a successful spear phishing campaign.
Enhance enterprise communication, collaboration and compliance efforts with a proven FoIP solution from FaxCore. Contact FaxCore today to learn more about their ‘Partly-Cloudy’ fax solutions.