One of the biggest concerns in the modern business world is the sophistication of technological fraud. One such scheme is known as “spear phishing.” This technique is a spoofing technique whereby the perpetrators target a specific organization with the sole purpose of gaining unauthorized access to the personal data, financial data, trade secrets, and so on. A large difference from normal phishing techniques is that the spoof email appears to come from someone who is within the company and in a position of authority, rather than from some separate entity (like eBay). An example of a commonly employed technique is the following: the fraudulent party finds contact information for the target company. They use this information to create a message which appears authentic, and from someone in a position of authority (such as a network administrator). The message is distributed to an employee or employees, who are asked to log into a phony page. Which requests the user name and password. Alternatively, it could be to click a link which downloads some type of malicious software such as a tracker or spyware. All it takes is for one employee to fall for this scam; the perpetrator can then pretend to be that person, using their information to gain access to whatever sensitive business information they are seeking.
One reason this technique is becoming increasingly utilized and is so successful is because the increased use of social media, email, and text messaging has made it easier to appear authentic. The reason for this is fairly straightforward: with the advent of social media, people increasingly put their likes/dislikes, occupations, degrees, and numerous other personal or identifying information on their social media sites. This gives the perpetrator an opportunity to see how these people write things, as well as to include the little personal touches which give the illusion of reality.
It is important to know from where the information is mined: the ‘about us’ page on the business website, the name of the school/class year of the employee(s) of interest, friends and contacts from social media, the business/employee(s) geographical locations, and any information about a business/employee(s) which can be found through a Google search (or in the local media, such as newspaper or on television).
Examples are the likes of someone setting up another email address similar to an account you might receive email from
firstname.lastname@example.org instead of email@example.com (missing the .)
If an employee does fall victim, and if the business is not properly protected, the spear phishing attack can do damage before anyone even notices something is wrong. The perpetrator can hold files for ransom, steal information to sell (or delete), the network can be remotely controlled (which opens up a host of problems).
The best way to get around this is to ensure employees only open attachments from known sources, never click on links, and confirm that a link is real with the legitimate sending party prior to clicking it. The key is to ‘think before the click.’