Concord Technology Group

Spear Phishing

You're probably familiar with phishing, the online scam in which con artists try to trick people into clicking links and/or sharing personal information. You may even have heard of spear phishing, which is a targeted attack. But are you aware how sophisticated these so-called "social engineering" schemes have become? Consider this example, reported by ZDNet:

After identifying the company they wanted to attack, hackers researched its employees on LinkedIn. They zeroed in on one whose profile mentioned that he'd been captain of his school's rugby team. At the school's website they found the name of the co-captain. They then carefully crafted an email that appeared to be from that old friend, and attached what the email described as a team photo. By clicking on the attachment the victim "enabled the attacker to gain control of the PC via the use of Trojan spyware, which then went unnoticed for two weeks while it spied on the network and gathered data."

This is just one example of how clever cybercriminals can be when manipulating unsuspecting people. Last spring the IRS warned about scammers posing in emails as a company's CEO and asking the HR department for all payroll information (including employees' Social Security numbers). Many companies' financial officers - including Mattel's - have been similarly duped into making large wire transfers to overseas banks. "CEO fraud," as the FBI calls it, has cost companies billions.

Not all social engineering scams involve posing as the boss. Hackers who focus on hotels have been tricking customer service reps into opening macro-enabled Word documents that supposedly contain travel plans but also deliver malware. Other companies have experienced ransomware attacks after opening an attachment that appeared to be an invoice, shipping order or some other common document. More than 90 percent of ransomware is spread this way, according to one estimate. An expert recently told Computer Weekly, "Our investigations show that phishing, particularly spear phishing, is the most prevalent threat to organizations, and is a key component in just about every cyber attack."

And it's going to get worse, as criminals employ machine-learning algorithms to determine when and where to strike, as McAfee Labs recently predicted.

The best prevention is awareness at all levels of the organization. Here are some tips.

  • If you see something, say something. Encourage everyone in your company to trust their instincts and question any email (or unsolicited "tech support" phone call) that seems remotely suspicious, even if it means possibly delaying a real request. If the wording, timing or tone of an email from a known source seems off in any way, the recipient should get verification through some other channel, like a phone call. Thank people every time they do this. MasterCard holds "phishing tourneys" in which associates earn points and prizes by identifying attempted scams.
  • Change your habits. If you can imagine one of these scams working at your company, then some of your procedures might be too lax. Use common-sense measures to ensure that money and data cannot be transferred on the basis of an email alone. (Even if you carry insurance against losses caused by data breaches, you might not be covered for social engineering attacks.)
  • Stay informed. Keep up with spear phishing trends and disseminate the information. Google News searches and Concord Technology Group's Facebook, Twitter, and LinkedIn accounts are good places to start.

"Educate your workforce into being resistant to criminal psychological manipulation," advises one expert. "You don't have to (and indeed can't) teach users to become security experts, but teaching them a healthy dose of security skepticism and hygiene will pay dividends."