Targeted email attacks are an increasingly difficult problem to stop through technology alone; combating them effectively requires processes and people (via education) as well. Commonly called ‘spear phishing’, or ‘whaling’ when the target is high profile, the core of the attack is social engineering combined with elements of truth drawn from our recent online activities.
So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some won’t have anything at all that gives the game away, instead building a rapport over time. Others rely on shortened hyperlinks, or on attachments that contain hyperlinks, such as an Adobe® PDF file. These may lead to fake login sites, fake banking sites or any of a whole host of scenarios the criminals can think of. Well-crafted attachments may look like genuine invoices, complaints, court summonses, etc.
Secondly, if the criminals have phished the credentials of a supplier or client, everything can look identical to a real email. The sending domain is real and the signature is real (albeit the telephone numbers may be slightly different in case you call), so there is nothing whatsoever for most security systems to flag and block. Even if a fake link is present, multiple web address shorteners are often stacked together to hide the true final destination. The criminals can also use text messages, phone calls and social media to lend an air of authenticity to their scenarios. If you are targeted, the criminals will probably have a list of communication options for you, as well as for anyone they have phished that you deal with.
So how do you fight back? Two-step authentication can help stop you being phished for credentials, as a username and password alone are not enough to gain access. Next, robust processes for any electronic payments or changes of bank details need to be put in place, so that the necessary pre-checks are done to confirm the request is genuine. Educate your users about the social engineering and psychological tricks that may be employed against them, together with guidance on how information posted on social media can be used by the criminals to create plausible scenarios. Also, legitimate cloud file sharing and collaboration links do not need to go through web address shorteners, so treat any that do as suspicious.
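As an added example (not from the book or the author's own material), the shortener checks above can be automated: the code follows a link one redirect at a time, counts how many shortener hops hide the final destination, and flags a shortener sitting in front of a cloud file-sharing link. The shortener list, the cloud-share host and the redirect table are constructed assumptions; the live resolver assumes the requests library is installed.

```python
from urllib.parse import urlparse, urljoin

# Constructed lists (assumptions): extend both for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
CLOUD_SHARE_HOSTS = {"share.example.com"}  # placeholder for your own file-sharing hosts

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def expand_chain(url, resolve, max_hops=10):
    """Follow redirects one hop at a time; resolve(url) returns the next URL or None."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            break
        nxt = urljoin(chain[-1], nxt)  # handle relative Location headers
        if nxt in seen:                # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def assess_link(url, resolve):
    """Count shortener hops hiding the destination and flag a shortened cloud-share link."""
    chain = expand_chain(url, resolve)
    shortener_hops = sum(1 for u in chain if host_of(u) in SHORTENER_HOSTS)
    return {
        "final": chain[-1],
        "hops": len(chain) - 1,
        "shortener_hops": shortener_hops,
        "stacked_shorteners": shortener_hops > 1,
        "shortened_cloud_share": shortener_hops >= 1 and host_of(chain[-1]) in CLOUD_SHARE_HOSTS,
    }

# Constructed redirect table so the example runs offline (example/.invalid names only).
REDIRECTS = {
    "https://bit.ly/3abc": "https://tinyurl.com/xyz",
    "https://tinyurl.com/xyz": "https://is.gd/q1",
    "https://is.gd/q1": "https://login-example.invalid/docs/invoice.pdf",
    "https://t.co/short": "https://share.example.com/file/123",
}
table_resolver = REDIRECTS.get

def http_resolver(url):
    # Live resolver (assumption: requests is installed): one hop per call, no auto-follow.
    import requests
    r = requests.head(url, allow_redirects=False, timeout=5)
    return r.headers.get("Location") if 300 <= r.status_code < 400 else None
```

Run `assess_link(link, http_resolver)` against a real link to see every intermediate host rather than only the final page a browser would show.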
Read more practical, no-nonsense advice in Nick Ioannou’s book, A Practical Guide to Cyber Security for Small Businesses.
About the Author:
Nick Ioannou is an IT professional, blogger, author and public speaker on cloud and security issues, with over 20 years’ corporate experience, including 15 years using cloud/hosted software as a service (SaaS) systems.
He started blogging in 2012 on free IT resources (http://nick-ioannou.com), with over 400 posts to date. He is the author of Internet Security Fundamentals and a contributing author of two books, Managing Cybersecurity Risk and the recently published Conquer The Web.
More free security advice and resources, and information on how to contact Nick, can be found at www.booleanlogical.com.