Spear Phishing

Chris Cassell, Technical Team

Category:

  • Security Blog

“Hello friend!

I am being a prince and investing a great deal of money in the UK banks a few years back. But now they do not like my country no longer and they want let me remove my money. I need helpful UK person to retrieve $30,000,000 from my bank. Of course for help in this matter I let you keep 10% of this money as a gift for your great assistance please send you details to…”

You're not buying this, are you?

No? Good. You're one of the many millions of people who can spot a spam e-mail immediately. You know not to respond because it's just too good to be true. It's poorly written, badly spelled and the grammar is offensive to the eyes.

What you may not know is that this is a deliberate tactic. Attackers write these e-mails badly on purpose so that only a certain slice of the population replies, those unfamiliar with technology, for example. This ensures that the people who do respond are likely to be vulnerable to, and fooled by, the dubious calls to action that follow.

“Susan,

This is Chris from IT.

We've noticed that your computer is one of the ones running slower than it should be in the company and we're sending you the fix for it. It's just a little program attached to this e-mail; it'll show up as an icon at the bottom of the page. It's called fix.exe and if you can just click on it and if it asks you to allow it to run just click yes for me please; hopefully we can get your machine running faster and annoying you less.

Regards,

Chris”

How about now? Your name is Susan and you've heard of Chris from IT.

The sending e-mail address matches your company e-mail address structure.

Your computer is running slow, right? (Everyone thinks their computer is running slow.)

So it's a reasonable request. It all looks legitimate, so you're going to click that fix.exe, say yes and install that malware for the nice scammer, aren't you?

You've just been spear phished.

Spear phishing is the new wave of attacks perpetrated via e-mail. Rather than a poorly worded missive designed to attract the unwary, these e-mails are well written, well formed and personal. The message comes to you in the name of your IT staff, your CEO or your boss. It spoofs their e-mail address and it knows your name. It offers you a good reason to send sensitive information or open an attachment, because it appears to come from exactly the person who would be entitled to ask you to do that.
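As an added example (not part of the original post), here is a small mail-filter check for the three signs that paragraph describes: a From header claiming the company's domain while the envelope sender is somewhere else, a Reply-To that points elsewhere, and an executable attachment such as fix.exe. The company domain, the sender addresses and the sample message are constructed for illustration and are assumptions, not values from the post.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the defender's own mail domain
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1")

# Constructed sample message modelled on the "fix.exe" e-mail in the post.
SAMPLE = """\
Return-Path: <bulk-42@mailer.invalid>
From: Chris from IT <chris.it@example.com>
Reply-To: chris.helpdesk@mailer.invalid
To: susan@example.com
Subject: Your computer fix
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Susan, just click the attached fix.exe and say yes when prompted.
--b1
Content-Type: application/octet-stream; name="fix.exe"
Content-Disposition: attachment; filename="fix.exe"

MZ-constructed-placeholder-not-a-real-binary
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def spear_phish_indicators(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom, envelope_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    # Visible sender claims to be internal, but the envelope sender is elsewhere.
    if from_dom == company_domain and envelope_dom and envelope_dom != company_domain:
        findings.append(f"internal From but envelope sender {envelope_dom}")
    # Replies would be routed to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    # Executable attachments are the payload in the post's example.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            findings.append(f"executable attachment {name}")
    return findings
```

A real gateway would add SPF/DKIM/DMARC results to the envelope check rather than relying on headers alone; this illustrates only the header-level inconsistencies the post describes.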

If you would have done what the above e-mail asked, don't worry: you're not a bad person and you're not stupid. It is worth noting that although executive-level staff are more likely to be targeted, thanks to their better-known persona and greater likelihood of higher-level access to company resources, everyone is vulnerable to this kind of attack.

People in security companies fall for these; people in government organisations fall for these. It's easy to do. Up until now you were simply unaware of the possibilities. Now you are. Welcome to a more secure future.

Here are some tips to help avoid this problem:

  • Only open an attachment, even from someone you know (i.e. a colleague or client), if you have specifically requested that they send one or if you are expecting something from them.
  • Be very, very circumspect when an e-mail is sent to your Junk E-mail folder. Even if it looks legitimate, there's a good reason it was sent to the Junk E-mail folder.
  • If in doubt about the legitimacy of an e-mail or the identity of a colleague or client, ask them. Ask them openly, and through a channel other than the e-mail itself, what it is they have sent or are trying to send you, before opening it.
  • If an e-mail is very poorly worded or contains obvious language-based mistakes, this should raise alarm bells and you should query the sender as to their identity.
  • If in any doubt at all, bounce the words off a colleague or better yet IT staff or a suitably technical friend. It is never, ever stupid to ask.
  • If you open something believing it's all legitimate and then come to realise it was not, tell someone immediately: Action Fraud if it's personal, your IT staff if it's work-based. There is no shame in falling for these things; they send millions a day, and someone is going to fall for it. Minimise the damage.
  • Oh and by the way, if you said yes earlier, just send me a blank signed cheque to the below address.
