Guest Sundancefisher Posted January 19, 2010

Spear-Phishing?

We have likely all heard of phishing by now. It is a phenomenon that is not new to those who use email, and it does not seem to be going away; if anything, phishing emails are getting harder to detect. Like phishing, spear phishing is an email spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. A spear phishing message looks like it comes from your employer or a colleague (or from a "third-party company" working on behalf of your company) who might send IT communications and could include requests for user names or passwords. In fact, the email sender information has been spoofed in an attempt to gain access to a company's entire computer system. The sender could purport to be HR, Legal, an Executive, the IT department, etc. This is the time of year, too, when phishing emails pretending to be from tax authorities will be "out in the wild"!

At least one person at our shop has received the following email. This email has not been sponsored by HR, but there could be some misconceptions as to the source.

________________________________________

Hays is conducting a Compensation, Benefits, Recruitment and Retention Survey. The results are included in our Annual Salary Guides, providing a complete picture of the current employment market. Please take a few moments to complete this survey. Your answers are kept anonymous, so you can feel complete confidence in answering the questions candidly.

Here is a link to the survey: Http://____.co m

This link is uniquely tied to this survey and your email address. Please do not forward this message. All invited participants in this survey will receive a copy of their preferred industry Salary Guide, expected in Q1 2010.

Please note: If you do not wish to receive further emails from us, please click the link below, and you will be automatically removed from our mailing list.

Http://____.co m

If you were the recipient of a similar message, please ignore it and delete the email, as it has not been initiated by our company.

________________________________________

Avoid the Spear

There are some useful methods one can use with any phishing attack, but in some ways, defending yourself is easier with spear phishing. Here are five steps to avoid this type of fraud.

1. Think First, Click Later
Doubt is a necessary precaution in this case. If there is the least chance that the email is from a source other than what it purports, do not click the link.

2. Cut and Paste
A better practice is to mouse over a link, right-click, and copy the hyperlink to be pasted into the address bar of your browser.

3. Verify Legitimacy
We mentioned that spear phishing can be easier to detect; that is because you most likely have the ability to verify the legitimacy of the email through a phone call or a visit. Take the time needed to verify the sender.

4. Consider Motive
A simple step is to consider why this person would want our credentials or information in the first place. What could they do with it? An employee, be it a manager or someone in another department, should never make a request for personal or privileged information in an unsolicited email.

5. Report It
Report any email that you suspect might be a spear phishing campaign. Please send a copy to Information Security immediately.

THEREFORE SPREAD THE WORD AND STOP THE ATTACKS.
headscan Posted January 19, 2010

Number 2 in the list for avoiding "spear phishing" is incorrect. Right-clicking the link, then copying and pasting it into the browser's address bar will still send you to the phishing website.
Guest Sundancefisher Posted January 19, 2010

> Number 2 in the list for avoiding "spear phishing" is incorrect. Right-clicking the link, then copying and pasting it into the browser's address bar will still send you to the phishing website.

Good point...
Guest Sundancefisher Posted January 19, 2010

> Good point...

I copied this from the company warning email. I wonder if what they are getting at is that the link can have anything for a description, but maybe in the browser it will show the actual link? Whatcha think?
rehsifylf Posted January 19, 2010

> Good point...

Actually, the advice is correct. What they are trying to do here is make sure that you don't click on the link in the email message because, although the link might display as www.yourcompany.human resources.company survey in your email, the URL embedded in the link might actually be www.identifytheft.nowyouarescrewed.com. It is easy to edit links to display whatever you want (right-click on the link, Edit Hyperlink, and change the "Text to display" to anything). If you copy the displayed text and paste it into your browser, it will try to go to the displayed URL, which probably does not exist or may be your legitimate company website. The phishing effort is to try to make you think it is legit because the URL has your company web address in it. If you just hit the link, it may come up with a web page that looks exactly like your company web pages, and if you don't check the address bar (some people don't even show the address bar) you'll think you're on your company website and won't notice you're over at nowyouarescrewed.com.
headscan Posted January 19, 2010

It's just bad advice, particularly the way it's worded. If I send you an email with this in it: www.yourbank.com, it looks like a link to yourbank.com, but it's actually a link to evilphishingsite.com. If you right-click the link, select "copy link", then paste it into your address bar, you get the same result as if you had just clicked on the link. In that case you're better off just manually typing the address into your address bar, in this case www.yourbank.com. More importantly, most banks and other companies have thankfully gotten out of the habit of sending links in email. If in doubt, the best thing to do is phone the company or your bank to find out if the email is legit (just don't use any phone numbers included in the email). Better still, just don't click any links you get in email.
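The trick both rehsifylf and headscan describe, anchor text that reads as one URL while the href points somewhere else, is mechanically checkable. The following is an added example, not code from the original thread or from any product mentioned in it: it parses an HTML email body with the Python standard library, collects every anchor, and flags those whose visible text looks like a URL but names a different host than the real link target. The sample message, the hostnames in it, and the "strip a leading www." normalisation are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for this example. The first anchor imitates the
# trick discussed in the thread: the text shows the company's host, the href
# does not. The second anchor is consistent, the third has non-URL text.
SAMPLE_EMAIL = """
<p>Please take a few moments to complete this survey.</p>
<p>Here is a link to the survey:
<a href="http://survey.example.net/s?id=42">www.yourcompany.example/hr/survey</a></p>
<p>Unsubscribe:
<a href="http://yourcompany.example/unsubscribe">http://yourcompany.example/unsubscribe</a></p>
<p>See the <a href="http://yourcompany.example/benefits">benefits page</a>.</p>
"""

# Rough test for "this text is being presented as a web address".
URL_TEXT = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def looks_like_url(text):
    """True when the anchor text itself reads as a URL or bare hostname."""
    return bool(URL_TEXT.match(text.strip()))


def registrable_host(url):
    """Lowercase host of a URL, adding a scheme for bare 'www.x.y' text.

    Leading 'www.' is dropped so 'www.yourbank.com' and 'yourbank.com'
    compare equal. This is an assumption for the example; a real triage
    tool would compare against a public-suffix list instead.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").strip(".")
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html_body):
    """Return (shown_host, real_host, href) for every deceptive anchor.

    An anchor is deceptive when its visible text is a URL whose host
    differs from the host of the href the browser would actually open.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not href or not looks_like_url(text):
            continue  # plain-word links cannot be checked this way
        shown, real = registrable_host(text), registrable_host(href)
        if shown != real:
            findings.append((shown, real, href))
    return findings


if __name__ == "__main__":
    for shown, real, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"text shows {shown!r} but link goes to {real!r} ({href})")
```

Running the script on the sample reports only the survey link: the text shows yourcompany.example but the href opens survey.example.net. This check catches the display-text trick headscan describes; it does not help with anchors whose text is a plain phrase, with a look-alike host that merely resembles the real one, or with a message that lands you on a cloned page after a redirect, which is why the thread's closing advice to type the address yourself or phone the sender still stands.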