Spear Phishing: Why You Should Be Protecting Your Email

Email users don’t always think twice about responding to a strange email or clicking a link for more information. Unfortunately, these small steps can open a floodgate for potential disaster; getting hooked by a spear-phishing scheme. This approach has proven to be very effective, as Symantec reported that last year, spear phishing was the number one infection vector (method used to spread a virus or malicious program), used by a whopping 71% of organized groups that target users and organizations. Whether you’re a casual computer user or the owner of a small to midsize business, knowing the ins and outs of a spear phishing email, as well as preparing for the potential consequences of falling for a scam, are a must to stay protected online. This is even more imperative during high shopping periods like the holiday season when users are receiving more emails promoting deals and special offers, making it all the more tempting to open a promising email or click a link.

While regular phishing targets thousands of individuals with a generic email, spear phishing is more sophisticated and direct with its targets. The hackers behind these schemes are looking for confidential information that will fetch them a profit or mediums to spread malware across a larger network. Because of the potentially high payoff of a successful attack, hackers have to spend a lot of time researching potential victims; they are known to use social media, public profiles and even materials off of company websites to adopt a persona. Hackers will pose as a friend, family member, coworker or assume the identity of an institution like a bank or government agency. Because they target smaller groups of people and individuals, the emails are more personalized, making it all the more likely that someone will fall for their trap.

How can you identify a spear phishing email?

Breaking down an email’s look and feel can offer several clues as to whether or not it may be a spear phishing attempt. Here are a few things to look out for:

• Email addresses - Spear phishing emails sometimes use unfamiliar domain names or emails that do not match the legitimate ones for the company they are disguised as. If you’re unsure, do a quick search of the address to confirm. Additionally, be suspicious if your email is not appearing in the “To” address bar, or is inconsistent with the email you have linked to a related account
• Spelling and grammar – Emails with obvious misspellings, missing punctuation, extra spaces and more obvious errors should raise a red flag, particularly for a professional organization
• Requests for information - If a business like a bank is asking you to verify personal information via email, this should be a hint that something is wrong, as these companies adhere to privacy and compliance laws that would prevent them from doing so
• Email signatures - Sometimes, scammers will use email signatures to try to look more legitimate. If there is no branded logo or listed contact information from the company they’re representing, be wary. Alternatively, if there is information included, do a search on it. Oftentimes, you’ll find spoofed websites with fake information, information that does not match up with the company listed or sites that have called out the scam
• Links - You can hover over buttons or linked text in emails to see the full hyperlink and see if it’s something you recognize. It’s better to be safe than sorry when it comes to links, so if you’re not sure, don’t click. If you accidentally do, exit as soon as you can and cancel any downloads that might be starting, as those likely contain viruses or other malware that will quickly infect your computer and possibly your network
• Attachments - A common scam used by spear phishers is to fake an email from a client or company with an invoice attachment. If you see an invoice or other attachment that’s suspiciously labeled or related to materials you are not familiar with, do not open them. All it takes for some viruses to begin infecting a computer is a click

How can you reduce your risk of being targeted by an attack?

There are steps that individuals, as well as companies, should take to better prepare for potential spear phishing attacks.

1. Manage online presence – Limit the amount of public information listed on social media, public and company websites
2. Secure logins and passwords – Using the same password for all online accounts makes it easier for spear phishers to access more information faster. Consider a password manager to keep track of everything securely, and use multi-step verification whenever possible
3. Install security add-ons – Explore security options offered through internet browsers or a network security program for an extra layer of security that can monitor threats in real-time
4. Keep software updated – Keep software up-to-date so new security patches and fixes for old holes and bugs will be less of a problem in the future
5. Stay informed – Read up on the latest security breaches to learn about the current techniques phishers are using. There are also several websites that individuals can post on when they’ve received suspicious emails to others

Businesses have larger networks and accounts to protect, so the above steps should be part of a more comprehensive security awareness training program. Introducing this to new employees during onboarding and rolling this out to current employees will ensure that these measures are followed across the board. Additionally, companies with a developed IT department or managed service provider can send simulated spear phishing emails to employees in order to determine who is likely to respond to a potential scam and provide them with more extensive training.

What can you do if you receive a spear phishing email?

If you have to question whether or not an email is legitimate, don’t click it and don’t respond to it. Many companies have specific emails and pages dedicated to reporting cyber threats; use them to contact the related company to get confirmation on whether or not what you received was correct and to warn them about the scam that’s using their name. Also, make sure to add the phishing address to your blocked list and spam folder, delete the email or send it to the junk file and dump out whichever bin it ends up in.

To find out more about Impact’s cybersecurity and managed IT offerings, call us at 866.964.5050 or fill out our MIT form and a local Impact representative will get in touch.