New “spear phishing” is ultra-sneaky
… sneaky enough to trick senior managers
Microsoft has issued a warning about “spear phishing” email campaigns finely tuned to get past defense systems.
“Even your most security-savvy users may have difficulty identifying honed spear phishing campaigns,” said Diana Kelley and Seema Kathuria, cybersecurity specialists, in a December 2019 blog entry. “Unlike traditional phishing campaigns that are blasted to a large email list in hopes that just one person will bite, advanced spear phishing campaigns are highly targeted and personal. because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email.”
This is also happening to companies in the Tulsa, according to Realize Information Technology President Jeff Woods.
“We are not only seeing an increasing number of spear phishing attacks, but the messages are getting more sophisticated and harder to detect,” Woods said.
It is up to each of us taking care of daily business to improve our threat detection. Reduce your organization’s risk by understanding what “spear phish” hackers are doing. Let’s look at Microsoft’s recommendations to better protect your organization and users.
Here are three common steps outlined in the blog.
- Hackers select a victim
- Faking believability
- Victim answers call to action
Hackers select a victim
The victims are usually staff with access to the data or money. To identify potential candidates the hackers conduct extensive research, such as:
- Reviewing corporate websites to gain insight into processes, departments, and locations.
- Following company social media accounts to understand company roles and the relationships between different people and departments.
Microsoft’s example shows attackers learn by browsing the web that—for example—the target company’s typical pattern for emails is firstname.lastname@example.org. They also browse websites, social media, and other digital sources for potential hooks.
In order to rip off victims, the hacker must first get the names of people you know and trust. He will find the names of coworkers and managers, your friends, or anyone at an organization with whom you do business.
It is normal for each of us to nurture visible relationships. This is how we have our reputation. But the hacker uses this fact of human nature to harvest your relationships.
“Targeting executives by impersonating the CEO is increasingly common—some refer to it as whale phishing. Executives have more authority and access to information and resources than the average employee.” —Microsoft security blog
A spear phishing campaign against an executive requires the following information:
- Any name from the top five executive managers who might request funds.
- Identify senior leaders with authority to approve large expenditures.
- Monitor a company’s social media posts to glean details of growth or travel.
The hacker then sends an email from Topmanager Name to Middle Manager with an urgent request for more funding for a sales convention in Scotland.
Victim answers call to action
It’s entirely reasonable for Middle Manager to quickly respond to an email from Topmanager Name.
First of all, simply looking at the name in the email From field reminds Middle Manager of how much status and authority is held by Topmanager Name. That creates a sense of urgency. Second, the sales convention in Scotland is something planned for more than two years. It’s a big deal.
“People launching these types of attacks still use fear as the primary motivator for encouraging the users to take action. Fear is a very powerful motivator,” Woods said.
Pro-active procedures block scams
Reduce the odds
First, convey the idea that security applies to everyone, including top brass. Second, short circuit the call to action process. This will take training and probably retraining.
Continuously educate users on how to detect phishing emails. Spear phishing emails do a great job of effectively impersonating a credible source; however, there are often small details that can give them away. Help users be more aware by using training tools that simulate an actual phish. Here are a few clues found in some “phish” that you can incorporate into your training:
- Anything wonky about an email address; the slightest detail.
- Urgency coupled with a request to vary from company policy. Use your imagination (the hackers are).
- Language that evokes fear or empathy or guilt.
- Inconsistent wording. Does the lingo align with company style?
Your security is more important than anyone’s ego. You may have a concern that upper management will be irritated by being required to follow company-wide security standards. Alright, try jotting down several ways to phrase your message that would make a manager glad to know you are helping to protect her/his interests. Outline the benefits!
Sounds a bit blunt, but it is true. Understanding this can save you considerable suffering and financial loss.
Encourage users to communicate potential phishing emails to the proper team. It can also be helpful to talk with peers about the phishing emails received. Talking will alert others to be on the lookout.
Reduce the damage with modern authentication. For example, multi-factor authentication (MFA) can block more than 99.9 percent of account compromise attacks.
Microsoft tools …
Deploy technology that can catch phishing emails. For instance, Office 365 offers a variety of protection against phishing attacks by default and through additional offerings such as Microsoft Advanced Threat Protection (ATP) anti-phishing. Importantly, Microsoft has both been advancing the anti-phishing capabilities of Office 365 and improving catch rates of phishing emails.
Read more useful posts in our “threat types” series!
Photo dart bullseye/target by icon0.com from Pexels