Spear Phishing --- A Bullet with Your Name on It
Gangsters and their hit-men have a sacred custom. When they have a special target to eliminate, they sometimes put the victim’s name right on the bullet. The cold-blooded act has now become personal as well.
Hackers do the same thing in targeting victims. Many of us no doubt have already heard of phishing, those fake emails that try to trick us into giving up crucial information, or fool us into downloading some nasty malware. The general approach to email phishing is called ‘spray and pray’: sending out a large number of emails and hoping that just a few hit a target and yield results.
If email phishing is like spraying buckshot, then spear phishing is like someone using a high-powered rifle with a laser scope. Hackers will take their time, like a seasoned assassin, gathering intel about your company, its departments, and their key personnel. They may be inside or outside your network watching daily activity, learning who does what and what the regular routines are. The ‘dwell time’ during which they can sit silently and undetected inside could be weeks, or even months. Unlike mass email phishing, they are in no hurry for quick results. They will take as much time as they need to launch a very well researched attack.
They will learn, for example, who the owner or CEO is, who handles the money, who executes payments, who has the spending power, and so on. By gaining access and reading daily emails they can learn the mannerisms, nicknames, and other unique phrases that employees use while communicating with each other every day. By absorbing this information, they are preparing to blend in, so they can impersonate important decision makers.
Regular fishing is passive: it involves someone sitting with a hook in the water and hoping a fish takes the bait. Spear fishing is aggressive, smart, and proactive; it involves directly spearing a fish as it swims by.
When ready, they will take aim and send a well-crafted spear-phishing email to the appropriate employee. A frequently used strategy is that the accounts payable department, or the CFO, receives an email appearing to be from the CEO instructing payment to a certain NEW account. It all seems routine and normal, the payment is made, and the money is lost. Then the intruder leaves, wiping his trail away.
How do we prevent this?
There are some common sense safeguards we can use to prevent such attacks:
1- Institute verbal confirmation on all payment instructions above a determined amount.
Receiving an email should not be enough authorization to release a payment. It should be confirmed verbally, in person or by phone. When confirming by phone, the sender of the instructions should also give an agreed verbal password, since deepfake technology can now imitate voices on calls.
2- Use email encryption on all email involving payment instruction or other highly sensitive content.
Using encryption that only certain key people at your firm have access to is another way to safeguard email content from being read by a third party. This will prevent an intruder from gathering data silently in the first place. Changing encryption keys periodically will keep things more secure as well.
3- Change email passwords regularly to prevent intrusion and access to the network and email accounts.
All employees should change passwords periodically to stop intrusion into your network. Longer passwords that include symbols and numbers are harder to crack. Another good practice is to use a passphrase. These longer passwords can be a sentence or phrase that is easy for the user to remember and only makes sense to them, which also makes them very hard to guess. An example would be the sentence ‘my cat wears blue shoes on Monday’, which becomes ‘mycatwearsblueshoesonmonday’. Adding numbers and symbols will make it more bullet-proof.
Deleting all old and unused email accounts is also recommended to close these doors to intruders.
4- Do not publish full names of key personnel and their email address on your website.
Posting full names, pictures, email addresses, and phone numbers of key people on your website is not a good idea. Publicly available information, coupled with social media information, makes it easy to figure out passwords and other sensitive data that can be used to compromise your company. Don’t overshare your personal information or current location on social media either.
5- Create new account procedures to verify and confirm all new accounts that are to receive payments.
Any new account that is set up to receive funds from your firm must go through a detailed setup process involving all the people normally involved in a transaction. Sudden and surprise new accounts must never be honored until they have cleared an internal vetting process. Maintaining an approved payee list with protocols is a good procedure to use.
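Safeguards 1 and 5 together describe a simple release control: pay only to accounts already on the approved payee list, and above a set amount only after a verbal call-back with the agreed password. The following is an added illustration of that control in code, not part of the original article; the threshold, payee names, account numbers, and email addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample policy: payments above this amount need a verbal
# call-back with the agreed password, whoever the email claims to be from.
VERBAL_CONFIRMATION_THRESHOLD = 10_000.00

# Constructed approved payee list: payee name -> account on file, which was
# set up through the internal vetting process, never taken from an email.
APPROVED_PAYEES = {
    "Acme Supplies": "GB00TEST00000001",
    "Blue Shoe Ltd": "GB00TEST00000002",
}

@dataclass
class PaymentInstruction:
    requested_by: str               # address the instruction arrived from
    payee_name: str
    payee_account: str              # account number as given in the email
    amount: float
    verbal_confirmed: bool = False  # set only after a successful call-back

@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)

def evaluate_payment(instr, approved=APPROVED_PAYEES,
                     threshold=VERBAL_CONFIRMATION_THRESHOLD):
    """Release only if the payee account matches the vetted list and, above
    the threshold, the instruction has been verbally confirmed."""
    decision = Decision(release=True)
    on_file = approved.get(instr.payee_name)
    if on_file is None:
        decision.release = False
        decision.reasons.append(
            "payee not on approved list: route to new-account vetting")
    elif on_file != instr.payee_account:
        # The classic spear-phish pattern: a known payee, but a "NEW" account.
        decision.release = False
        decision.reasons.append(
            "account differs from account on file: vet as a new account first")
    if instr.amount > threshold and not instr.verbal_confirmed:
        decision.release = False
        decision.reasons.append(
            "amount above threshold: verbal confirmation with password required")
    return decision
```

A real implementation would also record every blocked instruction, since a "changed account" request that fails this check is itself a signal worth investigating.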
6- Have employees undergo security awareness training that involves how to recognize phishing and spear phishing emails.
Most important of all, teach your people to recognize phishing emails. Train them to change passwords, lock unattended workstations, and practice general physical security as well. Realize also that attacks can come from inside. Adopting internal security procedures is vital to prevent employees from gaining information they should not have. This means going beyond having a security culture to instilling security habits and attitudes that prevent intrusion and attack from happening in the first place.
Dark web scanning, penetration testing, and vulnerability scanning done by an outside third party will give impartial results. A set of fresh eyes from outside on your infrastructure may uncover issues that have gone unseen during day-to-day routines. Armed with awareness, you will hopefully be able to protect your organization from spear phishing, and dodge a bullet.
Cybersecurity & Technology Consultant
INVAR Technologies Inc