How to Protect Yourself Against Spear Phishing Email Scams

iCorps has seen a significant increase in a particular kind of e-mail threat recently: spear phishing. Just last month, Main Line Health in Bryn Mawr, Pennsylvania learned of a spear phishing incident that exposed the personal information of 11,000 Main Line Health employees.[1] These attacks carry a significant financial burden: the impact of spear phishing over the past 12 months is estimated at an average of $1.6 million.[2] So, as part of our ongoing commitment to cyber security, we wanted to take a moment to let you know about this threat and what you can do to protect yourself.

What is it?
Spear phishing is a targeted scam that uses publicly available information about the recipient to steal money or personal information. Unlike typical phishing, which sends its 'bait' out by the millions (mass e-mails or text messages), a spear phishing message is crafted for one person or a small group. That makes it much harder to identify, both for the recipient and for automated filters.

Who is affected?
Typical targets are finance and HR staff, such as a CFO or HR Director, because they can move money or release employee records. Anyone may be targeted, however: the scammer will approach whoever is most likely to give them access to either money or personal information.

How does it work?
A highly personalized e-mail claiming to be from a trusted source, typically an executive, will ask for a wire transfer or for personal information. Common pretexts include that the CEO is in trouble, needs capital to close a deal, needs to pay the IRS, or needs employee details to set up 401(k) accounts (learn more about whaling, a form of spear phishing that targets C-level executives). There are many other variations; this list is not exhaustive. The scammer's aim is to create urgency so that the recipient acts before looking too closely at the details.

How did they know my e-mail address?
This information is typically sourced directly from corporate websites, LinkedIn, and Facebook. Check whether your e-mail address is published on any of these sources. iCorps is not advising that you remove it, only pointing out how scammers find it.

Why didn’t my spam filter catch this?
The short answer is that the message is sent to one, or at most a handful of, recipients from a real but cleverly disguised e-mail domain, for example a newly registered lookalike of your company's domain. Spam filters look for mail from known-bad domains and for mail blasted to many recipients, so a single well-formed message from a clean lookalike domain scores as legitimate.

What can I do?

  • Be wary of urgent e-mails requesting money, wire transfers, passwords, or any personal information.
  • Look closely at the sender's address, not just the display name, and read the message carefully for incorrect spelling or vocabulary.
  • Follow up with the supposed requestor by phone or IM, using a number you already have rather than one given in the e-mail. Do NOT reply to the e-mail or forward it to anyone unless you can verify it is legitimate.
  • Educate all employees about this risk. Ensure they know what the scam entails, what precautions to take, and how to respond if they do fall victim.
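Because a spear phishing message arrives alone from a clean-looking domain, the checks in the list above (sender address versus display name, where replies actually go, urgency paired with a money or data request) are exactly what a mail gateway or mailbox rule has to test for explicitly. The script below is an added example written for this article, not iCorps tooling; it assumes the company's real domain is example.com and runs over two constructed messages, one using the "CEO needs a wire transfer" pretext from a typo-squatted domain and one ordinary internal note.

```python
"""Triage an inbound message for the spear-phishing signs described above.

Added example for this article, not iCorps tooling. Assumes the company's
real domain is example.com; both messages below are constructed samples.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's genuine domain

URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|today|right away|confidential)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|w-?2|401\(?k\)?|ssn|password)\b", re.I)


def levenshtein(a, b):
    """Edit distance; a small value between two domains marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, org=ORG_DOMAIN):
    """True when domain imitates org: typo-squat, or org's name inside a longer name."""
    d, o = domain.lower(), org.lower()
    if d == o or d.endswith("." + o):
        return False                     # the real domain or a real subdomain
    if o.split(".")[0] in d:
        return True                      # example-secure.com, mail-example.co
    return levenshtein(d, o) <= 2        # examp1e.com, exarnple.com


def triage(raw):
    """Return the findings for one RFC 822 message (as a string) and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower() or from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    findings = []
    if lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates {ORG_DOMAIN}")
    if reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not the sender's {from_domain}")
    if URGENCY.search(text) and MONEY.search(text):
        findings.append("urgent language combined with a money or data request")
    # A lookalike sender is damning on its own; otherwise require two signals.
    suspicious = lookalike(from_domain) or len(findings) >= 2
    return {"from_domain": from_domain, "findings": findings, "suspicious": suspicious}


# Constructed sample: the "CEO needs a wire transfer" pretext from a typo-squat domain.
SPEAR = """\
From: "Pat Chen, CEO" <pat.chen@examp1e.com>
Reply-To: pat.chen.ceo@gmail.com
To: cfo@example.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset="utf-8"

I'm tied up in a meeting and can't talk. Please process a wire transfer
of $48,500 to close a deal before 5pm. Keep this confidential.
"""

# Constructed sample: ordinary internal mail, nothing to flag.
BENIGN = """\
From: Alice Smith <alice.smith@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Sandwiches at noon if you're free.
"""

if __name__ == "__main__":
    for label, raw in (("spear", SPEAR), ("benign", BENIGN)):
        print(label, triage(raw))
```

Run as-is it prints three findings for the first message and none for the second. In practice the same logic belongs in a gateway or transport rule rather than on the desktop; the edit-distance threshold of 2 is a tuning choice that will also flag legitimately short partner domains, so pair it with an allowlist, and treat the Reply-To mismatch as the strongest of the three signals after the lookalike domain, since it is how the scammer gets the victim's answer back to a mailbox they control.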


[1] http://www.philly.com/philly/business/20160303_Main_Line_Health_employees_victims_of_identity_theft.html
[2] http://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/