Spear Phishing Attacks: What You Can Do to Prevent Them
iCorps has seen a significant increase in a particular kind of e-mail threat recently: spear phishing. Recently, Main Line Health in Bryn Mawr, Pennsylvania, learned of a spear phishing incident that affected the personal information of 11,000 employees. These attacks pose a significant financial burden: the impact of spear phishing in the past 12 months averages $1.6 million per attack. Here's what you need to know about this threat, and how to better secure your personal information:
What Is Spear Phishing?
Spear phishing is a targeted scam that uses publicly available information about the recipient to attempt to steal money or personal information. Unlike typical phishing scams that send out ‘bait’ in the millions (such as mass e-mails or text messages), spear phishing is a specialized and targeted scam, which makes these threats much harder to identify. Typical targets are financial and HR professionals such as a CFO or HR Director. However, anyone may be targeted, as the scammer will cast a wide net in order to gain access to either money or personal information.
How Does It Work?
A highly personalized e-mail claiming to be from a trusted source will typically ask for a wire transfer or for personal information. Common variations include that the CEO is in trouble, needs capital to close a deal, needs to pay the IRS, or needs personal information to set up 401(k) accounts for employees (learn more about whaling, a form of spear phishing that targets C-level executives). There are many additional variations, however, and this list is not exhaustive. The scammer’s aim is to create a sense of urgency in the message so that the recipient does not look too closely at the details.
Scammers typically source information directly from corporate websites, LinkedIn, and Facebook. Check to see if your e-mail addresses are published on any of these sources. iCorps is in no way advising that you remove the e-mail addresses, only pointing out how scammers are finding this information.
Why Didn’t My Spam Filter Catch This?
The shortest answer is that this is a scam being sent to one, or at most a handful of, individuals using a real but cleverly disguised e-mail domain. Spam filters look for e-mail from bogus domains and e-mail that is being blasted to many recipients. Take these precautions to reduce your risk of a spear-phishing attack:
- Be wary of urgent e-mails requesting money, wire transfers, passwords, or any personal information.
- Look closely at the sender’s address, and read the message carefully for incorrect spelling or unusual vocabulary.
- Follow up with the sender by phone or IM. Do NOT respond to the e-mail or forward it to anyone unless you can verify it is legitimate.
- Educate all employees about this risk. Ensure they know what the scam entails, the precautionary measures to take, and the process to follow if they do fall victim.
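The two sender-side red flags above (a disguised domain and urgent money or credential requests) can be turned into a simple triage check. This is an added example, not code from iCorps or the original article; the trusted domain list, the keyword lists and the sample message are constructed, and it assumes the message has already been parsed into its From, Reply-To and body.

```python
"""Defender-side triage of a suspected spear-phishing e-mail (added example)."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: domains this organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Phrases matching the urgency and the money/credential asks described above.
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
REQUESTS = re.compile(r"\b(wire transfer|wire|password|w-?2|ssn)\b|401\(k\)", re.I)


def normalize_domain(domain):
    """Fold common visual substitutions so 'exarnple-c0rp.com' reads as the real name."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is
    exactly a trusted domain or clearly unrelated to all of them."""
    if domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if norm == t or SequenceMatcher(None, norm, t).ratio() >= 0.85:
            return t
    return None


def triage(from_header, reply_to, body):
    """Return the reasons a message deserves out-of-band verification by phone
    or IM; an empty list means none of the red flags above were found."""
    reasons = []
    from_dom = parseaddr(from_header)[1].rpartition("@")[2].lower()
    target = lookalike_of(from_dom)
    if target:
        reasons.append(f"sender domain {from_dom!r} imitates {target!r}")
    if reply_to:
        rt_dom = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if rt_dom != from_dom:
            reasons.append(f"Reply-To domain {rt_dom!r} differs from sender domain")
    if URGENCY.search(body) and REQUESTS.search(body):
        reasons.append("urgent language combined with a money or credential request")
    return reasons


# Constructed sample resembling the "CEO needs a wire transfer" scenario above.
SAMPLE = triage("Jane Doe <ceo@exarnple-corp.com>", "ceo@webmail-lookalike.example",
                "I'm closing a deal and need a wire transfer sent today. Do it asap.")
```

Running `triage` on the sample reports all three flags; a routine internal message from a trusted domain with no urgency language returns an empty list.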
If your business needs assistance implementing any of the above, we can help. Reach out to us for a free consultation and give your e-mail the enterprise protection it deserves.