Spear Phishing, not just an Outdoor Sport Anymore
A far more alarming type of phishing called “spear phishing” has emerged.
In this instance, a malicious actor does their homework. They research your organization, identify key targets like your management team, and begin to build a profile on them. They use publicly available information from social media, LinkedIn, and other online resources to craft messages that appear to be “legitimate”.
These messages appear far more realistic than a generic phishing attack because they include information you trust or know to be accurate.
These attackers use this data to try to gain access to your organization by many means, including impersonating you, a colleague, a vendor, or a client. They can even spoof email addresses so that a message appears to come from one of those people.
Phishing arrives by a variety of methods, usually email. In the case of spear phishing, however, it is not unheard of for someone to send a fax impersonating a trusted source, right down to the phone number the fax appears to have originated from.
credit: NASA Federal Credit Union
Because these attacks are more sophisticated, those in senior leadership positions should exercise diligence, especially when handling requests for financial transactions. If a request looks even slightly unusual, phone the person who sent it to confirm it's legitimate, using a number you already have on file rather than one supplied in the message.
Phishers are also generally aggressive. They may send several messages asking whether you have completed the transaction, or send angry emails to pressure you into believing the request is legitimate and that you are holding up business by delaying it.
Spear phishers usually try to get you to open an attachment or click a link that takes you to a website you would normally trust, such as Microsoft Office Online, Dropbox, or your bank. The site then asks you to enter your credentials to access the document or other file they have sent. Doing so hands your information to the attacker, who can then take over your accounts.
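The spoofed-sender and lookalike-link tricks described above leave traces in the message itself. The following script is an added example, not code from the original post or from Nucleus; it parses a raw email and reports the indicators a mail gateway or help desk would check first: a Reply-To that points somewhere other than the claimed sender, a sender domain one or two characters away from the company's own, SPF/DKIM/DMARC results recorded by the receiving mail server that are not "pass", and links whose visible text names a different site than the real destination. Both sample messages, the internal domain `example-corp.com`, and all addresses and hostnames are constructed for the illustration.

```python
"""Added illustration: flag common spear-phishing indicators in a raw email.
Not from the original post; the sample messages and domains are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the defender's own mail domain

# Constructed sample: lookalike sender domain, free-mail Reply-To, failed SPF,
# and a link whose visible text does not match its real destination.
SAMPLE_SPOOFED = b"""From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: cfo@example-corp.com
Subject: Urgent wire - please handle today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Please approve the attached invoice before 3pm.</p>
<a href="http://login.example-corp.com.evil-host.example/doc">https://office.com/invoice</a>
</body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = b"""From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 numbers
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Content-Type: text/html; charset=utf-8

<html><body><p>Draft is here:</p>
<a href="https://files.example-corp.com/q3">https://files.example-corp.com/q3</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; production code would use a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def find_spoofing_indicators(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list[tuple[str, str]]:
    """Return (indicator code, detail) pairs for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    from_domain = _domain_of(str(msg["From"] or ""))
    reply_domain = _domain_of(str(msg["Reply-To"] or ""))

    # 1. Replies silently routed to a different domain than the one shown in From.
    if reply_domain and reply_domain != from_domain:
        found.append(("reply-to-mismatch", f"From {from_domain} but replies go to {reply_domain}"))

    # 2. Sender domain within two edits of our own (e.g. a digit 1 standing in for an l).
    if from_domain != internal_domain and _edit_distance(from_domain, internal_domain) <= 2:
        found.append(("lookalike-sender-domain", from_domain))

    # 3. SPF/DKIM/DMARC verdicts stamped by our receiving mail server.
    auth = str(msg["Authentication-Results"] or "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() != "pass":
            found.append((f"auth-fail:{method}", result))

    # 4. Links whose visible text is a URL or hostname that differs from the real target,
    #    and hostnames that bury our domain as a decoy label under an attacker-controlled one.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I)
        if looks_like_url and _registered_domain(shown) != _registered_domain(host):
            found.append(("link-text-mismatch", f"shows {shown}, goes to {host}"))
        if internal_domain in host and _registered_domain(host) != internal_domain:
            found.append(("decoy-internal-domain", host))
    return found


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, find_spoofing_indicators(raw))
```

None of these checks proves a message is malicious on its own; a forwarded newsletter legitimately fails SPF, and marketing mail routinely sets a foreign Reply-To. Their value is in combination, and the script is meant as a triage aid that gives the person phoning to confirm a request something concrete to point at.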
While there is no silver bullet for preventing phishing attacks, vigilance, user training, and awareness are key to limiting the risk.
If you have received a suspicious message and are a Nucleus client, give us a call and we'll be glad to help you determine whether the communication is legitimate.