Since January 2015, the FBI in the US estimates that cybercriminals have stolen around $3 billion (USD) from more than 22,000 companies worldwide using spear phishing scams. The most popular method is a type of spear phishing attack known as a Business Email Compromise (BEC) scam. The targets of these BEC scams are businesses that regularly use wire transfer payments or work with foreign suppliers.
So why are BEC spear phishing scams so effective? They’re personalised. Cybercriminals spend a lot of time and effort tailoring each email they send, hoping to avoid suspicion and reduce the chance that the message is questioned.
How Does Spear Phishing Work?
The first step is to gather personal information, and there are various techniques for getting it. One is to send a generic phishing email to all employees at a targeted business, containing a request for details about the business or about certain individuals who work there. Another is to send an email carrying malware designed to collect the information the hackers need for the next step in their spear phishing scam.
Another popular method of information gathering is social engineering. Cybercriminals will scour a targeted business’ online presence, such as the popular social media networks, looking for information about the business and the people they will be sending the email to. Sometimes they even call the company to obtain a job title or email address.
What Do Spear Phishing Emails Look Like?
Because they’re personalised, they can be hard to spot. By knowing which elements to look for, your employees stand a better chance of not falling victim to a BEC scam. Keep in mind that the better cybercriminals have done their research and customised their spear phishing emails, so most of the usual tell-tale signs might not be obvious at first.
- No generic greeting: Spear phishing emails will often use the recipient’s name, or no greeting at all.
- No awkward wording: It’s extremely rare for a BEC email to contain grammatical errors or spelling mistakes.
- No generic messages: Spear phishing emails are well crafted around business matters relevant to the recipient. There’s never anything generic about them.
- No urgency: BEC spear phishing emails are often professional in tone. They entice the recipient to act rather than trying to scare them into acting quickly.
But despite the lack of those tell-tale signs, some elements can still suggest an email is part of a spear phishing scam:
- Spoofed ‘From’ name: Used to trick the recipient into thinking the message came from a trusted source. Researchers at GreatHorn analysed around 500,000 spear phishing emails sent by hackers in 2016 and found that about 90% contained spoofed names in the “From” field.
- Masked URLs: URL masking is where the actual URL behind a link in an email is not the same as the displayed link text. For instance, the displayed text might show a legitimate supplier’s name or web address, such as www.intellectit.com.au. As an example, we’ve masked that link in this post so that it leads to another website altogether. Cybercriminals aren’t as nice with their URL masks: theirs are designed to steal sensitive information or install malware. If you hover your mouse over a link, the real destination will usually show up so you can see where the link leads.
- Unsafe attachments: The oldest trick in the book, still used because people still fall for it. Opening attachments without stopping to think about what they are or who sent them is far too common. Back in 2016 many hackers used spear phishing attacks to encourage recipients to open malicious attachments. This would set off a ransomware attack that encrypted all the business files the user had access to and demanded money in return for an unlock code.
- A call to action: Spear phishing emails often encourage the recipient to do something. For example, a spear phishing email is sent to the person responsible for performing money transfers, masked to look like it comes from a director. It requests a transfer of money to a certain account because the sender is stuck at an airport and can’t do it themselves. Or the email tries to trick the recipient into opening an attachment or clicking a URL. These are classic signs of a BEC scam.
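The two checks described above for a spoofed ‘From’ name and a masked URL can be automated, so that a mail filter or a helpdesk tool flags them before a person has to hover over every link. The Python script below is an added example written for this post and is not code from Intellect IT or from GreatHorn. It assumes a constructed sample message, an organisation domain of example.com, a small staff directory (KNOWN_STAFF) mapping display names to the addresses they really send from, and a crude registrable-domain heuristic; a production tool would replace that heuristic with the Public Suffix List. It parses the raw message with the standard library, compares the display name in the From header against the directory and the sender domain against the trusted list, and reports every link whose visible text is itself a web address on a different domain than the real href, which is exactly the mismatch that hovering over a link reveals.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email): the display
# name imitates a director, the address is on a look-alike domain, and the link
# text shows a trusted-looking address while the href points elsewhere.
SAMPLE_EMAIL = """\
From: "Jane Director" <jane.director@examp1e-corp.com>
To: accounts@example.com
Subject: Supplier payment
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Sam, I am stuck at the airport and cannot log in. Please pay
the supplier today via <a href="http://portal.login-verify.example.net/pay">www.intellectit.com.au</a>.
Our own site is <a href="https://www.intellectit.com.au/">here</a>.</p></body></html>
"""

# Assumed for the example: the organisation's own domain and a small staff
# directory mapping display names to the addresses they really send from.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_STAFF = {"jane director": "jane.director@example.com"}
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the visible link text itself reads as a web address."""
    return bool(URL_LIKE.fullmatch(text.strip()))


def host_of(value):
    """Hostname from an href, or from display text that reads as an address."""
    value = value.strip()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain (last two labels, three for forms like example.com.au).
    A heuristic for this example only; production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "net", "org", "gov", "edu"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def masked_links(html_body):
    """Links whose visible text is an address on a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue  # text such as "here" gives nothing to compare with the href
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append({"shown": text, "actual": href})
    return findings


def from_header_findings(msg, trusted_domains, known_staff):
    """Flag a From header that borrows a known colleague's name or uses an external domain."""
    display, addr = parseaddr(msg["From"])
    addr = addr.lower()
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    expected = known_staff.get(display.strip().lower())
    if expected and expected != addr:
        findings.append("display name %r is used by %s, not %s" % (display, expected, addr))
    if addr_domain and addr_domain not in trusted_domains:
        findings.append("sender domain %s is outside the trusted domains" % addr_domain)
    return findings


def analyse(raw_message, trusted_domains=TRUSTED_DOMAINS, known_staff=KNOWN_STAFF):
    """Parse a raw message and return the From-header and masked-link findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body is not None else ""
    return {"from": from_header_findings(msg, trusted_domains, known_staff),
            "masked_links": masked_links(html_body)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_EMAIL).items():
        print(kind, items)
```

Run as a script, it reports two From-header findings for the sample (the director’s name paired with the wrong address, and a sender domain outside example.com) and one masked link, where the text www.intellectit.com.au hides an href on example.net. A link whose visible text is an ordinary word like “here” is deliberately not compared, because there is no claimed destination to contradict; those links still deserve the hover check described above.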
Protecting Your Business from Spear Phishing
To reduce the risks of your business becoming the next victim, we suggest adopting a two-tier approach.
Firstly, if you don’t have one already, implement an email security appliance or filtering system, and keep it up to date and patched regularly. If more of these emails are stopped before they reach you, it’s less likely you’ll become the next victim. Also ensure that potentially sensitive information (such as management or key employee email addresses) is not made publicly available.
Secondly, educate your employees about the problem, particularly the personalised nature of spear phishing. Use that opportunity to remind them of email security basics, such as the risks of clicking email links or opening email attachments, and show them how to check for masked URLs or spoofed ‘From’ names.
If you’re still unsure how best to protect yourself and your business from spear phishing attacks, let us help. We can advise on the best course of action and recommend the protection best suited to you.