Threat Intelligence Blog

Posted October 19, 2015


By Greg Ogorek

October is National Cyber Security Awareness month (#CyberAware). In support of this campaign, we’re releasing educational blog post and infographics each week covering different cybersecurity topics. Today’s topic is spear phishing. While you might already be familiar with this topic, we invite you to share this article with friends, family, and colleagues.

Email is a wonderful method of communication. It was how Gen X’ers kept in touch before social networking sites like Facebook gained popularity, and it was once considered to be a fairly safe form of sending communications. At most, the biggest problem you had was receiving an annoying chain email that you had to pass on within 24 hours or risk having bad luck for seven years. Times were simpler before cybercriminals realized the Internet was an easy way to exploit hundreds, thousands, and eventually millions, of people at once.

But times change and so do the threats. I recently wrote a post about the different kinds of phishing scams, including puddle, spear, and whale phishing. I want to go more in depth about spear phishing in particular, as it has become a popular exploitation method for cybercriminals seeking to breach corporate networks without their knowledge.

With any message you receive, whether it is an email or a text, you have to be careful about what you click. When it comes to emails, not only do you have to be careful about links in the email message itself, but you also have to take caution about viewing the message in your email client’s preview pane. Malicious scripts, embedded coding, attached malware hiding in documents, and spoofed zip files pose an incredible threat to your personal information, and if you’re on a computer at work, to your company’s network and proprietary data as well.

Spear phishing targets specific individuals with personalized messages containing information that the victim will find relevant or legitimate. While it’s not always obvious when a message has been compromised, there are a few “classic” scams that should raise immediate red flags, and that you should definitely not click.

  • Don’t click on links in an email from a Russian beauty. Or anyone, for that matter, claiming to have found their “true love of heart” in your non-existent online profile. As fetching as you are, you’ll be lucky if you only end up with malware on your computer. At worst, you’ll get sucked into a dramatic situation that leaves your bank account empty and your email inbox filled with stolen pictures from modeling websites.
  • Don’t click on links in an “urgent” email from your bank. Or any bank. Modern phishing emails have gotten so good at mimicking legitimate emails they can even fool the experienced security professional. If you ever receive a banking email requiring immediate action, play it safe by opening your browser and directly visiting your bank’s website. You can also call your bank using the number on the back of your ATM card to confirm that the email you’ve received is legitimate. 
  • Don’t click on links in an “urgent” email from your Mother-in-Law. Or any relative claiming to need money wired to them immediately. You will most likely already know if a family member who would ask you for money is traveling abroad, so take a moment to think about the request, and who it’s coming from before taking action. If someone you know is stuck in a foreign land without the means of getting home, you should make a few calls to confirm the likelihood of their story being true before clicking on any links or even responding to the email.
  • Don’t click on links or attachments in emails from shipping companies.Or anyone claiming to have invoices or receipts of packages you’ve shipped or are waiting to receive. Instead, visit the shipping company’s website to confirm if there’s an issue with your purchase, or call the shipper directly to see if the email is real.  
  • Don’t click on links or attachments in an email that has anything to do with your taxes.The IRS does not send you private information via email. Messages that claim you owe back taxes or those offering tax-related services are a very common ploy of cybercriminals, and aren’t necessarily limited to tax season.
  • Don’t click on links to unknown online gambling (or similar) sites. Emails claiming to provide great deals or high value gift cards for little to no purchase are typically too good to be true. If it seems questionable, it probably is.

Being safe online means being smart offline. You should always think about these three things before responding to an unverified email, and potentially getting yourself caught in a scam:

  • Think before your click;
  • Ask yourself if it requires your immediate attention; and
  • Verify the request by getting in contact with the sender directly if you’re unsure the message is legitimate or not.

As cybercriminals become more aggressive in their threat tactics, users need to remain vigilant about keeping their information safe. Always be aware of what you share online, and when in doubt, don’t click.

You May Also Be Interested In…

Additional Posts

Cyveillance Weekly Phishing Report – October 19, 2015

  Phishing Report: Top Targets Week of October 11 - October 17, 2015 Author: Robert McDaniel ...

When Good Sites Go Bad: Malvertising and Watering Holes [Infographic]

By Michael Perry and Val Vask With more than three billion people using the Internet every day, ...