Spear phishing is not something you do to catch fish

Cyber criminals use a number of techniques to fool us into doing something we should never do in response to an email, like opening an attachment or clicking on a link, which can then be used to get our credentials, gain access to the information on our computers, plant malware, or do other nefarious things. Two such techniques are phishing and spear phishing. If you learn to recognize them, you’ll go a long way towards practicing good cyber hygiene.

What is phishing and spear phishing?

Phishing is the act of sending a mass email to a non-specific group of people that appears to be from a legitimate or trusted source. These emails are written and formatted in a way that the attacker hopes will fool the receiver in giving up personally or financially sensitive information such as email login credentials or bank account information. Phishing attacks are relatively easy to spot if you know what you’re looking for.

Spear phishing takes phishing to a new level. These emails specifically target individuals or groups based on their personal characteristics, interests or lines of work. They are extremely effective because recipients believe they’re real—they appear credible (they contain company logos or trademarks), the subject line is relevant to them, and the message is pertinent. Because they look so genuine they’re much harder to spot and they trick more people.

So, how can you tell a phishing email from a spear phishing email? Let’s look at an example.

A general phish might be when an attacker impersonates a respected airline and sends a mass email that appears to be a receipt for a fee paid to change your seat on a flight you didn’t book. People get tricked into clicking on links contained in the email because they are trying to figure out what’s going on.

If this were a spear phishing attack, the email would contain additional personal information that the attacker would gather from social media sites. Perhaps you’ve recently taken a trip with that airline. The attacker would be able to address you by your name and reference that flight. Or the attacker would know that you booked the flight with a travel agency and impersonates the agency. In both cases the attacker has gained your trust by leveraging information typically only shared with family or friends. This makes it harder to recognize the email as malicious. The attacker could then leverage this trust by requesting from you personally and financially sensitive information.

How to not fall victim to spear phishing emails

  • Ensure you know the sender of the email. Be cautious if the sender is unknown to you. Even if you’re personally addressed, it may be a spear phishing attack.
  • Ensure the sender’s email address has a valid username and domain name. An example of a suspicious email address from a John Doe would be <%nklo17er@gkmail.com>. If the username and domain name don’t appear valid, even if other parts of the email seem to be legitimate, it may be a spear phishing attack.
  • Ensure the tone of the email is consistent with the sender, i.e. if the tone is more formal than the sender generally is, treat the email as suspicious, even if you know the sender.
  • Do not open any email attachments with the “.exe” extension.  A file with an “.exe.” extension is a Windows program and attackers want you to open up the attachment so they can install malware on your computer.  Delete any emails with attachments that have the “.exe” extension.
  • Not expecting information you’ve received from this sender? If it comes out of the blue, treat it as suspicious. Pick up the phone and call the sender to confirm its legitimacy, and treat the email as a spear phishing attack until you know otherwise.

Looking for help?

If you think you’ve clicked or downloaded something questionable, immediately inform the Service Desk. Security is everybody’s responsibility. For further information, concerns, or to provide comments contact IMITSSecurity@phsa.ca.

Leave a Reply