Warning: Spear Phishing on the Rise
Winxnet Security specialists have recently noticed an alarming increase in the frequency and sophistication of spear phishing attacks. In these attacks the perpetrators use publically available data to target the companies’ financial officers. They send an email to the officer as if from the company’s top management requesting a money transfer. In one of the latest examples the attackers went as far as registering a similarly looking domain name and setting up email services to make the attack more believable.
This increased effort and sophistication is a disturbing trend. However, there are always plenty of red flags that a well-trained and vigilant staff can spot. While this post can’t replace the results a business would see from dedicated awareness training from a security professional, here are some of the common attributes of these social engineering messages to help you identify the signs of this type of attack:
- Any time you read ‘wire money’, stop. It is very likely a scam.
- Urging to transact communication via email.
- Excuses as to why there is no personal contact possible.
- Email address. The phisherman has to get the reply message back, so the “From” or “Reply to:” field will not be a real one. Watch for spelling of the domain name, as sometimes the differences are subtle.
- SUBJECT IN ALL CAPS. The goal of the attacker is to make the message sound more urgent, and, especially if combined with a call to action, is a definite reason to doubt the message validity.
- Bad grammar and excessive use of exclamation points.
- Lack of ‘normal’ look and feel of the internal message (not a reply in a thread, no signature, etc.)
If you notice any of these red flags, consult your IT or security provider.
The best defense is user education, in this case specifically for the staff that handles finances. If any request for money or any other sensitive information comes in, the best way is to contact the sender via other ‘known good’ methods. This can be a phone call, a text message or an email to the person’s email address from your address book (not replying to the incoming message).
Before an organization can create a secure environment, it is important to understand the basic facts. Almost all security issues begin with human error. Computers don’t make mistakes, people do. Business of all sizes need to build their information security program now to help keep employees involved and educated about IT security.
If you feel as though you don’t have a strong understanding of IT Security and how to build an information security program, then it’s time for a conversation with our Managed Security Services team.