Why Targeted Email Attacks Work

Targeted email attacks are increasingly difficult to stop through technology alone; combating them effectively requires both processes and people (via education). Commonly called ‘spear phishing’, and ‘whaling’ when aimed at high-profile targets, these attacks rely at their core on social engineering and on elements of truth drawn from our recent online activities.

So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some will have nothing at all that gives the game away, and instead build a rapport over time. Others rely on shortened hyperlinks, or on attachments such as Adobe PDF files that contain hyperlinks. These may reach out to fake login sites, fake banking sites or any of a whole host of scenarios that the criminals can think of. Well-crafted attachments may look like genuine invoices, refunds, complaints, court summons, etc.

Secondly, if the criminals have phished the credentials of a supplier or client (or worse still, a colleague), everything can look identical to a real email. The sending domain is real and the signature is real (although the telephone numbers may be slightly different in case you call), which leaves nothing whatsoever for most security systems to flag and block. Even if a fake link is present, multiple web address shorteners are often stacked together to hide the true final destination. Other tricks include zip file attachments containing an HTML file that links to a legitimate file-sharing service like OneDrive, which in turn contains another link.
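The stacked-shortener trick described above can be unwound before a user ever clicks. The following is an added example, not code from the original article: it follows a redirect chain hop by hop and reports how many shortener hops hide the final destination. The shortener list, the function names and the redirect data are all constructed assumptions; in practice the lookup would be fed by a sandbox or web proxy rather than a static table.

```python
from urllib.parse import urljoin, urlsplit

# Assumed, illustrative list of URL-shortener hosts; maintain your own in practice.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Constructed redirect data (URL -> Location header), standing in for what a
# sandbox or proxy would record, so the example runs offline.
SAMPLE_REDIRECTS = {
    "https://bit.ly/abc123": "https://tinyurl.com/xyz789",
    "https://tinyurl.com/xyz789": "https://is.gd/q1w2e3",
    "https://is.gd/q1w2e3": "http://login.example.net/portal",
    "https://t.co/loop1": "https://t.co/loop1",
}


def unwind(url, lookup, max_hops=10):
    """Follow redirects via lookup(url) -> next URL or None.

    Returns (chain, truncated); truncated is True on a loop or too many hops.
    """
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:                # no further redirect: final destination
            return chain, False
        nxt = urljoin(chain[-1], nxt)  # a Location header may be relative
        if nxt in seen:                # redirect loop, stop following
            return chain, True
        chain.append(nxt)
        seen.add(nxt)
    return chain, True                 # gave up after max_hops redirects


def assess(url, lookup=SAMPLE_REDIRECTS.get):
    """Summarise a link: where it really ends and how many shorteners hide that."""
    chain, truncated = unwind(url, lookup)
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    shortener_hops = sum(h in SHORTENERS for h in hosts)
    return {
        "final_host": hosts[-1],
        "hops": len(chain) - 1,
        "shortener_hops": shortener_hops,
        "stacked": shortener_hops >= 2,  # two or more shorteners in one chain
        "unresolved": truncated,         # could not reach a final destination
        "downgraded_to_http": chain[0].startswith("https://")
        and chain[-1].startswith("http://"),
    }
```

A mail gateway or triage script can show `final_host` to the recipient and hold messages where `stacked` or `unresolved` is true for review.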

Thirdly, it is important to understand that the criminals can also use text messages, phone calls and social media posts and messages to lend an air of authenticity to their scenarios. If you are targeted, the criminals will probably have a list of communication options for you, as well as for anyone they have phished that you deal with. SMS text messages can be spoofed and will appear in the same grouping as any legitimate ones you have previously received from that mobile phone number. This allows the criminals to prime you to expect the incoming email. Be alert for any messages where you are asked or expected to do something urgently but told not to reply because the sender is ‘boarding a flight’ or ‘going into a board meeting’: if you replied or called, you would get through to the actual person and not the criminals.

So how do you fight back? There is no single solution, but rather a mix of good security practices.

  • Two-step authentication can help stop you getting phished for credentials, as your username and password are not enough to gain access.

While we cannot stop targeted email attacks, we can break the chain of events that makes them so effective. Know what to look for, and treat every email or message that asks you to do something that needs credentials or involves money with a certain amount of suspicion.

IT professional, blogger, author & public speaker on cloud/security issues, with over 20+ years’ corporate experience. More resources at www.booleanlogical.com
