Targeted email attacks are an increasingly difficult problem to stop through technology alone, requiring both processes and people (via education) to effectively combat. Commonly called ‘spear phishing’ and for high profile targets ’whaling’ the core of the attack is via social engineering and elements of truth from our recent online activities.
So why are they so difficult to block? Firstly, many targeted phishing emails do not contain anything immediately malicious. Some will not have anything at all that gives the game away, building a rapport over time. Others rely on shortened hyperlinks and attachments that contain hyperlinks like an Adobe PDF file. These may reach out to fake login sites, fake banking sites or a whole host of scenarios that the criminals can think of. Well-crafted attachments may look like genuine invoices, refunds, complaints, court summons, etc.
Secondly, if the criminals have phished the credentials of a supplier or client, (or worse still, a colleague) everything can look identical to a real email. The sending domain is real, the signature is real (albeit the telephone numbers may be slightly different in case you call) resulting in nothing whatsoever for most security systems to flag and block. Even if a fake link is present, multiple web address shorteners are often stacked together to hide the true final destination. Other tricks include zip file attachments, containing a HTML file to a legitimate file sharing service like OneDrive, which then contain another link.
Thirdly, it is important to understand that the criminals can also use text messages, phone calls and social media posts and messages to create an air of authenticity to their scenarios. If you are targeted, the criminals will probably have a list of communication options for you, as well as anyone they have phished that you deal with. SMS text messages can be spoofed and will appear in the same grouping as any legitimate ones from that mobile phone number you have previously received. This allows the criminals to prime you to expect the incoming email, so be alert for any messages where you are asked or expected do something urgently, but told not to reply because they are ‘boarding a flight, going into a board meeting’ because if you reply or call, you would get through to the actual person and not the criminals.
So how do you fight back? There is no single solution, but rather a mix of good security practices.
- Two-step authentication can help stop you getting phished for credentials, as your username and password is not enough to gain access.
- Robust processes for any electronic payments or changes of bank details needs to be put in place, so that any necessary pre-checks are done to confirm the request is genuine.
- Educate your users about the social engineering and psychological tricks that may be employed against them, together with guidance on how information posted on social media can be utilized by the criminals to create plausible scenarios.
- Legitimate cloud file sharing and collaboration links do not need to go through web address shorteners, so treat them as suspicious. Always check shortened links via a free online service like: http://checkshorturl.com/
- Be wary of small zip file attachments, if they are small, why are they compressed? Especially any that contain a single PDF, hyperlink HTML or any file types you do not recognise.
- Password protected file attachments can be used to bypass security filters, so unless they are part of an established process, be highly suspicious.
While we cannot stop targeted email attacks, we can break the chain of events that makes them so effective, if you know what to look for and treat every email or message that asks you to do something that needs credentials or involves money with a certain amount of suspicion.