How to Avoid Spear Phishing
“Spear phishing” is a targeted email attack against a specific organization designed to get logins and passwords in order to gain access to sensitive data or even financial controls. Here is how it works. The attacker will send out fake emails to everyone in the organization masquerading as someone that the employees would typically trust asking them to send their passwords or to log into a fake site. For example, it could be an email appearing to come from your bank, asking you to login to confirm your account. The email includes a link that goes to a fake bank website designed to look exactly like your banks website.
Another example would be an email appearing to come from the IT department that says:
We just implemented some new security software. We are asking everyone to go to this website (link to bogus site) and login with their username and passwords to activate the software.
The Help Desk
The bogus website is actually created by the attackers and is designed to harvest the passwords of legitimate users. Once they have the usernames and passwords, they can now log into any systems masquerading as legitimate users and “act as that person.” This typically means sending out emails, but it could also access confidential files.
Where this really gets dangerous is when the attackers target two companies that are known to do business with each other. Let’s say Company A is known to be a client of Company B and it would not be strange for Company A to wire transfer money to Company B. The attackers will launch a spear phishing attack on Company B and let’s say they get access to one of the accountant’s email account. Now, they can send an email to Company A like this.
We just set up a new bank account for wire transfers. Please disregard any old wire transfer accounts. From now on, please wire all funds to:
Routing Number: 000000111
Account Number: 01201230
You will notice in this case, the attackers never have to breach Company A. By breaching Company B, the requests for funds and changes in bank accounts all come from a legitimate email account at Company B.
So how do I prevent getting “speared”?
You cannot prevent the attack. It is simply too easy to spoof address and make fake websites. However, you can prevent falling victim to the attack. Here are two simple tricks that serve as armor to prevent being “speared.”
Step 1: Use Two-Factor Authentication
The simplest and most effective way to prevent unauthorized access to your accounts is to use Two-Factor Authentication (2FA). Two-Factor Authentication means using an additional step or method to authenticate yourself in addition to entering your username and password. This could be a special code that you need to enter that changes periodically. The old RSA keys were an early and still used example of 2FA, but with the ubiquitous smart phone, there are now apps like Google Authenticator that do this for you. Other methods of 2FA include sending you a text, calling your cell phone, or asking you to answer a “secret question.”
ECHO recommends setting up 2FA for any systems that are public facing but allow access to internal information including files, email, and databases. Systems that should require 2FA for access include VPN, Webmail (OWA), Citrix, Remote Desktop, etc. Also, you should consider 2FA for access to any external or cloud services that could contain sensitive data such as Dropbox, Salesforce, etc.
ECHO staff are experienced in setting up 2FA solutions for our clients and we can help you armor yourself and your company against spear phishing attacks.
Step 2: Don’t click on links in email
Don’t take shortcut through the mysterious forest, take the tried and true path that you know. When you see an email with a convenient link, don’t use that link. Even if it is legitimate, it is always safer to go to the main website or even call the supposed sender to make sure everything is legitimate. If you get an email from your bank asking you to login and confirm your account, go to the main bank website and login like you normally do. If you really need to confirm your account, there will be a message waiting for you when you login.
The same can be said for unsolicited phone calls. If your bank or credit card company supposedly calls asking for personal information, ask them if you can call back on the number on your bank card or credit card. Part of spear phishing often involves calling as well as emailing to gather information.
Step 3: Communicate
One of the key assumptions that the attackers are counting on is that people don’t communicate. So the key to combating their attack is to communicate and verify. Whenever you have any doubt, make a call and ask for verification. If someone sends you an email saying important information has changed, make a call to the sender to verify it. It takes 60 seconds, but could save your company millions.
If you have any questions about how you can protect you or your company from spear phishing attacks, please contact ECHO today.