Spear phishing – an issue in user education, not IT Support

Everyone knows about email spam, and email viruses and malware. We can implement robust anti-malware/anti-virus systems to mitigate against these in most cases. However, a term you may have heard, ‘phishing’, is not so easy to mitigate.

Phishing is the fraudulent practice of sending emails pretending to be from reputable companies or individuals. The aim is to induce the recipient into revealing personal information such as passwords and credit card numbers. These can be very easy to spot, or hard to spot depending on your concentration levels at the time. What is usually a giveaway, is that these emails are generic in nature as they are sent to hundreds if not thousands of users.

There is an even more dangerous derivative of this practice called ‘spear phishing’. This is a more personalised attack which requires investigating the victim before carefully crafting the email message and can be very difficult to spot. The attacker performs their research on key personnel in the business, email syntax, even down to what the email signatures look like. Finally, the victim is generally only one person. 

A common example is the malicious attackers will impersonate a CEO or other executive level staff member using an email address very similar to the real thing, then send an email to the accounts payable department asking for an invoice to be paid urgently. They prey on the fact that employees are reluctant to question their superiors, especially when it is time sensitive. 

Another example is financial services businesses who receive emails from their 'clients' asking for funds to be transferred from one account to another. Such fraudulent transfer requests coincide with when said clients are travelling overseas. The malicious actor in these cases seems to know the movements of the client and times their requests to appear legitimate. To the person making the transfer, they seem legitimate as the client requires funds while travelling. Social media accounts that are open to the public can reveal sensitive information so beware.

These ‘invoices/transfers’ can be thousands or tens of thousands of dollars, and once a payment is made, it can be very difficult to recover.

Some of our clients have implemented stringent processes around funds transfer. They vary from client to client and circumstances for what works for your business will also vary. They may include:

• Limits on transfer amounts
• Validating such requests face to face or over the phone
• Refusing to accept requests over email

But you're here looking for a technical solution to this issues. Let's be clear – This type of scam cannot be blocked using automated technology. The emails come from a real email address just not THE real email address and are crafted in such a way as to not draw suspicion. This is why they work time and again.

Mitigating this risk is down to business process and user education. Intuitive IT runs workshops where we will give small groups of staff (i.e. finance teams) training on how to spot phishing attempts and other scams specific to their IT systems. These generally run for an hour and cover not only scam identification but also general security best practices, and give staff confidence when dealing with such requests and the emails they've come from.

In saying that, we always recommend any suspicious emails to be queried with IT support, and highly encourage defined business processes when making payments to third parties.