We all know to sidestep the misspelled email from a temporarily insolvent Nigerian prince who needs a little help and the details of our bank account. This type of clumsy email con typically goes out to millions of accounts hoping to trap a few unsuspecting recipients. The thieves sometimes hijack an official-looking corporate logo or use official-sounding language, but a closer look usually reveals clues that something is just not right, such as spelling errors or odd language. Perhaps the most obvious tip-off is that the real sender would never ask a customer for this type of sensitive information via email.
Email fraud has become bolder and more sophisticated than these efforts. Beyond broad-based mass mailings, cyber fraud is now committed by highly sophisticated criminals who research their victims and launch targeted attacks – known as spear phishing – against targets that might include government agencies or major corporations. To give you an idea of the audacity of these criminals, a recent attack began with an email that appeared to be a legitimate inquiry from the Internal Revenue Service. Hackers have also used spear phishing tactics to crack into data files at a leading military contractor.
What characterizes spear phishing is that it is very well camouflaged. It appears to come from a colleague or trusted source and contains a plausible request. It looks authentic and can be very difficult for recipients to detect. In general, spear phishing has several distinct kinds of target – major corporations, government organizations or individuals. Here are some examples.
Fighting Back
Leaders in the security industry admit it is hard to battle this level of sophistication. The industry is always playing catch-up, trying to stanch another leak in the dam. DMARC.org (Domain-based Message Authentication, Reporting and Conformance) – a collaborative anti-phishing effort involving leading social networks and technology and financial services companies – is working to create better authentication systems to protect email domains. In the meantime, we must stay alert and recognize that we are all potential victims no matter how technically smart and business-savvy we are.
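To make concrete how DMARC helps a receiving mail server reject a spoofed message that claims to come from a trusted domain, here is an added example, written for this page and not code from DMARC.org or the original article. It models the receiver's decision: parse the domain owner's published DMARC policy, check whether the SPF or DKIM result aligns with the visible From: domain, and apply the published policy when neither aligns. The DMARC records, domains and authentication results below are constructed sample data; the organizational-domain shortcut (keeping the last two labels instead of consulting the Public Suffix List) is a simplification assumed for the example.

```python
"""Added example: how a receiving mail server applies a published DMARC policy.

Assumptions (not from the article): the DMARC TXT record for the From: domain
has already been fetched from DNS, and SPF and DKIM have already been checked.
All records and message data below are constructed for illustration.
"""

# Constructed sample DMARC records, keyed by From: domain (stands in for a DNS lookup).
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_dmarc_record(record):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict.

    Applies the RFC 7489 defaults adkim=r, aspf=r, pct=100.
    Returns None if the text is not a usable DMARC record.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain by keeping the last two labels.

    Assumption of this example: real implementations consult the Public Suffix
    List, so this shortcut is wrong for suffixes such as 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain. A failed SPF/DKIM result is None."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain,
                      records=SAMPLE_DMARC_RECORDS):
    """Decide what the receiver should do with a message.

    from_domain:      domain of the RFC5322.From header (what the recipient sees)
    spf_pass_domain:  MAIL FROM domain that passed SPF, or None if SPF failed
    dkim_pass_domain: d= domain of a valid DKIM signature, or None if none verified
    Returns "pass", or the domain owner's policy action: "none", "quarantine", "reject".
    """
    record = records.get(from_domain.lower())
    tags = parse_dmarc_record(record) if record else None
    if tags is None:
        return "none"  # no policy published: the receiver falls back to local rules
    if aligned(from_domain, spf_pass_domain, tags["aspf"]) or \
            aligned(from_domain, dkim_pass_domain, tags["adkim"]):
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Legitimate mail from the domain's own relay: SPF passes on a subdomain, relaxed alignment.
    print(dmarc_disposition("example.com", "mail.example.com", None))      # pass
    # Spoofed From: example.com sent via an unrelated server: policy p=reject applies.
    print(dmarc_disposition("example.com", "bulk-sender.example", None))   # reject
    # Spoofed From: example.net, whose owner only monitors (p=none): mail is delivered.
    print(dmarc_disposition("example.net", "bulk-sender.example", None))   # none
```

The contrast between the two spoofed cases is the practical point: a domain that publishes `p=none` receives reports but does not protect its recipients, while `p=quarantine` or `p=reject` lets receivers act on a forged From: address. Note also that DMARC only covers the exact domain the attacker forges; a look-alike domain with its own valid SPF and DKIM will pass, which is why the article's advice to stay alert still applies.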