By Michael Neuman, VP of Information Security, Backstop Solutions Group
The holiday season is wonderful and stressful, happy and hectic, all at the same time. With everyone’s adrenaline pumping to get year-end activities finalized at work and preparations completed at home, the stage is set for one more (unwelcome) holiday surprise … extreme spear phishing.
Spear phishing hackers target specific individuals with carefully crafted emails in an attempt to defraud monies, gain system access, or introduce malware or ransomware. Hackers know that vulnerability is high during the holidays because people are feeling pressure from every side. Additionally, executives may be absent from the office, making them less accessible to approve decisions or transactions. For these reasons, the U.S. Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security, has issued warnings for the past three years to stay alert for phishing and malware campaigns during the holidays.
Extreme Spear Phishing Techniques
Spear phishing is getting ultra-sophisticated. Consider these techniques hackers are currently using:
- The Portrait Ploy. Emails can be made to look legitimate by including not just an accurate signature block, but even a picture of the supposed sender pulled from Microsoft Active Directory or Outlook. With an executive’s or manager’s portrait onscreen, recipients are more likely to respond without questioning the email’s origin.
- The Forwarding Fake-out. The hacker will send an email to an executive who is traveling. In many cases, the harried executive will simply forward the email on with a quick “Please take care of this for me” note. The recipient sees the note from the executive and handles the matter without thinking to verify where the original email came from.
- The Spelling Scam. When you right-click on an email address, it will tell you where the email came from. An email supposedly from a company executive but sporting a Yahoo or Gmail address would raise an immediate red flag. So hackers have upped the ante. Now, the spear phishing email address might show a domain name that is close to the company’s real domain name. For example, instead of email@example.com, it might read firstname.lastname@example.org. People don’t often notice a one-letter difference because they see what they expect to see.
- The Travel Trap. Here, hackers take advantage of executives who are traveling for business. They send an email that looks like a legitimate travel invoice, and request prompt payment. All too often, the fraudulent invoice is paid without question.
- The Rush Ruse. Hackers count on the fact that employees are rushing to close out year-end books, get in the last sales of the quarter, pay outstanding invoices, etc. So they send out emails marked “ASAP” to already overflowing inboxes, knowing that if an email is tagged with urgency, most employees will respond to it automatically.
- The Code Caper. People tend to immediately open documents or click on links that appear to come from a legitimate source. Hackers leverage this in spear phishing by hiding malware or ransomware code in the documents or on spoofed websites. That way, even if the recipient subsequently realizes that the request is not valid, the damage has already been done.
Avoiding the Barbs of Extreme Spear Phishing
To avoid the barbs of extreme spear phishing, be sure to alert your employees – from the C-suite on down – to do the following every day, but especially around the holidays:
- Hone your spidey sense. Beware of emails that are overly vague around billing, shipping, payment, or activity requests. Also be suspicious of requests marked “haste,” “rush,” or “urgent.”
- Take a REALLY good look at email addresses. Right-click on email addresses and read them carefully to determine legitimacy.
- Verify suspect emails out of band. If you get a suspicious email request, don’t reply to it. Instead, pick up the phone and call the apparent sender to verify the request, or send a fresh email directly to the sender.
- Think before you click. Pull back on that trigger finger! Check the email address and consider the request before opening any form of attachment or clicking on any link.
Hackers never take holidays, unfortunately, so you need to be on the alert to ensure that your company is not compromised during this festive time of year. Remember, a happy holiday season is one where there are only good surprises!