Spear Phishing – Practical steps to keep safe

For many years, phishing has been the common practice of criminals tricking an individual into handing over information that can then be used for criminal activity. The latest variation, and one that refuses to go away, is known as "Spear Phishing". The scam works by sending an email which appears to come from an individual or business that you know, but doesn't: it is from a criminal who wants your money, credit card or bank account details, passwords, or any other information which will aid their criminal activity.

Businesses are seeing a rise in this type of email as criminals regard them as a "soft target" because of the way businesses operate. Take a scenario: the finance manager receives an email from the Managing Director asking that a payment be made to a supplier immediately, as they are trying to get things ordered. The finance manager can see that the email is from the MD; although it may not be written in the way they are used to, they have no reason to believe it is not the MD. The finance manager replies asking who to pay, how much, and for the account details. The "MD" replies with the relevant details; the supplier is not one they recognise, but again the email is from the MD, so there is no reason to doubt it, and the payment is made. A month later the finance manager is quizzed about the payment, explains that the MD requested it, and shows the emails. It then comes to light that the emails never came from the MD at all. The money is lost, and because the company's bank account was never compromised and the payment was authorised by the company, the bank is not interested.

So how did this happen? Was the MD's email account hacked? Did they steal his phone, tablet or laptop? In a word, no. Email was never designed to verify who sent a message: with the right software, anyone can send an email whose "From" address is any address they choose, without having any access to that account. So how was the finance manager able to reply without the MD seeing the emails at all? The same software lets the sender set a separate "Reply-To" address in the message, so that when the recipient clicks reply, the response goes to a different address from the one shown in "From". Most email clients display the "From" name and address prominently and tuck "Reply-To" away, so this typically goes unnoticed by the victim, who has no reason to doubt they are talking to the right person.
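As an added illustration that is not part of the original article, here is what those two tricks look like in the raw message headers, and how little it takes to check for them. Both messages, the names and the domains below are constructed for the example; nothing in them is a real address.

```python
"""Spot a spoofed From whose replies are redirected elsewhere.

Added example: parses raw RFC 5322 messages with the standard library and
reports when the Reply-To or Return-Path domain differs from the From domain.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample of a reply-redirecting spoof. The visible From is the
# MD's real address; Reply-To points at a lookalike domain the criminal owns,
# and the envelope sender (Return-Path) is whatever relay they actually used.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
From: "John Smith (MD)" <john.smith@acme.example.com>
Reply-To: "John Smith" <john.smith@acme-payments.example.net>
To: finance@acme.example.com
Subject: Urgent supplier payment
Content-Type: text/plain; charset=utf-8

Can you get this paid today? Reply and I'll send the account details.
"""

# Constructed sample of a genuine internal message for comparison.
LEGIT_MESSAGE = b"""\
Return-Path: <john.smith@acme.example.com>
From: "John Smith (MD)" <john.smith@acme.example.com>
To: finance@acme.example.com
Subject: Supplier payment
Content-Type: text/plain; charset=utf-8

Please pay the usual invoice from our regular supplier.
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header, or None if absent."""
    if header_value is None:
        return None
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_reply_redirect(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the domains all agree."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(msg["From"])
    if from_dom is None:
        return ["missing or unparseable From header"]
    findings = []
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom is not None and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    rp_dom = _domain(msg["Return-Path"])
    if rp_dom is not None and rp_dom != from_dom:
        findings.append(
            f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_reply_redirect(raw) or "no mismatch")
```

A mail filter or a helpdesk script can run this over incoming messages that claim to come from your own domain. It catches the redirect trick described above, but not a criminal who simply registers a lookalike domain and uses it in both From and Reply-To, which is why the phone call recommended later in this article remains the real control.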

Since all of this looks legitimate on the face of it, how can businesses protect themselves? There are some simple steps which will help, such as publishing an SPF record for your domain name. SPF uses a DNS record to declare which mail servers can, and cannot, send email for a particular email domain. If you are not currently using SPF, there are online generators that will create the record for you to add to your domain; if you are unsure how to do this, contact your hosting company or our support team for assistance. A receiving mail system that checks SPF records will then either flag such an email as suspicious or block it. One caveat: SPF is checked against the sender address the sending server gives in the envelope, which a criminal can set to a domain they control, while the "From" address you see in your mail client still says it is the MD. Publishing a DMARC policy alongside SPF tells receiving systems to require that the two agree. There are also software solutions which can help to identify this type of email, but many of these are costly and no single system is 100% effective.
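To make the SPF mechanism concrete, here is an added example (not from the original article, and not a production implementation) of the check a receiving mail server performs: take the IP address of the server that connected to deliver the message, fetch the sending domain's SPF record from DNS, and walk its mechanisms in order until one matches. The DNS records here are constructed and served from a dictionary so the code runs offline; a real implementation queries TXT records and also handles the a, mx, exists, ptr and redirect terms, which this toy reports as permerror.

```python
"""Toy SPF evaluator: does a sending IP pass a domain's published SPF record?"""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# These records and domains are invented for illustration only.
FAKE_DNS_TXT = {
    "acme.example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, resolver=FAKE_DNS_TXT, depth=0):
    """Return one of: pass, fail, softfail, neutral, none, permerror.

    'none' means the domain publishes no SPF record at all; 'permerror'
    means the record uses something this toy does not implement.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-based lookups
        return "permerror"
    record = resolver.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":  # "all" always matches: it is the record's default
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            if spf_check(arg, sender_ip, resolver, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            # a, mx, exists, ptr and redirect=/exp= need live DNS; not implemented
            return "permerror"
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", spf_check("acme.example.com", ip))
```

Note the qualifier on the final all term when you publish your own record: -all tells receivers to reject mail from unlisted servers, whereas ~all (softfail) only asks them to treat it with suspicion, and many receivers will still deliver it. A record that ends in +all lists every server on the internet as permitted and is worse than no record.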

Ultimately, our advice is that any business receiving this type of "internal" payment request by email should contact the person directly, by phone on a number you already know (not one taken from the email), to verify that the request is legitimate. While it is an inconvenience, you don't want to end up like one company that lost $46.7 million to such a fraud.

As always, if you’d like to have a chat then feel free to give us a call to discuss it further.

Rob has worked in the IT industry for over 20 years. Having run an ISP back in the late '90s gave him experience of early internet services and their progression to where they are today. Today he focuses on delivering cost-effective IT services to clients without the need for technical jargon. Outside of work, he can often be found cycling around Derbyshire or spending time with his family.