While nothing new, email phishing attacks continue to be employed by malicious groups around the world as a simple means of spreading viruses, gaining personal details, or posing as other individuals.
These messages are typically known as spam email, and most of us have been conditioned to seldom trust the content of emails that look suspect and come from sources we’re not familiar with.
Spear-phishing looks to circumvent this hesitance to believe email content by instead posing as an individual from within the organisation, typically someone in a higher position, such as a head of department or the CEO.
Information on the organisation chosen for attack can usually be retrieved from public sources, whether it be the company website or even LinkedIn profiles. From there, the company structure and likely email address format can easily be divined. Going further than this, some attackers have been known to perform attacks when CEOs are out of office, making it more believable that the CEO would be emailing and unavailable for a call.
The content of these tailored emails can vary from the usual malicious software or documents to more cautious attacks that simply request payment to a certain party, typically stressing urgency in an attempt to avoid questioning.
Such methods were employed recently in an attack on Turkish financial organisations, as reported by McAfee. Spear-phishing was utilised in order to send malicious Word documents with hidden code that would execute upon opening and install a known virus on the recipient’s system.
In attacks of this kind, having up-to-date anti-virus systems is an absolute must, and such systems are likely how McAfee became aware of the attacks and could ensure similar cases were handled. This type of malicious document was known to the system, and should have been blocked before being able to perform any further actions.
When attackers are solely seeking money transfers, however, these attacks can be harder to detect.
For all intents and purposes, an email from your supervisor asking the accounts department to make payment of an invoice may seem legitimate, but if there’s any shred of doubt you should absolutely confirm it first-hand. This can be by phone call, or by a fresh email to their address, which will circumvent any illegitimate reply addresses from third parties.
While this method of phishing may be harder to detect by automatic email spam detection, the vigilance and training of your users will remain an effective way to stop these attacks in their tracks.
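Some of the signals described above can still be surfaced to users as warnings. The following Python sketch is an added example, not part of the original article: it flags an executive's display name on an external address, a Reply-To domain that differs from the From domain, and urgency wording. The organisation domain, executive name, keyword list and sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values (assumptions, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "today")


def domain_of(address):  # lower-cased domain part, '' if there is none
    return address.rpartition("@")[2].lower() if "@" in address else ""


def bec_warnings(raw_message):
    """Return warning strings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []
    # Display name claims to be an executive but the address is external.
    if from_name.strip().lower() in EXECUTIVES and domain_of(from_addr) != ORG_DOMAIN:
        warnings.append("executive name, external address")
    # Replies would go to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        warnings.append("Reply-To domain differs from From")
    # Urgency wording in subject or body, used to discourage questions.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        warnings.append("urgency wording")
    return warnings

# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@mail-example.test
Subject: Invoice payment needed today

Please pay the attached invoice immediately. I cannot take calls.
"""
EXTERNAL = """From: Jane Doe <jane.doe@freemail.test>
Subject: Quick favour

Are you at your desk?
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 invoice

Attached is the Q3 invoice for review at the next meeting.
"""
```

A warning from a check like this is a prompt to confirm the request first-hand, not a verdict; a payment request with none of these signals can still be fraudulent.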
If you feel you need a review of your environment’s security systems and processes, please get in touch with the Altitude Innovations Team.