Sophisticated Spear Phishing: Customized Phishing Attacks
Our Phishing Intelligence team noticed that sophisticated phishing attacks are more likely to occur these days targeting corporate employees and their contacts in their email addresses. This is commonly known as Spear Phishing is needed.
Basically this type of phishing attack is devised by doing a thorough research on specific targets, and then strategize on how to gain information from them.
These are preparations done by the attackers but not limited to these:
- Gather Intel from public websites.
- Hack into website’s database, then get contacts and information.
- Contact a company’s support hotline and conduct socially engineered conversations to get vital information
- The above three techniques can be combined and then criminals may purchase a domain similar to their target’s brand name.
Now that the preparations are done, socially engineered personalized emails will be crafted and sent to targets.
What is inside the email?
The attack can come in different variations, but two well-known attacks were observed:
- Message has an attachment that infects the computer with data stealing malware by disguising the email as an official business concern.
- Steal credentials by pretending/spoofing to be a high ranking official of the company.
What your employees need to know
We can all agree that employees whether high ranking or entry level must be aware and be well equipped with anti-phishing knowledge.
For those who answer phone calls; they must be trained and informed enough on their scopes and limitations when it comes to divulging information. Setting rules and standards for customer care and receptionist roles will definitely help prevent scam phone calls.
For the rest of the employees, they must watch out for suspicious emails containing subject lines that involves money or asking too much personal information of their coworkers.
Highly sophisticated spear phishing attacks would victimize their target by attracting them talking about their hobbies and interest. Socially an eager person would most likely engage with the unsuspected attacker, your coworkers need to be warned that such sophisticated attacks exist.
Email messages that redirect you to another website should be highly doubted, and instead of clicking a photo URL or a basic URL on the email message it is best to type the known official URL on the browser to avoid phishing sites.
Once your company is under attack by spear phishing, it would be best to educate your employees, however a more effective approach is to have a Phishing Solution in mind to eliminate the attackers and its media on the first sign of threat.