Most people have heard of attacks where some faraway prince promises millions of dollars in exchange for the victim's banking information. These phishing scams have historically relied on a numbers game, sending out thousands of emails in the hope that at least one recipient will fall for them. However, it appears that hackers have begun to favor a more targeted approach: spear phishing.
In this kind of scheme, the cyber criminal learns as much as she can about her target, researching his name, email address and even his place of employment. Once the hacker has all this information, she sends an email that looks like it comes from someone in the victim's life. Perhaps the message is meant to resemble correspondence from the target's boss, or perhaps from an employee of the hospital he visited a few weeks ago. Either way, the criminal uses this research to convince the victim that the sender is who the message claims to be, prompting the target to give up privileged data.
With the amount of personal information the average person puts online, starting a spear phishing campaign is becoming easier every day. What's more, a successful attack can give a hacker even more data about a person, which in turn can be used to ensnare other people in the victim's life.
No sector is safe
The problem with this kind of attack is that it can come from anywhere, at any time. Tidewater Community College in Norfolk, Virginia, learned this the hard way recently when a cyber criminal directed a spear phishing campaign at the school. The problem was discovered when the IRS told multiple workers at the school that their tax returns had already been claimed by another party using their personal information.
The weakness in the current tax return filing system is that all a cyber criminal needs to file a fraudulent claim is a person's Social Security number. This was the case at TCC, where an employee sent personal information to an email account that appeared to belong to someone within the school. As it turned out, the account was controlled by a hacker. TCC believes that 3,000 current and former employees might have been compromised.
Although this was certainly a large breach of information, it pales in comparison to the attack that befell Sprouts Farmers Market. A worker involved in payroll received an email from an account that appeared to be controlled by an executive within the company. This message asked the worker to send over 2015 W-2 documents, which contain quite a lot of information pertaining to employee finances.
Sadly, the payroll worker fell for this, which resulted in 21,000 employees having their tax information leaked. This is obviously a major problem for all the people who now must live in fear of identity theft, but becoming the victim of such an attack can be hard to avoid. Even Snapchat, a company quite literally built on a technological platform, has fallen victim to spear phishing.
The fact that such a business can be hit by this type of attack shows just how dangerous spear phishing can be. All it takes is for the hacker to find enough information about the right target, and the campaign can bypass even the most advanced cyber security systems in the world.
Organizations just aren't ready
The reason that so many organizations across different sectors have been affected by this kind of attack is that current cyber security measures can't do anything to stop human error. In fact, even heads of state have fallen victim to spear phishing. Graham Templeton of ExtremeTech reported that the NSA most likely used this technique to spy on German Chancellor Angela Merkel.
This naivety about these kinds of scams is widespread throughout the business world. A survey conducted by Cloudmark and referenced by Templeton found that 97 percent of organizations had employees fail to recognize a phishing campaign. Thankfully, those emails were sent out as a test, but such a high failure rate shows that a great many people simply don't know how to spot phishing.
That said, there's a lot more than pride on the line here. The Cloudmark study also found that the average financial loss associated with a phishing attack was roughly $1.6 million. That's a substantial amount of money to lose to a simple mistake, especially one that can't be prevented by any current cyber security software.
Don't be baited by phishing
All of this means that employers need to take responsibility for the actions of their employees. If staff members working under the Chancellor of Germany can fall for this kind of scam, anyone can. As such, administrators need to focus on employee education.
Regardless of industry or department, workers need to know what is expected of them in terms of personal cyber security. This means double- and triple-checking the email addresses they are sending private company data to, and talking with a supervisor whenever an unfamiliar account requests information it would not otherwise need.
What's more, employees should also be careful about what kind of personal data they post online. This doesn't mean workers shouldn't discuss their families on social media. Rather, they should realize that just because an email's sender knows their daughter's name doesn't mean the message is from a legitimate source. It's important to remember just how much a hacker can learn about a target through social media and other online information, and to remain vigilant accordingly.
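The address checks the article asks employees to make before sending out sensitive data can be partly automated on the defender's side. What follows is an added example, not code from the original article or from any of the organizations it mentions: it takes a message's From and Reply-To headers and flags the three patterns the incidents above share, namely a sender outside the organization, a lookalike domain that differs from the real one by a character or two, and a display name that belongs to a known colleague but sits on a different address. The trusted domain, the directory entry and the sample messages are constructed placeholders.

```python
"""Sender-address sanity checks for requests that ask for sensitive data.

Added example, not part of the original article. Every domain, name and
message below is constructed for illustration; 'example-college.edu' stands
in for an organization's real mail domain.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed: the organization's own mail domains (constructed placeholder).
TRUSTED_DOMAINS = {"example-college.edu"}

# Assumed: people allowed to request payroll data, keyed by lower-cased
# display name. Constructed for the example.
DIRECTORY = {
    "pat rivera": "pat.rivera@example-college.edu",
}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_lookalike(domain: str, trusted: set, threshold: float = 0.8) -> bool:
    """True when `domain` resembles, but does not equal, a trusted domain.

    A similarity ratio near 1.0 means only a character or two differ (a swapped
    letter, an extra hyphen), which is the usual shape of a lookalike domain.
    """
    return any(
        domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold
        for t in trusted
    )


def check_request(headers: dict) -> list:
    """Return warnings for a message that requests sensitive data.

    `headers` maps header names to values (From, Reply-To, Subject). An empty
    list means the address-level checks passed; it does not prove the request
    is legitimate, only that nothing obvious is wrong with the addresses.
    """
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)

    if not from_dom:
        warnings.append("From header has no usable address")
        return warnings

    # Check 1: is the sender even inside the organization?
    if from_dom not in TRUSTED_DOMAINS:
        if _is_lookalike(from_dom, TRUSTED_DOMAINS):
            warnings.append(f"sender domain '{from_dom}' looks like a trusted domain but is not")
        else:
            warnings.append(f"sender domain '{from_dom}' is external")

    # Check 2: display name of a known colleague on an address that is not theirs.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        warnings.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # Check 3: a Reply-To elsewhere routes the reply (and the data) to a third party.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        warnings.append(f"Reply-To '{reply_addr}' does not match the From domain")

    return warnings


# Constructed sample messages: one legitimate, two suspicious.
SAMPLES = {
    "legit": {
        "From": "Pat Rivera <pat.rivera@example-college.edu>",
        "Subject": "Updated benefits form",
    },
    "lookalike": {
        "From": "Pat Rivera <pat.rivera@example-colleqe.edu>",
        "Subject": "Need all 2015 W-2s today",
    },
    "reply_to_swap": {
        "From": "Pat Rivera <pat.rivera@example-college.edu>",
        "Reply-To": "payroll-requests@mail-forward.example.net",
        "Subject": "Please send W-2 PDFs",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", check_request(hdrs) or ["no address-level warnings"])
```

A passing result is a prompt to proceed with the supervisor conversation the article recommends, not a substitute for it: a genuinely compromised internal mailbox passes all three checks, which is why the function reports warnings rather than a verdict.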