Tactics and Examples of Spear-phishing Attacks

Here we have another coronavirus email. This one is an urgent message from your management with a dire warning that you will be deleted from the company database, whatever that means, if you don’t click the link. Notice they are harvesting your credentials when you click this link. This is a new sneaky tactic showing what the attacker might do with those email credentials they just harvested from you. The first step is to use some phishing scheme to obtain your email credentials as in the previous example. Once the attacker has those, they can gain access to your email account.

The next thing they do is set one or more rules in your email settings to auto forward every incoming email to them, or if they’re especially sneaky they will auto forward emails with specific keywords so you don’t become suspicious that you are suddenly not receiving any email. In the third step, they monitor your email activity looking for a financial transaction. Then they use business email compromise tactics to insert false wiring instructions to your financial institution or to you. This is especially cunning because there is no visible evidence of surveillance. And the bad actor can continue to remotely monitor your account even if you change your password, because the email rule doesn’t change.

This is a spear-phishing example received by my husband right after we had purchased a house, and even though he’s a brilliant engineer, he almost fell for this. He was actually expecting to receive closing documents from our title company. But he realized that this was not the name of our closing agent, and obviously once he looked at it more closely it was clear the email address is also suspicious. This was a pretty sophisticated spear-phishing attack, because the attacker knew we had recently purchased a house. An even more insidious form of title company fraud has recently become prevalent.

In this attack the email claims to be from your title company and directs the buyer to wire their down payment to a different account. Since wire transfers are nearly instant, many people have irretrievably lost large sums of money to this attack. This is a recent attack specifically against Bank of America customers, it was able to avoid a company’s spam filter, which will trigger on a large volume of email from the same sender, because it was only targeted to a few people within the organization. It passed through security checks that verified the sender, because it came from the domain it claimed to as its origin, a personal Yahoo account.

The email had a valid SSL certificate that had not yet been flagged as malicious. Although it was flagged quickly, it wasn’t caught before it could do its dirty work. It actually seemed more credible, because it asked victims to update their email address, enter their credentials, and answer security questions. And in doing that, it also harvested even more information than a typical phishing attack does. What can you do to avoid spear-phishing attacks? Be aware of the many red flags that I discussed. Carefully examine the address of the sender if it’s someone you think you know.

For URLs that are just slightly incorrect be suspicious of a message sent during a time you wouldn’t expect, for example, an email from a work colleague coming outside working hours. Pay attention to what the sender’s motivation is if the subject conveys urgency or threats or simply intriguing. Watch for spelling and grammar errors or word choices that would be unusual from the purported sender. Be suspicious of demanding, threatening, or urgent language. And as always, don’t click the links or attachments unless you’re expecting to receive them. In conclusion, you have learned what spear-phishing is and that everyone is at risk for spear-phishing.

We discussed many red flags and warning signs of a spear-phishing attack and went over several examples of both phishing and spear-phishing and what you can do to protect yourself and your organization from an attack. In the next video, we’ll discuss whaling, a special type of phishing that targets bigger fish. I’ll see you there.