Phishing is defined as the act of sending email that falsely claims to be from a legitimate organization with the intent on gaining information. A phishing campaign is typically generic in nature and is used to target multiple organizations across many different industries. The term "phishing" derives from the underlying metaphor, comparing the act to that of fishing. Standard phishing is like fishing with a large net. You are not targeting a specific fish, you are just throwing out your net in an attempt to catch something worthwhile.
A spear-phishing attack involves the targeting of a specific industry, company, or possibly even individual. Spear-phishing requires the attacker to have some knowledge about their target. This knowledge is gleaned from previous reconnaissance. Names and email addresses of executives can be pulled from the bank's informational website. Specific information about the bank's upcoming events can often be found via social media sites, whether it be the bank's social media site or personal social media sites of a bank employee. Once the attacker is armed with such information, they are able to craft an email specifically for their target.
Here are a few examples of spear-phishing that have recently been spotted in the wild:
- Emails that explain recent upgrades to a website that is frequently used by personnel requesting the user enter their credentials to verify the upgrade was successful. Once the user enters their credentials they are often told that everything is working correctly.
- Emails appearing to come from a bank's multifunction printers that contain a malicious attachment.
- Emails appearing to come from regulators or other familiar entities with encrypted attachments. These emails contain the encryption key in the body of the text and encourage the user to not share the key with anyone for security reasons.
- Order confirmation emails containing links to websites that contain malicious software. Often these links are masked, appearing to connect to a legitimate site but actually connecting to the malicious site.
Spear-phishing attacks can oftentimes be directed at a bank's customers. In fact, it is probably easier for an attacker to target a bank's customers. The customers' email addresses can be acquired by looking at who has a connection with the bank's social media site. Emails can be easily crafted to look like they come from the bank by using the bank's logo and personnel information pulled from the bank's informational website. To make things worse, customers do not attend periodic security awareness training like bank personnel, so they may not be aware of these types of attacks.
All of this leads to the question of how to best protect ourselves and our customers from these types of attacks. As with all mitigation strategies, a multi-layered approach needs to be taken.
- Implement proper technical restrictions and email security.
- Ensure antivirus software is up-to-date.
- Review and update spam filtering rules as new threats are discovered.
- Configure Internet content filtering to only allow access to websites required for business.
- Ensure operating system and application patches are installed in a timely fashion. The majority of these attacks target known vulnerabilities in popular software.
- Remove any unnecessary names or contact information from the bank's website.
- Technical restrictions are not 100% effective. Therefore, the most important layer to mitigating this threat is an effective security awareness program.
- Train users to avoid following links that are sent from unknown sources or any source that requests account or confidential information.
- Ensure new and existing customers are aware that the bank will never ask for online credentials via email.
- Provide basic online privacy and security awareness training materials to customers via the bank's website.