Spearphishing, not as fun as you think it is!
September 18, 2018
Spear phishing is targeted email aimed at specific groups. It uses the vernacular, typical messages, and hectic work pace of those groups to steal logon information, money, and confidential business information. In spear phishing, the scammers craft an email that is directly targeted to the audience they want to exploit.
The audience might be an office responsible for payment, purchase orders, banking, or payroll. The audience may be company or university leadership or the second level of an organization. In both cases, the scammers are typically pretending to be the leader of the organization or another person who normally expects and elicits very quick responses. The scammer will ask for funds transfers to an external bank account, payment to a vendor or associate of the university, or purchase of easily negotiable devices that can be cashed in quickly. The scammer will tend to make the email short and to the point, and emulate the expected style of the organization’s leader. The email may say, “I need you to transfer funds. Email me for details.”
Given that we often get legitimate emails from our bosses and colleagues that look and read just like the examples above, how are we to protect ourselves? There are several possibilities that will help. For any process that involves a request for funds, purchases, or funds transfers, add a verification or validation step to the process. For example, keep a list of authorized requestors and their contact information. Instead of replying to the email that was sent, start a new email addressed to the authorized requestor, using the contact information on your list, and send them a validation request. It can be as simple as, “Did you make this request for a funds transfer?” Additionally, you may institute a process that requires phone or in-person confirmation from the requestor or their assistant.
If you have any questions or would like to discuss any of the issues around phishing or other security issues, please call your friendly neighborhood security people at 942-2333. You can also email us at firstname.lastname@example.org. We also have a nice web site (thank you web team!) at http://angelo.edu/security.