We all know to sidestep the misspelled email from a temporarily insolvent Nigerian prince who needs a little help and the details of our bank account. This type of clumsy email con typically goes out to millions of accounts hoping to trap a few unsuspecting recipients. The thieves sometimes hijack an official-looking corporate logo or use official-sounding language, but a closer look usually reveals clues that something is just not right, such as spelling errors or odd language. Perhaps the most obvious tip-off is that the real sender would never ask a customer for this type of sensitive information via email.
Email fraud has become bolder and more sophisticated than these efforts. Beyond broad-based mass mailings, cyber fraud is now being committed by highly sophisticated criminals who use research to launch targeted cyber attacks, also known as spear phishing, against targets that might include government agencies or major corporations. To give you an idea of the audacity of these criminals, a recent attack began with an email that appeared to be a legitimate inquiry from the Internal Revenue Service. Hackers have also used spear phishing tactics to crack into data files at a leading military contractor.
What characterizes spear phishing is that it is very well camouflaged. It appears to come from a colleague or trusted source and contains a plausible request. It looks authentic and can be very difficult for recipients to detect. In general, spear phishing has several distinct targets – major corporations, government organizations or individuals. Here are some examples.
- Phishing messages to individuals will generally have some element of urgency – perhaps asking a recipient to handle a billing problem or an overdraft. Many of us pay our bills online, and although we would be suspicious of an email asking us to resend credit card or bank account data, we might click on a link to fix a billing mix-up involving our address. In doing so, we might be giving crooks the means to download malware that will relay passwords and other confidential information at a later date.
- Sometimes, cyber-criminals target individuals using fake Gmail login screens, hoping to find work emails that will enable them to enter a corporate email system. Targeting an individual who can provide entry into a much larger and more lucrative organization is known as whaling.
- Cyber thieves will assume just about any identity to get the access they want. They create credible-looking websites and communications purporting to be from respected organizations, ranging from leading banks and social networks to major government agencies including the IRS and the FBI. The goal is always the same – to rob businesses and individuals. Some of the scams pretending to be the IRS are amongst the nastiest. Timed to hit after filing deadlines, the scammers email victims – often small businesses and self-employed people – and advise them that their tax payments did not go through. Using the scare factor of the IRS name, these fraudsters have been quite successful despite the fact that the IRS never uses email to initiate contact and warns taxpayers on its website specifically about such scams.
Leaders in the security industry admit it is hard to battle this level of sophistication. The industry is always playing catch-up, trying to stanch another leak in the dam. DMARC.org (Domain-Based Message Authentication, Reporting and Conformance) – a collaborative anti-phishing effort involving leading social networks and technology and financial services companies – is working to create better authentication systems to protect email domains. In the meantime, we must stay alert and recognize that we are all potential victims no matter how technically smart and business-savvy we are.