'Spear phishing' is especially hard to detect
Plenty of folks think they could never be outsmarted by a hacker; plenty of them are wrong. In fact, perhaps 97% are wrong.
Two new studies make this point, and show the devastating consequences of being wrong.
Security firm McAfee has created a tool that lets consumers test their ability to distinguish between real emails and fake “phishing” emails designed to steal their personal information. So far, consumers have failed the test — miserably.
In a report released earlier this month, McAfee said that of the 19,000 plus visitors from more than 140 countries, only 3% of test-takers identified every email correctly.
Even worse, four out of five thought at least one phishing email was real.
“The worldwide average score was 65.4%, which means test takers missed one in four phishing emails on average,” McAfee said.
Those results are dismal. It costs criminals almost nothing to send phishing emails, and this study suggests that they only need to get four of them into a potential victim’s inbox in order to pull off a caper.
That’s bad enough, but traditional phishing attacks are little more than vaguely targeted spam — a fake Bank of America email sent to a million people in the hope than 25,000 are actually Bank of America customers. The really insidious, and increasingly successful, crime is known as “spear phishing.” Rather than send out a million fake messages, spear phishers send out only a handful — or even only one — at a time. These emails are meticulously designed to trick the recipient. A common tactic: A booby-trapped email sent to an important person’s administrative assistant with a realistic-sounding urgent message, such as “Traveling: Please review this document immediately.”
Spear phishing is blamed for some of the most high-profile hack attacks ever. A report released earlier this month by the InfoSec Institute blamed spear phishing for the Target and Sony attacks, and cyberattacks operated by the Syrian Electronic Army and others. The group Citizen Lab provided evidence last year that the Islamic State in Iraq and Syria (ISIS) had used spear phishing attacks against a group attempting to document human rights abuses in an effort to unmask its members’ location.
“Thank you for your efforts to deliver a true picture of the reality of life in Raqqah,” reads a translation of part of the email, Citizen Lab claims. “We are preparing a lengthy news report on the realities of life in Raqqah. We are sharing some information with you with the hope that you will correct it in case it contains errors. …We also hope that if you happen to be on Facebook, you could provide us with the account of the person responsible for the campaign.”
A recipient who clicked on the attachment in the email was infected with software that attempted to transmit the victim’s location to the sender, Citizen Lab says.
It should be no surprise that phishing emails have also been used to attack workers at America’s critical infrastructure plants and other crucial systems.
“Spear phishing represents a serious threat for every industry, and the possibility that a group of terrorists will use this technique is concrete,’ the InfoSec report concludes.
The best defense against phishing and spear phishing is humility. Yes, you can fall for a well-crafted trick email. It only takes one moment of weakness, one click when you are distracted by something seemingly more important, to make a critical lapse in judgment that can ruin your whole day, or much worse. Your best defense: Be skeptical of every email, even those that appear to be sent by friends or co-workers. If you have any feelings of doubt, don’t click — call.
McAfee offers these additional tips:
- Keep an eye out for telltale signs. Bad grammar, bad syntax, suspicious senders and links to misspelled URL addresses are all telltale signs of phishing.
- Also watch for emails from unknown senders or ones asking you for personal information, especially if it’s in a threatening manner.
You may not always know that your information has been compromised until the damage has already been done. However, regularly checking your account statements, credit reports and credit scores for signs of fraudulent transactions and new accounts can help you spot many problems before they become even bigger.