Spear-phishing is a method of stealing confidential information by sending fraudulent messages to a victim through email, SMS, social media, instant messenger, or a phone call. Since the pandemic’s outbreak, the Australian Government’s SCAMWATCH has received over 3,060 coronavirus-themed fraud reports with over $1,371,000 in reported losses.
Phishing is a type of online scam in which the scammer targets hundreds, sometimes thousands, of individuals. In contrast, spear phishing is highly targeted at one individual or a small number of high-value victims, and the scammer pretends to know you personally. This method uses information tied to you or your company, gathered from research on social media: email addresses and links that look very close to those of a colleague or business partner, and partner logos, are often used to make the message look authentic. The goal is typically to gain access to a system by gathering your credentials, or to install malware on your computer. It could be a fake automated phone call or text message pretending to be from your bank, stating that your bank account may have been breached. Or you might get a message that appears to come from your own company’s IT help desk, asking you to click on a link and change your password because of a new company policy, in order to trick you into handing over your personal information.
Criminals often use a technique called ‘social engineering’ to make spear phishing succeed: they invest time, effort and money in researching targets to learn names, titles, responsibilities and any other personal information they can find. Social engineering is a way of manipulating people into taking an action by creating very realistic ‘bait’ messages. Social media provides rich information about events, conferences and travel destinations that can be used to make an approach seem real and accurate. So consider what personal information you share online and learn how to use social media safely. See the Australian Cyber Security Centre’s guidance on socialising online safely.
Examples of Spear Phishing
In a report published in 2016, a Russian-language cybercrime group known as Buhtrap was found to have attacked 13 Russian banks using malware that gained access to their gateway to the central bank. According to the Moscow-based cybersecurity company Group-IB, “from August 2015 to February 2016, Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 million)”.
The gang’s activity was reportedly first seen in 2014, when it set its sights on Russian bank customers; from August 2015 it was observed targeting the financial institutions themselves. The group used spear-phishing emails with malware-laced Word documents attached; opening the document installed a backdoor that allowed the attackers to log keystrokes, spy on the victim’s screen, steal data, and download other malware …. Read the full article here.
Other common Spear Phishing scam examples
Here are some general scenarios you might come across in daily life. They all use information that could be gleaned from social media posts, especially if you often share details about where you shop, eat, bank, etc. The cybercriminal could send you an email that appears to come from an online store you recently purchased from. It might include a link to a login page where the scammer simply collects your credentials.
In another example, the cybercriminal could send an email stating that your account has been deactivated or is about to expire and that you need to click a link and provide your credentials. Cases involving Apple and Netflix were recent sophisticated examples of this type of spear phishing. In yet another, the scammer could send you an email requesting donations to a religious group or charity associated with something in your personal life. When you think about how much information can be found on social media, it’s easy to see how someone could quickly earn your trust simply by stating a common interest or posing as a company you have a history with.
How can I avoid it?
There are several ways to avoid spear phishing attacks and protect your personal information from cybercriminals. The best approach is to understand the primary methods that cybercriminals use. Here are best practices users should consider to protect against these attacks:
The most popular phishing channel is email, so when opening an email it is important to know the basic signs of phishing fraud:
- Look at the “from” field: is the person’s or business’s name spelled correctly, and does the email address match the name of the sender?
- If the sender asks for your personal information, play it safe and assume it is a phishing attack.
- If you think the email may be a fraud, phone the company to verify whether it is an official email.
- If you accidentally click on a link, make sure you never enter your personal information into the website that is displayed.
- If a suspect email has an attachment, do not open or download it, as it could be malware.
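The first checklist item above (does the address match the sender?) can be automated. The following is an added example, not code from the original article: it parses a raw From: header and flags three tell-tales of a spoofed sender: a display name that shows one address while the real address is another, a domain that is one or two characters off from a domain you trust, and a display name that borrows a trusted brand while the domain is not that brand’s. The trusted domains and sample headers are constructed placeholders.

```python
import re

# Domains the reader already does business with; constructed placeholders for this example.
TRUSTED_DOMAINS = {"example-bank.com", "example-store.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits is the typical lookalike (examp1e-bank, exampel-bank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from(header: str):
    """Split a From: value into (display name, address); handles 'Name <addr>' and bare 'addr'."""
    m = re.match(r"^\s*(.*?)\s*<([^>]+)>\s*$", header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def check_from_header(header: str) -> list:
    """Return a list of warnings; an empty list means none of the three signs were seen."""
    name, addr = split_from(header)
    if "@" not in addr:
        return ["no usable address in From header"]
    domain = addr.rsplit("@", 1)[1].lower()
    warnings = []
    # Sign 1: the display name contains an address whose domain differs from the real one.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != domain:
        warnings.append(f"display name claims {m.group(1)} but mail comes from {domain}")
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # Sign 2: the sending domain is a near-miss of a trusted domain.
            if levenshtein(domain, trusted) <= 2:
                warnings.append(f"{domain} is a lookalike of {trusted}")
            # Sign 3: the display name uses a trusted brand name, but the domain is not that brand's.
            brand = trusted.split(".")[0].replace("-", " ")
            if brand in name.lower().replace("-", " "):
                warnings.append(f"display name uses '{brand}' but domain is {domain}")
    return warnings


if __name__ == "__main__":
    for h in ["Example Bank Support <alerts@example-bank.com>",
              "Example Bank <alerts@examp1e-bank.com>",
              "alerts@example-bank.com <mail@free-mail.example>"]:
        print(h, "->", check_from_header(h) or "looks consistent")
```

A mail filter would run the same checks against every inbound header and quarantine or tag anything that produces a warning for a human to verify by phone, as the checklist advises.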
Social media phishing attacks are becoming more common as the number of online users increases. Social networking sites give cybercriminals an added advantage, as people tend to trust each other’s posts and messages more than they used to. Furthermore, many social networking sites have instant messenger capabilities, which compounds the problem: a phishing attack is harder to identify over instant messenger than it would be in an email. To be safe, only open links that you can corroborate with the sender.
For more information about the Stay Smart Online program, visit the Australian Cyber Security Centre.