Spear phishers are zeroing in on small businesses just like yours, and they’re becoming more and more convincing.
Unlike ordinary phishing emails where an attacker sends an email to a long list of addresses purchased on the Dark Web, spear phishing is targeted. That means attackers focus on specific companies, and usually specific people within each company. They browse company websites to gather employee names, titles and contact information. They check who you’re associated with on LinkedIn and other social media sites. If they find a document on your company letterhead, or just your logo, they might use it as part of the scam, convincing someone in your company that you and the attacker have an existing business relationship.
It’s hard to stay ahead of the attackers. According to Symantec, the average email user received up to 16 malicious emails per month in 2017. Wombat Security Technologies’ 2018 State of the Phish report indicates 53% of organizations experienced an increase in spear phishing attacks in 2017.
The point of spear phishing, just like ordinary phishing, is to infect computers with malware that steals banking and credit account credentials. Although spear phishers frequently focus on owners, managers and accounting staff, anyone in a company can become a target.
A New Twist Aimed at Food-Related Businesses
Over the last year or so, scammers have hit restaurants, bars, caterers, bakeries and other food-related businesses with a sophisticated spear phishing attack combined with a phone call.
Here’s how it works. The attacker sends a spear phishing email with a malicious attachment, which is usually a Microsoft Word document, that appears to be a menu or list of requirements for an upcoming event and asks for a quote. (In another version of this attack, the email threatens the business with a lawsuit after someone got sick eating the company’s food.)
To increase the chances that you’ll open the attachment, the attacker follows up with a phone call if you haven’t responded. They might say “I need a quick quote for my event – just a ballpark estimate. I sent you an email this morning but haven’t heard back. Can you get to it this afternoon?” Foreign scammers often hire people with American accents and a professional tone to make the calls, creating a false sense of security for some businesses.
Opening the attachment installs malware (a Trojan horse) on the computer. The malware logs your keystrokes over time, capturing account numbers, usernames and passwords, and sends them to the attacker without you ever noticing. If the computer is connected to a network, other computers and point-of-sale systems are at risk as well.
I Have to Open Attachments. It’s My Job!
These types of spear phishing attacks are a major challenge for people whose job requires them to respond to requests for information and provide quotes. How do you safely check email and attachments?
Here are some of the most effective ways to prevent these types of spear phishing attacks from being successful:
- Go with your instincts. If the email itself or the domain name (the part that follows the @ sign in the email address) looks suspicious, don’t open any attachments or click any links. If you get a follow-up call, ask the caller to fax a business license, permit or registration, and verify the company independently before responding.
- Use two-factor authentication, also called two-step verification, to access email and other business-related accounts. See my post on that topic for more information.
- Keep your computer operating system, applications and anti-malware software up to date.
- Disable Microsoft Office macros by default. This can be inconvenient for people who rely on macros, but it’s a great way to avoid infection from a phishing email carrying an Office document that was built around a malicious macro.
- Use Google Docs or another cloud service to open suspicious email attachments, from a device that doesn’t run a desktop operating system.
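One way to put the first and fourth items into practice on the receiving side, as an added example that is not code from the original post: a small Python triage script that reads a raw email, flags a Reply-To domain that differs from the sender's domain, and inspects Office attachments for an embedded VBA macro project. The sample “menu for a quote” message and the tiny .docm it carries are constructed here for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

VBA_MEMBER = "word/vbaProject.bin"  # zip member present only when a Word file embeds VBA macros
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}  # legacy / macro-enabled formats

def sender_domain(header):
    """Return the part after the @ sign of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header or "")
    return addr.rpartition("@")[2].lower()

def has_vba_project(data):
    """True if the bytes are an Office Open XML zip that contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return VBA_MEMBER in zf.namelist()
    except zipfile.BadZipFile:
        return False  # legacy binary .doc, or not a zip at all

def triage(raw):
    """Return a list of warning strings for one raw RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = sender_domain(msg["From"]), sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} uses a macro-capable Office format")
        if has_vba_project(part.get_payload(decode=True) or b""):
            findings.append(f"attachment {name} contains a VBA macro project")
    return findings

def build_sample():
    """Constructed sample: an 'event menu, please quote' email with a minimal macro-enabled .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(VBA_MEMBER, b"\x00")  # stand-in for a real VBA project stream
    msg = EmailMessage()
    msg["From"] = "Event Planner <events@example.com>"
    msg["Reply-To"] = "events@example.net"  # constructed mismatch, the kind a lookalike domain produces
    msg.set_content("Menu attached, please send a ballpark estimate this afternoon.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="Event_Menu.docm")
    return msg.as_bytes()
```

Run `triage(build_sample())` on the constructed message and all three warnings fire; a plain text message with no Reply-To and no attachment returns an empty list.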
To help shut down spear phishers, the Federal Trade Commission (FTC) recommends forwarding suspected phishing emails to firstname.lastname@example.org. If the scammer impersonated a legitimate business in the email, send that business a copy for their information (without the attachment).
The scammers will continue getting better, sending even more convincing messages, in a way that fools even the most skeptical email users. Stay on top of phishing news by watching this blog site and getting alerts from the FTC.