I was recently interviewed for a BBC radio programme on social engineering and, in particular, spear phishing emails. The aim of the show was to explore how common spear phishing emails are, how easy it is to be taken in by them and what people can do to better protect themselves.
Spear phishing has risen phenomenally – in scale and sophistication – in the last year or so, and will continue to do so. Criminal gangs are increasingly using spear phishing as a tool to make money because it is cheap to run, needs little technical skill and pays extremely well for the effort involved.
The targets: organisations and individuals
CEO Fraud is one form of spear phishing which has become a much greater problem in the last year or so. Companies of all sizes, in all sectors and in all countries are being targeted. In the last few months alone I’ve heard from and worked with big corporations, SMEs and charities (very sad face) in the UK and across Europe who have been targeted by sophisticated spear phishing campaigns. Some have identified these emails as they received them and are taking steps to mitigate their risks. Others have been scammed and lost huge amounts of money, often only realising it has happened by chance. I’m sure even more have been victimised and lost money without yet knowing it.
Of course, it’s not just corporations that are being targeted by criminals: individuals are also losing money at the hands of very similar frauds. Just yesterday I received an email from somebody seeking help on behalf of a friend. This person has been scammed out of hundreds of thousands of pounds, having made a wire transfer on the strength of an email that purported to come from their solicitors. It seems very clear to me, from what I’ve been told of this case, that email compromise has taken place somewhere – most likely at the solicitors. Law firms are an obvious and lucrative target: criminals exploit their position of trust and their role as an exchange point for vast quantities of funds. The victim has reported the case to the police but to no avail, which is sadly no surprise given that the police are massively under-resourced when it comes to responding to the scale of cyber crime, as I discuss here. I’m using this case as an example to show how frustrating and sad the consequences of spear phishing often are. The victim can lose life-changing sums of money with little chance of retrieving it (it has usually been transferred to another country by the time the fraud is identified) and nowhere to turn for help and support. The economic and emotional consequences can be devastating.
The victim is not ‘stupid’
Spear phishing emails work for a number of reasons:
Firstly, the ‘best’ ones are very convincing. The language will be sophisticated and professional, and the appearance – branding etc. – looks like the real deal. The ‘from’ address is no safer a guide: it may be a lookalike of the authentic address; it may appear to be the authentic address because the header has been spoofed; or it may genuinely be the authentic address because the sender’s own account has been compromised.
Secondly, the emails may contain information that is relevant to your current circumstances, your personal life or your future plans. It may relate to transactions you are in the process of organising, as in the example I mention above. This information can be gathered by email compromise or by harvesting your digital footprint, for example via social media.
Finally, spear phishing is so successful because it is about psychological manipulation. Attackers take advantage of emotions such as stress, worry, desire, greed, loneliness and pride, and often target us at times when we are most busy. They capitalise on ‘hot states’, as I discuss in this article for Tripwire.
As Stephen Bonner recently noted on Twitter, spear phishing highlights fundamental problems with our current global email system. This imposes a great cost on organisations, companies and individuals. There is much discussion about the likely death of email (please please please) but until that day, and no doubt with regard to whatever replaces it, we need to better educate everyone who exchanges information online about the dangers and what they can do to better protect themselves.
So, what can people do to better-protect themselves?
For me, the answer is not a set of top tips. There are things people can do, like looking at the language used in the email, checking the ‘from’ address, checking the URL behind any links, etc., but as I outline above, the most convincing spear phishing emails will not be easily identified by following this advice. In those cases, being reassured by professional language and an apparently authentic ‘from’ address will instil a false sense of security. The best thing to do is to check with the person or organisation who supposedly sent the email whether they in fact did so, by another means of communication (that is, not over email). If the CEO of your company emails you asking you to make a wire transfer as a matter of urgency and to keep this information to yourself, you need to pick up the phone and get hold of the CEO. If you’re thinking ‘I could never call the CEO of my company’ then you definitely need to make that call before you even consider making the transfer. If s/he won’t take a call from you, why would they ask you to make a secret transfer of funds? Likewise, if your law firm sends you wire transfer details by email, call them on the phone number you usually use to speak with them, and check that the email came from them and that the details are correct.
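The mechanical checks mentioned above (the ‘from’ address, the URL behind a link, the pressure language) can at least be scripted, so that the obvious cases are caught before anyone reads the email. What follows is an added example written for this page, not code from the original post: it assumes a single trusted domain (example.com) and a constructed CEO-fraud style message, and it flags a lookalike sender domain, a Reply-To that points somewhere else, a link whose host merely embeds the trusted name, and urgency or secrecy wording. As the paragraph says, a clean result proves nothing: a spoofed header or a compromised account passes every one of these checks, which is why the phone call still matters.

```python
"""Mechanical sender and link checks for a suspicious email.

Added example, not from the original post. It assumes a small list of
trusted domains (TRUSTED_DOMAINS) and uses a constructed sample message;
neither the domains nor the message come from the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain(s).
TRUSTED_DOMAINS = ("example.com",)

# Digits and letter pairs that attackers swap in because they look alike.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PRESSURE_RE = re.compile(
    r"\b(urgent|immediately|confidential|keep this (between|to yourself))\b", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def fold(domain):
    """Normalise a domain so that common lookalike tricks collapse."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; a small value between two domains means a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A non-trusted domain counts as a lookalike if it equals a trusted
    domain after homoglyph folding ('examp1e.com') or is one edit away
    from it ('exampl.com').
    """
    domain = domain.lower()
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if fold(domain) == fold(t) or levenshtein(domain, t) <= 1:
            return t
    return None


def analyse(raw):
    """Run the checks over a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    if from_dom in TRUSTED_DOMAINS:
        # Looks right, but a spoofed header or a compromised account looks the same.
        findings.append("from: trusted domain (spoofing or compromise still possible; verify out of band)")
    else:
        hit = lookalike_of(from_dom)
        if hit:
            findings.append(f"from: lookalike domain {from_dom!r} imitates {hit!r}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply-to: replies go to {reply_to!r}, not to the From domain")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        for t in TRUSTED_DOMAINS:
            # 'example.com.secure-login.invalid' is NOT under example.com.
            if host != t and not host.endswith("." + t) and t in host:
                findings.append(f"link: host {host!r} embeds trusted name {t!r} but is not under it")

    if PRESSURE_RE.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("body: urgency or secrecy pressure language")
    return findings


# Constructed sample in the CEO-fraud style (not a real message).
SAMPLE_CEO_FRAUD = b"""From: "Jane Smith, CEO" <jane.smith@examp1e.com>
Reply-To: jane.smith.ceo@mail-example.net
To: finance@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset=utf-8

Please wire the attached invoice today and keep this between us.
Confirm at http://example.com.secure-login.invalid/
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_CEO_FRAUD):
        print(finding)
```

Run against the constructed sample, `analyse` reports all four problems. Run against a genuine message from your own domain it reports only the reminder that an authentic-looking address proves nothing, which is deliberate: the script is there to stop you being lulled by a clean header, not to replace picking up the phone.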
If in doubt, check it out.