Threat Alert: Spear Phishing
March 8, 2008 – 6:00 PM
“After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: …” Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?
Today’s phishers hope so. In fact, the excerpt above didn’t appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or “spear-phishing,” attack against the small, 33,000-member university credit union this May. Another widely reported incident involved an Israeli company that used spear-phishing techniques to install spyware on PCs at the office of one of its competitors.
According to Peter Cassidy, secretary general of the Anti-Phishing Working Group, spear phishers act much like marketers, crafting a message and then directing it to just the right people.
These targeted attacks make better use of social engineering to trick people who are tuning out the widespread spam of typical phishing attacks, Cassidy says, but who might not expect an e-mail aimed at a smaller company or organization.
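The lure quoted at the top of this article combines three things a mail filter can look for: a display name that claims to be internal IT, a sending address on some other domain, and an "unlock your profile" link that leaves the organisation. The following is an added example, not code from the article or from any vendor it mentions; it scores a constructed sample of that lure and a constructed benign notice with those three heuristics. The internal domain `example-cu.test`, the name hints and the sample messages are all assumptions made for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (placeholder, not from the article).
INTERNAL_DOMAIN = "example-cu.test"
# Display-name fragments that make a recipient trust the sender as internal staff.
INTERNAL_NAME_HINTS = ("it helpdesk", "it department", "head of it", "example cu")
# Lock-out / urgency wording of the kind used in the quoted lure.
URGENCY_TERMS = ("locked", "unlock", "suspended", "verify", "immediately")

LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample modelled on the lure: internal-looking name, external address,
# link on a look-alike host that merely starts with the internal domain name.
SAMPLE_LURE = """\
From: "IT Helpdesk (Example CU)" <it-helpdesk@mail-secure-login.test>
To: member@example-cu.test
Subject: Your Online Profile has been locked
Content-Type: text/plain

After three unsuccessful attempts to access your account, your Online Profile
has been locked. You may unlock your profile by going to:
http://example-cu.test.account-verify.test/unlock
"""

# Constructed benign notice: same display name, but sent from and linking to the real domain.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-cu.test>
To: member@example-cu.test
Subject: Weekend maintenance notice
Content-Type: text/plain

Scheduled maintenance window this Saturday. No action is needed on your part.
Details: https://intranet.example-cu.test/maintenance
"""


def _host_is_internal(host: str) -> bool:
    """True only for the internal domain itself or a genuine subdomain of it."""
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def score_message(raw: str) -> list[str]:
    """Return the list of heuristic findings for one RFC 822 message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg["From"] or "")
    sender_host = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_content()
    findings = []

    # 1. Display name claims an internal role, but the address is on another domain.
    if any(h in display_name.lower() for h in INTERNAL_NAME_HINTS) and not _host_is_internal(sender_host):
        findings.append(f"display name '{display_name}' looks internal but address domain is {sender_host}")

    # 2. Links leave the organisation; a host that merely contains the internal name is a look-alike.
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _host_is_internal(host):
            kind = "look-alike" if INTERNAL_DOMAIN in host else "external"
            findings.append(f"{kind} link host: {host}")

    # 3. Account lock-out / urgency wording in subject or body.
    text = ((msg["Subject"] or "") + " " + body).lower()
    hits = sorted(t for t in URGENCY_TERMS if t in text)
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample) or "no findings")
```

The subdomain test in `_host_is_internal` is the part worth copying: a plain substring match on the organisation's name would have accepted `example-cu.test.account-verify.test`, which is exactly the kind of host a targeted lure uses.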
Expect it: According to IBM’s Global Security Index report, intercepted spear-phishing attempts exploded from a mere 56 instances in January to more than 600,000 cases in June.