Dec 14 2015

This Ain’t Your Daddy’s Phishing Trip

One thing we’ve likely all gotten is an email from some “rich Nigerian prince” offering us millions, in exchange for a little legwork or some such activity. The scam is old, but surprisingly effective. You wire them what seems like a pittance, for what you expect will be a major financial windfall on the return. Except that the phisher isn’t a prince and doesn’t have millions. But, they do have that untraceable money order you just sent them.

That was then. This is now. And now, you are going to be getting a much more tailored attack. It’s going to look like it’s coming from someone you know. It’s going to look like a fully legitimate e-mail address. But in all likelihood, the sender is a professional criminal. They’ve spent time scouring your social media accounts in order to figure out who they should pretend to be. They’ve spent inordinate amounts of time crafting very professional and official-looking templates. In other words, a lot of these attempts (called spearphishing) would not be easily spotted.

On top of having a wealth of intelligence on you and your associates, used to make their emails more believable, they also have a great deal of tools allowing their footprints to be better hidden, so you can’t easily see where they were, where they are going or what they made off with.

They know more about you, because they’ve made a point to target and research everything they can about you. They have free access to lots of information because, quite possibly, you put it out there for all to read (like, say, your LinkedIn profile). On top of all the wonderful intelligence you are giving out for free, odds are one of these attackers has been in your systems before, just lurking and waiting to pounce.

Why would a bad actor go to such lengths? Because the stakes are that much higher. The Nigerian prince scam may get the phisher a few hundred bucks per sucker. Targeted spearphishing at the corporate level? The sky is practically the limit. Sony is a golden example of how a patient and skilled attacker can do a lot of damage and use it for gain. While not a spearphishing exercise, the attack happened over a year ago, and the impact is still being felt now.

How can you prevent these incursions? My main recommendation would be heavy on the training, as your end users are the weak link here. Spam filters are a great help, and many will catch spoofed domains and malformed email addresses, but the tools to do this are getting more sophisticated, and an attacker is perfectly happy to buy a legitimate domain for 10 bucks a year to avoid spam filters. But, no matter how good your spam filtering is, one email is all it takes to get through and compromise things. And once a user clicks on that one email, it could be the beginning of a very bad week for you. So make sure your users know exactly what to look for, and also how to handle possible spearphishing emails (as in, don’t just delete them, but also don’t open them).
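As an added example (not part of the original post), here is a small Python check of the kind a mail gateway or a triage script can run on a From: header to flag what the paragraph describes: a malformed address, a look-alike domain within a small edit distance of a trusted one, and a display name that carries a different address than the real sender. The trusted domains and the sample headers are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the organization's own domains (assumption).
TRUSTED_DOMAINS = ("example.com", "examplebank.com")
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")
LOOKALIKE_MAX_DISTANCE = 2  # edit distance that still counts as "too similar"


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of findings for one From: header (empty list means clean)."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    if not DOMAIN_RE.fullmatch(domain):
        findings.append("malformed-address")
    elif domain not in TRUSTED_DOMAINS:
        # A registered domain one or two edits away from ours (examp1e.com,
        # exarnple.com) passes a plain "is it spoofed?" check, so compare it.
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= LOOKALIKE_MAX_DISTANCE:
                findings.append(f"lookalike:{trusted}")

    # Display name shows one address while the envelope carries another.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != domain:
        findings.append("display-name-mismatch")
    return findings


# Constructed sample headers for the demonstration.
SAMPLE_HEADERS = [
    "Alice <alice@example.com>",
    "Alice <alice@examp1e.com>",
    "bob@example",
    '"ceo@example.com" <ceo@mail-example.net>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r}: {check_sender(header) or 'clean'}")
```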

Training goes a long way here. Your staff may be your biggest risk, but with training and support, you can make them a strong point.