KnowBe4 has released information about the most widespread spearphishing scams targeting businesses.
Spearphishing is the attack technique in which highly targeted, socially engineered emails are sent to a very small number of people. The purpose of a spearphishing email is to deceive the recipient into taking an action, such as following a link or opening an attachment, that compromises the security of the recipient’s systems.
KnowBe4 cites these five scams:
5. Better Business Bureau Complaint – The recipient receives an official-looking email made to appear as though it came from the Better Business Bureau, notifying them of a complaint. The recipient is instructed to click a link to contest or respond to the complaint. If the link is clicked, malware is downloaded to the system.
4. Smartphone Security App – Using publicly available web sources, cybercriminals find the names and email addresses of a company’s senior management. With this information, they spoof an email from the CEO to the CFO instructing the CFO to follow a link. When the link is clicked, a keystroke logger is installed on the CFO’s computer. The cybercriminals then have full access to the CFO’s account login credentials and can intercept any two-factor authentication text messages sent to the CFO.
3. Layoff Notice – Employees receive a spoofed email from the CEO or Human Resources informing them that they have been laid off. They are instructed to click a link to register for severance pay. The landing page looks just like the company’s website and asks users to enter their name and social security number to log in. The fake website triggers a malware download to the user’s system, and if the victim entered any personal details, they are immediately at risk of identity theft.
2. Prize for Feedback – Using social media profiles, cybercriminals determine which organizations the targeted person supports or does business with, and which local restaurants they favor. The cybercriminals send a fake email from one of those charities or organizations asking the recipient to download a PDF describing an upcoming campaign or event, and offering a free dinner at the local restaurant in exchange for feedback. When the PDF is downloaded, malware is installed on the system, giving the cybercriminals direct access to the network.
1. Lawsuit – Cybercriminals use the web to find the email addresses of a company’s executives and lawyers. They then send the executive team a fake email purporting to come from the lawyers, with a malicious PDF describing pending litigation attached. When the attachment is opened, malware is installed and the network is compromised.
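Scams 4 and 1 above depend on a forged or lookalike sender: an email that appears to come from the CEO or from the company’s lawyers. The following is an added example of the header checks a mail gateway or analyst can apply to such a message; it is not code from KnowBe4 or Iconix. The company domain example.com, the executive roster and the three sample messages are all constructed for illustration. Note the caveat it demonstrates: a lookalike domain controlled by the attacker can pass SPF, DKIM and DMARC for itself, so authentication results alone do not settle who sent the message.

```python
"""Header checks for executive-impersonation spearphishing.

Added example, not code from KnowBe4 or Iconix. The company domain
example.com, the executive roster and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumed company domain
EXECUTIVES = {                      # constructed roster: display name -> real mailbox
    "Jane Doe": "jane.doe@example.com",   # CEO
    "John Roe": "john.roe@example.com",   # CFO
}


def parse(raw):
    """Parse a raw RFC 5322 message with the modern (RFC 6532-aware) policy."""
    return email.message_from_string(raw, policy=policy.default)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def analyze(raw):
    """Return a list of findings; an empty list means no impersonation signal."""
    msg = parse(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name belongs to an executive, but the mailbox is not theirs.
    for exec_name, exec_addr in EXECUTIVES.items():
        if " ".join(name.split()).casefold() == exec_name.casefold() and addr != exec_addr:
            findings.append(f"display name '{name}' used with {addr}, not {exec_addr}")

    # 2. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Message claims our own domain but did not pass DMARC at our gateway.
    verdicts = auth_results(msg)
    if domain == ORG_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append(f"From {ORG_DOMAIN} but dmarc={verdicts.get('dmarc', 'missing')}")

    # 4. Sender domain is a near-miss of ours. This fires even when SPF/DKIM/DMARC
    #    all pass, because the attacker authenticates for the lookalike domain.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} resembles {ORG_DOMAIN}")
    return findings


# Constructed sample 1: lookalike domain that passes authentication for itself.
LOOKALIKE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
To: John Roe <john.roe@example.com>
Subject: Install this security app before our call

John, install the app from the link below and confirm.
"""

# Constructed sample 2: exact-domain spoof that fails authentication.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: John Roe <john.roe@example.com>
Subject: Pending litigation

See attached.
"""

# Constructed sample 3: genuine internal mail.
LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: John Roe <john.roe@example.com>
Subject: Board deck

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

Run as a script it prints three findings for the lookalike message, one for the exact-domain spoof and none for the genuine mail. The checks are deliberately mechanical, which is the point: they do not rely on the recipient noticing a one-character difference in the sender domain, the kind of subtle clue the rest of this post argues people do not see.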
The solution to these attacks proposed by KnowBe4 is caution and training. While we at Iconix support caution and training, the sad reality is that caution and training are ineffective against well-crafted, highly targeted spearphishing attacks. Reliance upon spearphishing training is driven by three assumptions:
- People pay attention to subtle clues about email authenticity.
- People do not engage in automated responses driven by habit.
- Spearphishing emails contain clues that betray their nefarious purpose.
These assumptions are invalid. Groundbreaking research led by Arun “Vish” Vishwanath, PhD, demonstrated conclusively that people do not pay attention to subtle clues about email authenticity. Dr. Vishwanath’s research demonstrated that when reading email, people are creatures of habit. The examples cited by KnowBe4 are typical of the clever methods used in highly targeted attacks to imbue email with authenticity and hide the nefarious purpose.