YOUR I.T. DEPARTMENT has no doubt warned you not to click on suspicious links in e-mails, even when the missive promises a hilarious video or comes from a seemingly trustworthy source. If the link looks suspect: Do. Not. Click.
That’s because these emails are often phishing scams designed to trick you into clicking on a malicious attachment or visiting a malicious web site. In the latter case, the web site may appear to be a legitimate bank site or email site designed to trick the user into disclosing sensitive information—such as a username and password or bank account information—or may simply surreptitiously download malware onto the victim’s computer.
Just ask the White House employee who apparently clicked on a phishing email purporting to come from the State Department and allowed hackers into several government networks.
Spear-phishing is a more targeted form of phishing. Whereas ordinary phishing involves malicious emails sent to any random email account, spear-phishing emails are designed to appear to come from someone the recipient knows and trusts—such as a colleague, business manager or human resources department—and can include a subject line or content that is specifically tailored to the victim’s known interests or industry. For really valuable victims, attackers may study their Facebook, LinkedIn and other social networking accounts to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust.
An estimated 91 percent of hacking attacks begin with a phishing or spear-phishing email. Although firewalls and other security products on the perimeter of a company’s network may help prevent other kinds of malicious traffic from entering the network—for example through vulnerable ports—email is generally considered legitimate and trusted traffic and is therefore allowed into the network. Email filtering systems can catch some phishing attempts, but they don’t catch all of them. Phishing attacks are so successful because employees click on them at an alarming rate, even when emails are obviously suspicious.
One of the most famous examples of a spear-phishing attack that succeeded despite its suspicious nature targeted the RSA Security firm in 2011.
The attackers sent two different targeted phishing emails to four workers at RSA’s parent company EMC. The emails contained a malicious attachment with the file name “2011 Recruitment plan.xls,” which contained a zero-day exploit.