Spear-phishing via email is not a new thing. Poorly configured and misspelt spoof emails would trickle into your inbox as a somewhat feeble attempt to try and retrieve your personal details. Despite these less sophisticated attempts, email does remain the most common point for targeted attacks and we are currently seeing cyber-criminals adapting their methods and changing the game.
An open gateway
As the headlines today are dominated by large-scale cyber-attacks, directed at corporate juggernauts or public sector organizations, we run the risk of turning a blind eye to email phishing and disregarding it as a serious threat. For hackers, this has created the perfect opportunity; they are constantly evolving their tactics and are making spear-phishing attacks far more sophisticated and targeted than we have previously seen.
With the mass of personal information we put out daily on social media, it’s easier than ever for attackers to gather information and create very compelling and believable phishing emails. The attacker, or impersonator, can find out: your place of employment, your favorite sports team, where your children go to school, and even impending transactions.
They will go to great lengths to pull off a successful impersonation attack, often engaging in multiple emails back and forth before requesting sensitive information, such as credentials, a wire transfer, or employee tax information.
You may think you would easily notice a phishing attempt and are not one to be fooled. Because of the increasingly personalized nature of these attacks, and the fact most of them do not contain malicious files or links, traditional email security solutions cannot stop them, leaving you completely vulnerable. All it takes is one email that replicates the language and appearance of an email you’ve previously received, for you to quickly reply on your phone with little thought of its origin.
Home not so sweet home
As if being the victim of a phishing attack isn’t cruel enough, we have identified a new threat – and this time, it’s hitting a new generation of homebuyers.
Buying a house is undoubtedly a stressful event. It is one of the most important purchases someone can ever make and often one they have been saving for years in order to take possession of the keys and let out that long-awaited sigh of relief. But what if that sigh got delayed, or worse – never came? What if a cyber-criminal interfered with the process and had the loan payment wired to them instead of the seller? This nightmare scenario can have substantial financial consequences for the homebuyer. They could end up losing the house, a whole lot of money, personal information and much more.
We recently heard from a couple whose exchange day had arrived and all seemed to be going according to plan. The homebuyers had just a few last-minute tasks to complete, and they’d have the keys to their new home. Of the remaining tasks, the time had come for the buyers to wire funds to close escrow. However, at the eleventh hour they received an email from their mortgage company stating that they had switched banks, and to follow the updated wiring instructions in the email attachment.
Fortunately, alarm bells started ringing for this savvy homebuyer, who immediately called his mortgage company. Whilst this couple avoided the threat, it may have captured many more victims who weren’t so cautious.
With the amount of time and effort it takes to not only find the perfect house, get an offer accepted, and make it through the signing process, being the victim of a cyber-attack can be soul destroying.
To help ensure you’re mindful of attacks of this nature, here are the danger signs to look out for:
- An odd or unexpected request. Just because you recognize the name of the sender, it doesn’t mean it’s them sending it. If it sounds like an odd request, pick up the phone and call the person the email is supposedly from.
- A domain changed by one letter. For example, @gmoil.com instead of @gmail.com. This masking technique is easily overlooked and highly effective, but can be easily overcome by hovering a cursor over the email address. A window will pop up showing the sender’s real domain.
- A message asking the recipient to open at attachment. This could contain malicious activity and should be approached with extreme caution. When in doubt, do not open attachments.