Spear-phishing doesn’t necessarily involve links or attachments

Article

Snapchat, Seagate among companies duped in tax-fraud scam | Mashable

My Comments


Spear-phishing email doesn’t necessarily have to have links or attachments

An issue that has come to the fore lately is spear-phishing in which an email is sent to a particular department within a business to trick its staff into handing over critical financial or other information.

This recently happened to a number of American businesses, including Snapchat and Seagate, where the human-resources departments were told, in an official-looking email purporting to be from the CEO, to hand over the W-2 tax forms for their employees.

For those of you outside the USA, a W-2 is a statement provided by your employer of what you earned during the year and the taxes withheld from it; the equivalent would be the P60 in the UK and Ireland or the Group Certificate (now the PAYG payment summary) in Australia. In the wrong hands, these statements are a goldmine for identity theft and tax fraud, because each one carries the employee's name, address, Social Security number and earnings.

But this differs from a garden-variety spear-phish attack because the recipient is never asked to visit a Website via a link or to open an attachment that came with the email. Instead, they are asked to prepare the information themselves in a specified computer-file format and send it back as an attachment to their reply. That also means the usual defences at the mail gateway, such as link scanning and attachment sandboxing, have nothing to catch: the only payload is the one the victim creates.

What was highlighted was that the spear-phish email mimicked official company correspondence, down to the company's trade dress (logos, colour scheme, typography) and the disclaimers that go with such correspondence. Such emails also appear to come from someone high up in the business. The spear-phishers identified "who's the boss" by performing Google or LinkedIn searches, and the same data can simply be read off the "About Us", shareholder-information or similar pages of a company's public-facing Website. Such correspondence also tends to surface at particular times, like holiday seasons, tax-filing seasons or special events, when an urgent request from the boss looks plausible.

This is a classic form of social engineering within the business: the staff succumbed to human error and weren't vigilant. If they see an email with an important request from their boss, they act on it forthwith, as business life expects of them. It is similar to the classic distraction-burglary or burglary-artifice scam, where a householder is pressured into letting people who look like officials into their home, and these bogus officials then commit crimes against the household. It affects small businesses as much as larger businesses and organisations, because the request could equally appear to come from the business's owner, a franchisor (in the case of a franchised business) or someone else higher up the business's food chain.

A similar scam known as "whaling" targets business owners, managers and other known organisational figureheads with email purporting to come from partners, from suppliers or service-providers such as your landlord, or from officials such as the taxman or Trading Standards. It has the same effect as spear-phishing: you are tricked into divulging sensitive information. It can affect businesses and organisations of all sizes, from the small pizza shop on the corner to the large business in town.

The red flags to be aware of with spear-phishing or whaling are: whether the request is out of the ordinary, for your business or for normal business practice; whether the domains of the "From" and "Reply-To" addresses match the known domains for the business, bearing in mind that a look-alike domain may differ from the real one by a single character and that a display name can be made to show a familiar address while the actual address is somewhere else entirely; and whether the writing style reflects the purported sender's style or the accepted norms for business correspondence in the locale.
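The domain and reply-address checks just listed, together with the "send it back as a reply, no link and no attachment" pattern described earlier, can be expressed as a small screening routine. What follows is an added example written for this post, not code from the original article or from any of the companies named; it assumes the organisation's own mail domains are the hypothetical example.com and example.co.uk, and the two messages at the bottom are constructed for the demonstration.

```python
"""Header and body checks for the 'reply with the W-2s' style of spear-phish.

Added example, not code from the original post. Assumes the organisation's
own mail domains are the hypothetical example.com and example.co.uk; the
two sample messages at the bottom are constructed, with invented names.
"""
import re
from email import message_from_string, policy

# Assumption: the domains this organisation actually sends mail from.
KNOWN_DOMAINS = {"example.com", "example.co.uk"}

# Phrases that mark a request for the kind of data the scam is after.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|p60s?|group certificates?|payroll|tax forms?)\b", re.I)


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """Not one of ours, but within two edits of one of ours."""
    return domain not in KNOWN_DOMAINS and any(
        levenshtein(domain, k) <= 2 for k in KNOWN_DOMAINS)


def addresses(msg, header):
    """Every Address object found in all instances of an address header."""
    return [a for h in msg.get_all(header, []) for a in h.addresses]


def assess(raw):
    """Return the list of red flags raised by one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    from_addrs = addresses(msg, "From")
    reply_addrs = addresses(msg, "Reply-To")
    from_domains = {a.domain.lower() for a in from_addrs}
    reply_domains = {a.domain.lower() for a in reply_addrs}

    # Red flag 1: replies go somewhere other than where the mail claims to come from.
    if reply_domains and reply_domains != from_domains:
        flags.append("reply-to domain differs from from domain")

    # Red flag 2: a sender or reply domain that is not ours but looks like ours.
    for d in sorted(from_domains | reply_domains):
        if is_lookalike(d):
            flags.append(f"look-alike domain: {d}")

    # Red flag 3: an internal-looking address shown as the display name of an outside address.
    for a in from_addrs:
        shown = a.display_name.strip()
        if "@" in shown and shown.rpartition("@")[2].lower() in KNOWN_DOMAINS \
                and a.domain.lower() not in KNOWN_DOMAINS:
            flags.append(f"display name impersonates {shown}")

    # Red flag 4: a request for tax or payroll data with no link and no attachment,
    # i.e. the payload is whatever the victim sends back in the reply.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    has_link = bool(re.search(r"https?://", text, re.I))
    has_attachment = any(True for _ in msg.iter_attachments())
    if SENSITIVE_REQUEST.search(text) and not has_link and not has_attachment:
        flags.append("asks for tax or payroll data by reply, with no link or attachment")

    return flags


# Constructed sample: the 'CEO wants the W-2s' pattern, with invented names.
PHISH = """\
From: "ceo@example.com" <pat.chief.ceo@mail-examp1e.com>
Reply-To: Pat Chief <pat.chief.ceo@examp1e.com>
To: hr@example.com
Subject: Urgent: employee W-2s
Content-Type: text/plain; charset="utf-8"

Kindly send me the W-2s for all staff for last year as a single file.
I need them before my meeting this afternoon, so just reply to this email.
Pat
"""

# Constructed sample: routine internal mail, which should raise nothing.
ROUTINE = """\
From: Payroll <payroll@example.com>
To: hr@example.com
Subject: Leave balances for March
Content-Type: text/plain; charset="utf-8"

The March leave balances are on the HR portal: https://hr.example.com/leave
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("routine", ROUTINE)):
        print(label, assess(raw) or ["no flags"])
```

The fourth check is the one worth noting: it fires precisely on the messages a link scanner or attachment sandbox would wave through, because there is nothing in them to scan. None of these checks replaces picking up the phone, but they give a mail administrator something to route to a quarantine or a warning banner.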

But most importantly, verify the facts from the horse's mouth. This means sending a separate email to the proper source at the address you already know them to be at or, preferably, making a phone call to check those facts, using a number you already hold rather than one given in the suspicious email, and never simply replying to it. This is even more important if the request comes "out of the blue".

As well, be wary of out-of-the-ordinary correspondence that you receive by email around critical occasions like tax time.

Once you know what is the norm for your organisation and industry, rely on your "sixth sense" to identify when something is suspicious, and report it straightaway.
