Look before you click, and be skeptical of e-mails. Do not be a victim of spear phishing!
Do not open e-mail messages when you cannot tell who the real sender is. Messages dressed up as "friendly" postcards or as mass-mailed chain e-mail warning readers of some danger often give themselves away with odd syntax, poor spelling and suspicious web addresses. Keep asking yourself "Why should I believe that?" Remember that you cannot always trust the "From" address on an e-mail: it is easily forged by fraudsters, trojans and viruses, and the receiving mail server's own checks, not the display name, are what say where a message actually came from. If you are not expecting a message, link, or attachment from someone, ask yourself "Why should I trust that it really came from the apparent sender, and that it is safe?" When in doubt, call the sender on a number you already have (not one given in the message) and verify that they sent it.
In enterprises where your proprietary information and business process sets you apart from your competition, being an e-mail skeptic can save you money, time, and reputation. Typically, a spear phishing campaign works like this:
A fraudster will research a company website to find out who is on the management team. A reasonable conclusion is that a person's e-mail address is some combination of their first and last name at the same domain as the company website, and some websites even list the managers' e-mail addresses for anyone to see. The fraudster then sends e-mail to one of the management team with content that appears to concern the company: a legal warning to which the company must respond, or an urgent request for help, along with a document or zip file said to contain the pertinent information. The zip file is often password-protected, with the password given in the message body, so that virus scanners cannot inspect its contents. Opening the document or archive infects the user's system with a virus or trojan.
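Two of the warning signs above, a "From" address that does not match where the message really came from and a password-protected zip attachment, can be checked mechanically before anyone clicks. The following Python script is an added example, not code from the original article: it parses a raw message, compares the visible From domain with the envelope sender (Return-Path) and the receiving server's Authentication-Results verdicts (SPF, DKIM, DMARC), and flags zip attachments whose members carry the "encrypted" flag. The sample message, the look-alike domain examp1e-corp.net and the names in it are constructed for the example; because Python's zipfile module cannot write encrypted archives, the sample archive is a plain zip with its encryption flag bit patched on, which is enough to show what a scanner sees.

```python
"""Triage a raw e-mail the way a skeptical reader should: does the visible
From header agree with the envelope sender and with the receiving server's
SPF/DKIM/DMARC verdicts, and is there a password-protected zip attached?
Added example, not code from the original article."""

import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>' ('' if none)."""
    _, addr = email.utils.parseaddr(addr)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Parse Authentication-Results into e.g. {'spf': 'pass', 'dmarc': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member sets bit 0 (encrypted) of the general-purpose flags."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> list:
    """Return human-readable warnings for a raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    if env_dom and env_dom != from_dom:
        warnings.append(f"From domain {from_dom!r} differs from envelope sender {env_dom!r}")
    ar = auth_results(msg)
    if not ar:
        warnings.append("no Authentication-Results header: sender authenticity unverified")
    for method in ("spf", "dkim", "dmarc"):
        if ar.get(method) not in (None, "pass"):
            warnings.append(f"{method} result is {ar[method]}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            if zip_is_encrypted(payload):
                warnings.append(f"attachment {name!r} is a password-protected zip")
            else:
                warnings.append(f"attachment {name!r} is a zip archive")
    return warnings


def build_encrypted_zip_bytes() -> bytes:
    """Constructed sample archive: a harmless zip whose 'encrypted' flag bit is
    patched on in the local and central headers (offsets 6 and 8), because
    zipfile cannot write real encrypted archives. Not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.docm", b"placeholder")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(sig) + off] |= 0x01
    return bytes(data)


def sample_message() -> bytes:
    """Constructed spear-phishing sample: the CFO's name and company domain in
    From, a look-alike envelope domain, a failed DMARC check, an urgent legal
    pretext and a 'password-protected' zip. All names and domains are made up."""
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@examp1e-corp.net>"
    msg["Authentication-Results"] = ("mx.example.com; spf=pass smtp.mailfrom=examp1e-corp.net; "
                                     "dkim=none; dmarc=fail header.from=example.com")
    msg["From"] = "Jane Doe <jane.doe@example.com>"
    msg["To"] = "ceo@example.com"
    msg["Subject"] = "URGENT: legal notice - respond today"
    msg.set_content("The password for the attached notice is 1234. Please review at once.")
    msg.add_attachment(build_encrypted_zip_bytes(), maintype="application",
                       subtype="zip", filename="Legal_Notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for warning in triage(sample_message()):
        print("WARNING:", warning)
```

Run against the sample, the script reports the From/Return-Path domain mismatch, the DKIM and DMARC results, and the password-protected attachment. Only the receiving server's Authentication-Results header should be trusted for the SPF/DKIM/DMARC verdicts; a gateway that does not strip such headers from inbound mail lets an attacker supply a forged "pass" of their own, so in production the check should be keyed to the authserv-id of your own mail server.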
The virus or trojan gives the attacker access to the system, from which they can browse network shared drives for documents or e-mails containing information of value to them: credit card numbers, wholesale pricing for products, confidential business-practice documents, employee salaries, SSNs, home addresses or other personal information. If your company keeps electronic records of customer credit cards, it is especially important that those databases are encrypted at rest, so that a copied database file is useless without a key stored separately from it; a login password on the database server alone does not protect a file the attacker has already copied. The attacker may then encrypt the documents with ransomware such as CryptoLocker or CryptoWall, making them inaccessible until a ransom is paid. Alternatively, they may use the information for identity theft or fraud, or threaten to release it to your competitors.
The Oregon Consumer Identity Theft Protection Act (ORS 646A.600) lays out the legal requirements that enterprises must meet when they have been victims of such compromise, including the requirement to determine the full scope of the breach and to notify customers “in the most expeditious time possible.” This can cost thousands of dollars in lost productivity and legal consultation, not to mention the time it takes for consultants to determine the scope of the breach.
If your employees are not being actively mindful of spear phishing e-mails, and one of them falls victim to a spear phishing campaign, you should consider your private network compromised.