Spear phishing con artists are becoming more clever and sophisticated in their attempts to trick people into falling for their scams. For instance, they now sometimes include the intended victims' home addresses to make their spear phishing emails seem more legitimate.
Hackers are using this ploy in a series of ransomware attacks that started in April 2016. The spear phishing emails appear to be from bill collectors who claim they are acting on behalf of various legitimate companies. If the recipients fall for the scam and click the malicious link when they are on a company computer, the business's computer will be infected with ransomware.
How to Spot the Emails
Here is how to spot the spear phishing emails used in this attack: The email starts with a greeting that includes the target's full name. This is common in spear phishing emails, as they are personalized phishing attempts.
The email then claims that the person has an overdue invoice, which he or she can download a printable copy of by clicking the provided link. To make the email seem legitimate, the hackers state that the "original invoice will be sent out to", followed by the person's full name and home address.
One recipient of the spear phishing email noted that the address looked like how she would write it and not how it is written by autofill sections on web pages. Authorities believe that the hackers are getting the addresses from publicly available databases.
Opening the spear phishing email itself is harmless. However, if the target downloads and opens the invoice (which looks like a Word document), his or her computer will be infected with ransomware.
Ways to Protect Your Company from Spear Phishing Attacks
To protect your business from attacks like this, you need to educate employees on how to spot spear phishing emails. Let them know that the inclusion of personal information such as a home address does not speak to the legitimacy of the email.
In addition, inform them about the importance of not clicking links in emails from people they do not know. Even if an email is from someone they know, have the employees check an embedded link before clicking it by hovering their cursor over it to see the website address. If the address seems suspicious, tell them to check with the email's sender to make sure the person sent it.
Because hackers are becoming more skilled at crafting spear phishing emails, employees still might fall for a scam, despite your best efforts at educating them on how to spot one. For this reason, you need to regularly back up your business's files and make sure they can be successfully restored. That way, if someone falls for a spear phishing scam, you will have backups of your business's files in case the original files are compromised.
For more information on how to protect your data & business from spear phishing attacks, download our latest White Paper on "How To Spot Phishing Attacks".