Spear Phishing

noun: spear phishing

1.    the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

"spear phishing represents a serious threat for every industry"

The incidence of spear phishing continues to increase. At Henssler, even though our in-bound email is filtered through two different 3^rd party services, well-crafted spear phishing attempts can still make it through. Why? Because it is almost impossible for the filters to tell the fake emails from the legitimate.  These emails are simply requests for routine functions that we perform on a regular basis. What set these apart is the criminals have taken the time to get the correct names, and in some cases format the request in a very believable manner.

We have seen multiple incidences of criminals purporting to be clients and employees trying to fool us into wiring money and changing payroll direct deposit accounts. Some of these have been ‘a cut above’ the usual stuff our staff easily identifies as bogus. Fortunately, thanks to regular employee training as well as policies and procedures designed to confirm and verify these type of requests, none have been successful. However, we are always diligent and attempt to learn from each attempt, as the bad guys need only succeed once, whereas we must get it right 100% of the time.

How the criminals obtain access to this information varies, but it shows a level of sophistication much greater than the average email scam artist. What makes this even more disconcerting is there are international gangs that specialize in these tactics, a few of which have been identified by authorities, but prosecution of cybercrime is extremely difficult and the possibility of recovered assets, almost nil.

The simplest and most effective way for you to protect yourself from these type of attempts is also the most old fashioned - simple one to one contact, either in person or via telephone. However, when using the phone, do NOT rely on a phone number that was provided in the suspicious email, instead look up the number separately. For example, if you receive an email purporting to be from a friend, financial or government representative requesting you to send or electronically transfer money, you should independently verify that request using a phone number you have for that individual. If you do not know them well enough to recognize their voice…should you really be sending them money?

One thing these scams tend to have in common is they try to instill a sense of urgency and when pressed, they have excuses why you cannot reach them through your known contact methods. If you think that you would never fall for something like this… so did many of those exploited by these scams every day, totaling an unknown number of billion$ lost by people throughout the world. [the estimated cost of cybercrime worldwide for 2018 was over $600 billion, the true cost can never be calculated as much of it goes unreported and unidentified ]. 

When in doubt, DON’T send it out!