4 spear-phishing hooks for the holidays
Expect some of the typical phishing lures to be cast this year, but more targeted 'spear-phishing' twists raise the potential for damage
By Joan Goodchild, Senior Editor
November 14, 2011 — CSO —
Cybercriminals are increasingly abandoning the technique of casting a wide net by blasting thousands of email accounts with a phishing scam. That's not nearly as lucrative as a spear-phishing attack, which might take more work, but has the potential for a much bigger payoff, according to Rohyt Belani, CEO of phishing-awareness-training company PhishMe.
"The kind of phishing attacks that are working now involve targeting specific employees at an organization," said Belani. "Every major breach we have heard about this year has been initiated by a targeted phishing attack—be it RSA, Epsilon, numerous defense contractors, Oak Ridge National Laboratory and on and on."
Belani said spam filters are doing such an effective job of filtering out bad email that criminals are now tailoring their messages to get around them. Those filters are built to catch high-volume, mass-blast mailings, so instead of blasting thousands of addresses, phishers now pick just five or six employees and strike.
"The normal employee at an organization doesn't think hackers would target them," said Belani. "As we saw in the RSA scenario, only four people received that email, none of them high-profile employees."
With that said, the holidays are full of scenarios that phishers may try to exploit. Here are four lines spear-phishing phonies are likely to cast over the next few weeks in the hope of getting you to bite.
"Kick off your holiday shopping with this 10% off coupon for any store at [your local mall]"
The coupon or discount is not a new tactic, but the addition of an actual mall right near you is, said Belani.
"Around the holidays, phishing emails appeal to the desire to get deals," said Belani. "It may be a coupon for a Black Friday sale, for example, but it will have the added detail of mentioning a local store or mall to make it more believable."
Belani suggests skipping any links or downloads that claim to have a coupon or discount code and going directly to the web site for the store or the mall. If there is a coupon, get it directly from their web site.
"If they are sending it on email, it is going to be on their web site as well," he said.
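One way to automate the check Belani describes, as an added example that is not code from the article or from PhishMe: extract every link in an HTML email and flag any whose real destination is not on the retailer's own domain, including links whose visible text looks like the retailer's address while the href points elsewhere. The email body, the mall domain (example-mall.example) and the lure domain are all constructed for the illustration; the only assumption is that you know the retailer's genuine domain.

```python
"""Flag coupon-style links whose real target is not the retailer's site.
Added illustration, not code from the article or PhishMe. Assumes the
retailer's genuine domain is known (here the made-up example-mall.example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the lure in the article. Both the mall domain
# and the lure domain are made up; nothing here is a real site.
SAMPLE_EMAIL_HTML = """
<p>Kick off your holiday shopping with this 10% off coupon for any store at
Example Mall!</p>
<p><a href="http://example-mall.example.coupon-deals.invalid/claim">
www.example-mall.example/coupons</a></p>
<p><a href="https://www.example-mall.example/holiday">Store hours</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.foo/bar' text gets a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, trusted_domain):
    """True only if host is trusted_domain or a subdomain of it.
    Matching on whole labels defeats 'example-mall.example.evil' style hosts."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def suspicious_links(html, trusted_domain):
    """Return (href, visible text, reason) for links that leave the trusted domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue  # anchor without a destination cannot redirect anyone
        target = host_of(href)
        if belongs_to(target, trusted_domain):
            continue
        reason = "target host %s is not under %s" % (target, trusted_domain)
        # If the visible text itself looks like an address on the trusted
        # domain, the mismatch is the classic display-text/href deception.
        looks_like_url = "." in text and " " not in text
        shown = host_of(text) if looks_like_url else ""
        if shown and belongs_to(shown, trusted_domain):
            reason += "; visible text claims %s" % shown
        findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML, "example-mall.example"):
        print("SUSPICIOUS:", href, "|", text, "|", reason)
```

The "Store hours" link passes because its host is a subdomain of the retailer's domain; the coupon link is flagged because its host merely starts with the retailer's name, and the note about the visible text shows why a user reading the email would not notice. In practice the safe action is the one in the article: ignore the link and type the retailer's address yourself.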