4 spear-phishing hooks for the holidays
Expect some of the typical phishing lures to be cast this year, but more targeted 'spear-phishing' twists raise the potential for damage
By Joan Goodchild , Senior Editor
November 14, 2011 — CSO —
Cybercriminals are increasingly abandoning the technique of casting a wide net by blasting thousands of email accounts with a phishing scam. That's not nearly as lucrative as a spear-phishing attack, which might take more work, but has the potential for a much bigger payoff, according to Rohyt Belani, CEO of phishing-awareness-training company PhishMe.
"The kind of phishing attacks that are working now involve targeting specific employees at an organization," said Belani. "Every major breach we have heard about this year has been initiated by a targeted phishing attack—be it RSA, Epsilon, numerous defense contractors, Oak Ridge National Laboratory and on and on."
Belani said spam filters are doing such an effective job of siphoning out bad emails, that criminals are now tailoring their messages to get around these filters, which can detect high volume and mass-blast emails. Instead, phishers now choose just five or six employees, and strike.
"The normal employee at an organization doesn't think hackers would target them," said Belani. "As we saw in the RSA scenario, only 4 people received that email, none of them high-profile employees."
With that said, the holidays are full of potential scenarios that phishers may try and exploit. Here are four lines spear-phishing phonies are likely to cast these next few weeks in the hope of getting you to bite.
"Kick off your holiday shopping with this 10% off coupon for any store at [your local mall]"
The coupon or discount is not a new tactic, but the addition of an actual mall right near you is, said Belani.
"Around the holidays, phishing emails appeal to the desire to get deals," said Belani. "It may be a coupon for a Black Friday sale, for example, but it will have the added detail of mentioning a local store or mall to make it more believable."
Belani suggests skipping any links or downloads that claim to have a coupon or discount code and going directly to the web site for the store or the mall. If there is a coupon, get it directly from their web site.
"If they are sending it on email, it is going to be on their web site as well," he said.