- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
CSO - The criminal art of spear phishing, email spoofing that aims to get the recipient to click on a bad link or attachment, has been around for years. But that doesn't mean it's become any less effective. According to figures from the U.S. Computer Emergency Readiness Team (US-CERT), which compiles information from federal, state and local governments, commercial enterprises, U.S. citizens and foreign CERT teams, phishing attacks accounted for 53 percent of all security incidents in 2010.
What has changed recently is that more phishing attempts are direct, targeted efforts aimed at specific individuals within an organization. In fact, after the recent breach of an email database maintained by marketing firm Epsilon, security experts warned that banking customers should worry about a wave of spear phishing attacks utilizing the information gained from the break in.
The days when phishers would blast out hundreds of generic messages and hope for a few hits are ending. Criminals now realize a message with specialized, social engineering content that is directed to one person, or a small group of people, can be much more successful. After all, it typically only takes one machine to compromise an entire network.
"We now see more of the scenarios involving just two or three emails targeting the executive team, which spoofs the legal team and contains a malware attachment that talks about pending litigation," said Jim Hansen of the security awareness consultancy PhishMe.
Also see: Phishing: The Basics
PhishMe has designed spear-phishing-awareness training that focuses on changing user behavior. Hansen gave us five tips his team offers clients to help them avoid getting hooked by a phony message.
Be skeptical of all emails
Ask yourself: Who is this email from? If the sender is someone you do not recognize, chances are this email is either some form of unsolicited spam or it is a phishing email, said Hansen. Search for the domain through Google or some search engine to see where the domain comes from, he advised.
"Slow down, take a breath and think about what you're doing," said Hansen. "We are all busy people, but if you take a few minutes, it's not going to disrupt your day."
Be wary of attachments
If you do open the email and you are prompted to download images or attachments, don't, said Hansen. These "images" and attachments could contain malicious content that you don't want on your computer. At best, said Hansen, you are slammed with a ton of spam and advertisements. At worst your computer could be an open book to an attacker trying to get your information.
If the message comes from a sender you don't recognize, or even if it is a sender that you do recognize, get confirmation before downloading any attachment.
Ignore commands and requests for action
If the email is urging you to do something, stop and think before you fall into their trap, said Hansen. If it is too good to be true or seems too farfetched, it probably is.
"There are two motivations a criminal will try to appeal to: reward or authority," said Hansen.