Spearphishing is the use of fake emails to trick a person or small group into activating malware or revealing their network credentials. With attackers constantly creating more clever ruses, defending against spearphishing requires not only knowing the newest tricks, but rethinking how we use email in the first place.
The long, slow commute was weighing on the staff in the D.C. office. Then a little glimmer of hope hit their inboxes.
It was an email about a new Metro station. The details were in an attachment. In their excitement, the road-weary workers never even hesitated to open it.
They should have.
The email was a test by the company’s cybersecurity consultants to see how susceptible the staff was to spearphishing, a cyberattack tactic that uses fake, manipulative and highly personalized emails to deliver malware and steal people’s usernames and passwords. The result was bleak: 80 percent fell for it.
Spearphishing is a go-to tactic for every type of cyber attacker, from penny-ante crooks pilfering bank accounts to nation-state operatives trying to wrest control of power plants. They like it because it’s cheap, easy and effective: With just an email account, a few facts about the victim and a good story, they can sit back and watch as even cyber-savvy people download dangerous files and cough up their credentials.
“When they spend a little time researching the company or the individual they’re targeting and tailor their email to that, the success rates increase exponentially,” said Fabian Franco, digital forensics and incident response lead at Raytheon Cyber Protection Solutions. “And the trickiest ones are when they make it very tailored, from incorporating your company’s logos to using an email address that’s very similar to a colleague’s.”
Here, to show how cunning cybercriminals have become, Raytheon’s security experts discuss some eye-popping real-world examples – and how to defend against them.
THE JOB APPLICANT
The ruse: A résumé lands in an inbox at an energy company. The body of the email makes the candidate look legit; it uses industry lingo like “PLC based control systems,” mentions specific equipment and even works in some common job-applicant jargon like “multi-skilled controls engineer with experience in hands-on project-based work.”
The reality: That email, and many more like it, was part of an extensive international hacking campaign to infiltrate energy infrastructure in the U.S. and other countries. In this case, opening the attachment triggered a Windows vulnerability that attackers often use to steal the victim’s credentials, according to the U.S. Computer Emergency Readiness Team.
The defense: Don’t accept or open files from unconfirmed sources. With documents like job applications, it’s best not to accept them through traditional email at all, said Mark Orlando, chief technology officer at Raytheon Cyber Protection Solutions.
THE PHONE CALL CON
The ruse: A catering company gets a call from a potential customer. After a few questions, the customer agrees to send an order by email. The caterer opens the attachment.
The reality: There was no order. The attachment had one purpose: injecting malware that probed the caterer’s network and harvested customer credit card numbers. This one is especially sneaky because the attacker primed the target by calling ahead. In a similar case, a customer complaint emailed to a national restaurant chain turned out to be a trap set by the international hacking group Fin7, now implicated in attacks on more than 100 U.S. companies, particularly restaurants, casinos and hotels.
The defense: Businesses should use email services with built-in malware protection and keep operating systems and security software up to date. But even the best defenses can fail, Orlando said, which is why segmenting networks is so important.
And, as with job applications, a web portal for orders reduces the risk of opening an infected attachment. Bottom line: no matter how sophisticated your company’s defenses, check the sender’s address before you open any email. Make it a habit. Do it every time. One changed letter can be the difference between a colleague and an attacker who now has access to your company’s private information.
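To show what the advice to check the sender’s address and to distrust unconfirmed attachments looks like when automated, here is an added example written for this page; it is not Raytheon’s tooling or code from the article. It parses one raw message and flags a sender domain that merely resembles a trusted one (look-alike character swaps such as “rn” for “m”, one- or two-character typos, or a trusted brand buried inside a longer domain), a Reply-To that points somewhere else, and macro-enabled or executable attachments. The trusted-domain list, the homoglyph table and the sample résumé message are all assumptions constructed for the demo.

```python
"""Added example (not from the article): flag spearphishing tells in a raw email."""
import email
from email import policy
from email.utils import parseaddr

# Assumed: domains the organisation genuinely exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}

# Character sequences that look alike in many fonts (illustrative, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Attachment types that run code or carry macros when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
                    ".docm", ".xlsm", ".pptm"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Map look-alike sequences to the letter they imitate (exarnple -> example)."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` impersonates, or None when it is
    genuinely trusted (including subdomains) or simply unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        if fold_homoglyphs(domain) == fold_homoglyphs(trusted):
            return trusted                      # exarnple.com, examp1e.com
        if edit_distance(domain, trusted) <= 2:
            return trusted                      # exmaple.com, example.co
        brand = trusted.split(".")[0].replace("-", "")
        if brand in domain.replace("-", "").replace(".", ""):
            return trusted                      # example.com.mail-login.net
    return None


def analyze(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain!r} looks like trusted {target!r}")

    if msg["Reply-To"]:  # replies silently routed to a different domain
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} is a {ext} file, which can run code")
    return findings


# Constructed sample, modelled on the job-applicant lure (assumed, not a real message).
SAMPLE_EMAIL = """\
From: Jane Smith <jane.smith@exarnple.com>
Reply-To: Jane Smith <careers@mail-login.net>
To: hiring@example.com
Subject: Multi-skilled controls engineer - resume attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Please see my resume attached.
--sep
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="resume.docm"
Content-Disposition: attachment; filename="resume.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--sep--
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run it as a script to see the three warnings for the sample, or call analyze() from a mail-gateway hook. The edit-distance threshold and the brand-substring check are heuristics: short trusted domains and legitimate third parties whose names contain your brand will produce false positives, so treat a hit as a prompt to verify the sender out of band (a phone call to a known number, not a reply to the email), not as an automatic block.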
Cyber attackers have become better than ever at posing as colleagues, customers, job-seekers and others to trick victims into opening malware-infected attachments.
SPEARPHISHIN’ STORIES: THE RUSES THEY USE TO REEL YOU IN, REVEALED
