When CNN reported that a “prankster” in the UK had managed to spear-phish White House officials, we wanted to share few thoughts about online security, spear-phishing and avoiding the sharp end of that awful spear.
Spear-phishing is tricky
“Phishing” is a broad term for when a malicious actor impersonates a legitimate one in order to trick you into giving up sensitive information such as passwords, account details or credit card numbers. It generally casts a wide net.
“Spear phishing” is more targeted, hence the name, and uses personal details to trick you. It’s more sophisticated, and, unfortunately, research shows that it works.
Reviewing the White House email messages posted online reveals the sender used details about previous meetings and conversations to make themselves sound legit, and it worked. In this case, this information could have been culled from media coverage.
The rest of us who aren’t in the public eye still need to be sharp. We share personal information on social media accounts, professional networking sites, blogs, comments and so on. Clever perpetrators can use this seemingly innocuous information to their advantage.
Verify before sharing personal information
This can’t be overstated. Today, more and more of our sensitive information is stored online, and we all need to do our part to thwart attackers and protect ourselves. Protecting our logins is critical. It’s up to all of us to look out for scam websites and suspicious links.
If there’s something “phishy” about a message, try confirming through another method like a phone call, text or asking in person. Though he didn’t share his password or other highly secure information, Homeland Security Adviser Tom Bossert did pass along his personal email, unsolicited, because he trusted the message despite it being flagged by his email system. This brings us to our next thought.
When your email system flags a message as suspicious, you should…be suspicious
It stands out that at least one of the fake messages arrived flagged as [SUSPECTED_SPAM] by Bossert’s email service. That should be an immediate red flag to double-check where the mail came from before trusting it.
“Sometimes there are false positives, but it’s worth having an IT person check it if you don’t know how to do it yourself,” said Dave Miller, Mozilla Network Administrator. “This is especially true when a message gets spam-tagged, and it’s seemingly an ‘in-company’ mail, from someone in the same organization as you.”
Avoid the hook
Whether or not you’re being “pranked” or phished, if someone is provoking you over email, it’s best not to take the bait. Don’t respond to spear-phishing efforts. Mark the message as spam, forward it to your IT department or your email provider and move on.