Phishing attacks are not new. The term has been used for some time to describe an attempt to gather electronic information from an unsuspecting user. Perhaps the most common form of the attack is an email that requests information outright, or that contains a link leading the user to a counterfeit site or executing hidden code on the user's machine.
However, a new technique for phishing has emerged. Dubbed “spear phishing,” it targets specific individuals or groups to gather information. The FBI documented spear phishing attacks in early 2009[1], and since then the frequency of spear phishing has grown, and the complexity and motives behind it have become more sophisticated and dangerous.
Like fishing, the phishing attack casts a line in the water, lots of them actually, hoping that some user will nibble on the bait. In other words, emails are sent to hundreds or thousands of users indiscriminately, hoping that a few will provide the requested information or click on the embedded link. Spear phishing, however, is much more targeted: emails are sent to a narrower, well-defined group, such as employees of a certain organization, those with accounts at a certain email site, or a group chosen by some other common criterion. This allows the attacker to construct the “bait” email with a great deal more care, so that it looks like a legitimate email the user has seen before.
There was a time when phishing attacks were avoidable just by remembering to never provide confidential information requested by email. Now, simply clicking on an embedded link can give the attacker all he or she needs to compromise you, steal your identity, or “own” your machine. The landscape has definitely changed.
The objectives are changing, too, and this makes spear phishing that much more dangerous. It's not just a credit card number or account password that the attackers are looking for these days, though for most of us, that would be bad enough. No, the newer spear phishing attacks have other motives. They will plant keystroke loggers and bot programs, and now even solicit an accomplice. That's right; the latest attacks are looking for a sympathetic insider to “join” the band of criminals attacking your enterprise.
As criminals become more sophisticated, users and security professionals must become more cautious and diligent to avoid becoming a victim. Here are a few of the practices that will reduce our susceptibility to a spear phishing attack.
1. Verify first. If you think the email may be a legitimate request, call the institution. Look up the number yourself and never rely on numbers or links provided in an email. Remember, legitimate institutions will never request personal information by way of email.
2. Enter the address yourself. Never follow a link included in an email. Instead, type a known good address into your browser, and make sure the address you are typing really is the institution's: look-alike names that differ by a single character, or that bury the real name inside a longer hostname, are a common trick.
3. Include phishing in your awareness program. Make sure users know the signs and how to watch for them.
4. Keep up to date. Ensure that your security program includes a process for keeping browser and antimalware applications up to date.
5. Step up passive monitoring. Review web proxy and DNS logs for suspicious access, for instance connections to newly registered domains or to hostnames that resemble your own or your partners' domains; a clicked spear phishing link usually shows up there first.
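Items 2 and 5 both come down to telling a legitimate domain from a look-alike, in an email link or in a web access log. The script below is an added example, not code from the original article or from the APWG: it checks the links in an HTML email for a visible address that does not match the real link target, and scans proxy log lines for hostnames that imitate a trusted domain (the trusted name used as a prefix of a longer hostname, the trusted name embedded in a hyphenated name, or a typosquat within two edits). The trusted domains, the log lines and their "timestamp client method url status" layout, and the sample email are all constructed for illustration.

```python
"""Flag look-alike domains in email links and proxy logs (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of the organization's own trusted domains (constructed).
TRUSTED_DOMAINS = {"examplebank.com", "examplecorp.org"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.examplebank.com' -> 'examplebank.com'.
    A rough approximation; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'examp1ebank.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    reg_name = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]                # 'examplebank'
        if trusted in host:                         # examplebank.com.secure-login.net
            return "lookalike"
        if name in reg_name and reg_name != name:   # examplebank-secure.com
            return "lookalike"
        if levenshtein(reg_name, name) <= 2:        # examp1ebank.com (threshold is a tuning choice)
            return "lookalike"
    return "unknown"


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_email_links(html: str) -> list:
    """Return (visible text, href host, verdict) for every link in an HTML email.
    'mismatch' means the text shows one host while the href points at another."""
    parser = _LinkExtractor()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            verdict = "mismatch"
        else:
            verdict = classify_host(host)
        results.append((text, host, verdict))
    return results


def scan_proxy_log(lines) -> list:
    """Return (timestamp, client, host, verdict) for every non-trusted host seen."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                                 # skip malformed lines
        ts, client, _method, url = parts[:4]
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append((ts, client, host, verdict))
    return findings


# Constructed sample data, not real traffic or a real message.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z 10.0.0.12 GET https://www.examplebank.com/accounts 200",
    "2024-05-01T09:12:41Z 10.0.0.12 GET http://examplebank.com.secure-login.net/verify 200",
    "2024-05-01T09:13:05Z 10.0.0.31 GET https://examp1ebank.com/login 200",
    "2024-05-01T09:14:00Z 10.0.0.31 GET https://news.example.net/ 200",
]
SAMPLE_EMAIL = (
    '<p>Please confirm your details at '
    '<a href="http://examplebank-secure.com/x">https://www.examplebank.com/login</a>'
    ' or <a href="https://www.examplebank.com/help">contact support</a>.</p>'
)

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print("proxy:", *finding)
    for result in check_email_links(SAMPLE_EMAIL):
        print("email:", *result)
```

The first email link shows a trusted address as its text but points somewhere else, which is reported as a mismatch before any look-alike logic runs; the proxy scan reports the prefix trick, the typosquat, and an unknown host, while traffic to the real site is ignored. A short edit-distance threshold like 2 will produce false positives on short domain names, so treat "lookalike" as a triage queue rather than a verdict.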
The Anti-Phishing Working Group (APWG), http://www.antiphishing.org/ has a number of other suggestions to help avoid becoming a phishing victim. Check them out today, and remember, in the cyber realm, nothing is quite what it seems.