Spear phishing attacks, email scams tailored to trick you because of your role at UD, are rising dramatically. We are not alone; spear phishing is increasing across the Internet. In fact, here is a report we received from another university:
Other universities are reporting seeing this simple, yet surprisingly effective, spear phishing scam.
Note that the hacker took the time to learn the names of the vice president and president, making this scam more believable, more likely to be replied to with the confidential information requested.
At UD, we’ve seen spear phishing that uses logos scraped from our business partners’ websites or from UD sites. We’ve seen spear phishing that uses terminology about UD scraped from our websites. We’ve seen spear phishing in response to specific news or press releases about UD—for example, when we first set up VOIP.
Here’s how the FBI defines spear phishing:
Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive…. [C]riminals need some inside information on their targets to convince them the e-mails are legitimate.
(“Spear Phishers: Angling to steal your financial info.” FBI. April 1, 2009. http://www.fbi.gov/news/stories/2009/april/spearphishing_040109)
Spear phishers use information scraped from public Internet information about individuals or organizations to craft email scams tailored to trick you into surrendering private information. They do such a good job making the email look “individualized” or tailored to you that your spam filter may miss it and you may believe the alleged threat and click a link in the email.
Sometimes your information is the ultimate target; sometimes your information or computer account is a means to a bigger prize. As the two news stories linked below indicate, when an employee falls for a spear phish, the consequences can be catastrophic:
- Omaha’s Scoular Co. loses $17 million after spear phishing attack
- ‘Spear Phishing’ Attacks Infiltrate Banks’ Networks: Hackers in Russia, China, and Europe used malware-laced emails to bank staffers to penetrate banks’ systems and steal money.
For more information about spear phishing attacks, review this 2012 white paper from FireEye (pdf).
Be vigilant. If you receive email that looks suspicious, don’t click any links contained in the message. You can report the message to the IT Support Center using the Report a Phishing Scam page as a guide.