by Phil Lin
A few weeks ago the U.K. government agency, Action Fraud, warned that cyber criminals were sending fraudulent phishing emails to Royal Bank of Scotland’s NatWest banking customers. The phishing emails stated that users must click on a link and update their personal information to complete a ‘security upgrade.’ The U.S. Commodity Futures Trading Commission (CFTC), the country’s top derivatives regulator, revealed it had also been attacked in almost the exact same manner by spear phishers. In this case, the major data breach resulted in the exposure of employee social security numbers and other personal information.
This series of unfortunate incidents happens all too frequently because phishing is still so effective. In fact, it’s becoming more difficult to tell legitimate emails from those seeking to infect systems and steal personal and corporate data.
Cyber criminals are actually employing “best practices” like email content personalization and brand impersonation. This means they include public information to make the email very compelling so that nearly anyone would open the attachment or click on the link. Some are so good at this that brand impersonation has become an art form, where criminals can accurately mimic bank alerts, online retailer updates on a delayed purchase, or shipping company delivery notifications that need your “urgent” attention.
So, how does a person keep their inbox safe from such emails at home and at work? Here are five tips for protecting yourself from becoming a spear phishing victim.
1. Realize You Are a Target
Most users now know to avoid replying to the Nigerian prince email scam, and not to click on URLs from unknown senders. As a result, cyber criminals are taking more time personalizing emails. Many of today’s major data breaches have started with the insider who accesses their organization’s network from an infected computer at home. The gist is this: If you use the Internet and read email, you run the risk of getting fraudulent email and becoming infected with malware.
2. Know Your Adversary’s Tricks
Successful cyber criminals do their research on you before sending out these emails. They comb through websites, blogs, and other social networking sites to get a sense of what sort of information might elicit a rapid response. For example, cyber criminals will use threatening subject lines and email content, such as “Your credit card has been suspended”, just to lure you into interacting with them. Don’t play their game.
In general, websites for banks, agencies, and alumni associations will never request personal information to be sent back via email. And, if you have to fill out a web form that requests personal information, consider going to the bank homepage by typing in the website manually into the browser, and updating your information that way. Otherwise, consider calling the organization and speaking to someone before changing personal information online.
3. Take Control of Your Online Presence
Try doing an online search on your name and see what sort of information is already available. For example, even if you have never posted your birth date online, all of those happy birthday wishes or party photos may give away that information. You can remove or hide those posts from search engines, and request those images to be removed or hidden as well. Also, if at all possible, do not store your personal information, like credit cards, on third-party sites.
4. Just Don’t Click It
Pay careful attention to any URL in HTML emails. The email text can be made to look like a URL link for your bank, but the actual HTML code has the malicious URL link embedded in it. That malicious link will likely take you to a website that looks nearly identical to the real site you would expect to see.
So, instead of clicking on it, open your browser and type the actual web address for the site into the address bar. It’s always a best practice to go to the website by directly typing in the site’s URL. Or, give them a call if you’re unsure.
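The mismatch described above, where the visible link text shows one site while the HTML href points to another, can be checked automatically. The following is an added example, not code from the original post: it parses an HTML mail body and flags anchors whose displayed domain differs from the real target. The bank and attacker domains in the sample are constructed, and the two-label domain comparison is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a URL or bare domain inside visible link text (added helper, not the post's code).
DOMAIN_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def registrable_domain(value):
    """Crude last-two-labels domain of a URL or bare host: 'online.example-bank.com' -> 'example-bank.com'."""
    if "://" not in value:
        value = "http://" + value  # let urlparse treat a bare domain as a host
    parts = (urlparse(value).hostname or "").rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_deceptive_links(html):
    """Return hrefs whose displayed text names a different domain than the link's real target."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)  # text like "click here" shows no domain, so nothing to compare
        if shown and registrable_domain(shown.group(0)) != registrable_domain(href):
            flagged.append(href)
    return flagged

# Constructed sample body: the first link displays the bank's URL but its href points elsewhere.
SAMPLE = ('<p>Please visit <a href="http://login.example-bank.com.evil.test/x">'
          'https://www.example-bank.com/security</a> to complete the upgrade.</p>'
          '<p><a href="https://www.example-bank.com/">Go to example-bank.com</a></p>')
```

Running `find_deceptive_links(SAMPLE)` returns only the first href; a real mail filter would replace the two-label approximation with a public suffix list.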
5. Ask for Stronger Security
More and more of our work and personal lives are conducted online. Even if you are meticulous about your personal digital identity, consider all the other organizations that have your data. Ask your company IT staff and vendors about how they are protecting the corporate network and the data that resides on their servers. Today’s defenses — anti-virus, IPS, URL filters, and next-generation firewalls — leave significant security holes in the majority of corporate networks.
Also, ask for help to protect your home network. Today’s work and home networks are often connected, whether by logging into the company’s web mail system from home, or using a VPN connection to tunnel into the corporate network.
However, with spear phishing attacks blending malicious URLs, infected attachments, and social engineering, traditional security has proven incapable of stopping malware from being installed and used to exfiltrate your data. So, be sure to ask about 360-degree security tactics that aim to stop inbound attacks, but also to block outbound data theft attempts.