Common spear-phishing tricks

To be ready for attacks targeting your company, information security officers need to know about received spear-phishing e-mails.

Virtually every employee of a large company comes across the occasional e-mail aiming to steal their corporate credentials. It’s usually in the form of mass phishing, an attack in which e-mails are sent out at random in the hope that at least some recipients will take the bait. However, the stream of phishing e-mails may contain one or two more dangerous, targeted messages, the content of which has been customized for employees of specific companies. This is spear-phishing.

Spear-phishing messages represent a clear sign that cybercriminals are interested in your company, specifically, and it may not be the only attack in play. That is a major reason infosec officers need to know if any employee has received a spear-phishing e-mail — they need to prepare countermeasures and alert personnel in good time.

That’s why we advise IT to check filtered e-mails periodically in search of spear-phishing, and to teach other employees how to spot signs of targeted phishing. What follows are a few of the most common tricks, with examples from some fresh spear-phishing campaigns.

Misspelled company name

The human brain does not always perceive the whole of a written word — it sees a familiar beginning and completes the rest by itself. Attackers can take advantage of this trait by registering a domain that differs from your company’s by just one or two letters.

A company name is missing a letter

The cybercriminals who own the domain can even set up a DKIM signature so that the e-mail passes all checks — it’s their domain, after all.

A valid DKIM signature in a spear phishing e-mail

Extra words in the company name

Another way to fool recipients into thinking a colleague is at the other end is to register a two-word domain, for example, to appear as a sender from a local branch or a particular department. In the latter case, cybercriminals tend to impersonate tech support or security personnel.

A word "Security" is added to company name

In reality, employees from every department should have a standard corporate e-mail address. No one ever sets up a separate domain for security personnel. As for local offices, if you’re not sure, check the domain in the corporate address book.

Specific content

A phishing e-mail mentioning your company (or worse, the recipient) by name is a sure sign of spear-phishing and a reason to sound the alarm.

Highly specialized topic

Strictly speaking, seeing those names doesn’t always mean a message is spear-phishing — it might be a variation on a mass-phishing scam. For example, phishers may use a database of conference participants’ addresses and play on the topic of the conference — that’s mass phishing. If they try to attack employees of a particular company in the exact same way, however, that’s spear-phishing, and thus security needs to know about it.

Finally, to be able to search for potential spear-phishing signs without diminishing the company’s actual security, we recommend installing protective antiphishing solutions on mail servers as well as on employee workstations.

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.