As we’ve covered before, hacking isn’t usually the highly technical and sophisticated activity that is portrayed in movies. More often than not, it’s just old-fashioned trickery, mainly luring people to fake websites and capturing their sign-in credentials, or getting them to unwittingly download something that contains malware.
One such tactic is “spear phishing,” a targeted variant of ordinary phishing.
With a phishing scam, the hacker sends a fake email that is meant to look like it comes from a financial institution or a commonly used site like Amazon or a popular social media platform. These emails are typically sent to a general audience so the hackers can get as many people to bite as possible. Think of it as commercial fishing with a net. Phishing emails will say things like there has been unauthorized use of your account or some other emergency or that the recipient is eligible for something free. The fake emails will give people a link to click that will take them to a fake site.
Spear phishing emails are a bit different, but just as dangerous. Just as spear fishing in the real world is about targeting a single fish rather than catching many at once, a spear phishing email is written for one person or a small group, is personalized using details the attacker has researched, and tries to extract something specific from that target.
For example, a hacker might get the email address of a company’s CEO from the business’ website and then craft an email that is made to look like it comes from that CEO, sent to an employee who handles money or account access. Like a regular phishing email, it will try to get the intended victim to visit a fake website and input their credentials, or to pass along sensitive information like a password in a reply email.
According to the industry figures circulating at the time of writing, phishing and spear phishing attacks rose 65% between 2015 and 2016 and cost an average mid-size business $1.6 million. The FBI has said that phishing, ransomware and business email compromise cost companies worldwide over $5 billion, making them extremely lucrative for perpetrators.
You can find a plethora of statistics around the internet about the prevalence of these types of attacks. The best defense against them is knowledge for yourself, your employees and your customers.
What can you do?
The best way to deal with a spear phishing email is to delete it and not interact with it at all. Opening and reading it in a modern mail client is generally safe, especially if remote images are blocked. It’s when you click the links, open an attachment, enable macros, or reply to it that bad things can happen.
Spotting a Spear Phishing Email
Hackers are counting on people lacking diligence when it comes to their email communications. It only takes a minute to verify that an email is authentic, yet many people don’t take the time to do it.
First off, look at the “From” line of the email, and look at the actual address, not just the display name. If your CEO’s email is “firstname.lastname@example.org,” then anything other than that exact address (a free webmail account, a lookalike domain such as one with a digit 1 in place of the letter l, or an extra word in the domain) means the email did not come from the CEO’s account. Be aware that the reverse is not a guarantee: the From line is just text the sender types, so an attacker can put the real address there unless the company’s domain is protected by SPF, DKIM and DMARC and your mail provider enforces them. A matching From address is a good sign, not proof.
With general phishing emails like the example below, often the From addresses aren’t even close to where they say they come from. A dedicated hacker sending out highly personalized spear phishing emails is more likely to register a domain that looks similar to the one it is trying to mimic, or to set a convincing display name on an unrelated address.
If you are not sure that an email comes from a legitimate source, call or text that person directly to ask whether they sent it, using a phone number you already have rather than one given in the email.
If you only communicate with that person via email, you can start a brand new email to them asking them if they sent you the email you suspect might be fake. If you want to reference it, you can take a screenshot of the suspected email, but do not forward or reply to the email in question.
If you hover your cursor over a link in an email, somewhere on your screen (often in the bottom left-hand corner) you can see where the link really leads. The visible text of a link can say one thing while the destination is something else entirely, so compare the two. A link in a fake email will lead to an unfamiliar location that likely has no bearing on the real website it is trying to mimic. On a phone, a long press on the link usually shows the same information.
These links will take you to fake sites where you will be prompted to put in your sign-in credentials. That information is captured by the hackers and used to sign into your real account. From there, they may change the password and lock you out, demand money to give you access again, or quietly use the account to attack your contacts and customers. Turning on multi-factor authentication for your accounts limits how much a stolen password is worth to them.
Rather than clicking on any links, go directly to the site the email is trying to get you to visit by typing its address into a browser window. In our example, the recipient could type Amazon.com into a browser, sign into their account and check whether they actually have received a gift or reward from Amazon. In this case, when the person signs in, they will see that there are no gifts or rewards waiting for them.
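For readers who want to automate the two checks above (the From line and the link destination) on a raw email they have saved, here is an added example in Python using only the standard library. It is not part of the original article or of any product mentioned here. The message, the recipient domain `example.org`, and every address and hostname in it are constructed for illustration; the checks read the From and Reply-To headers, the SPF/DKIM/DMARC verdicts your mail provider stamps into the Authentication-Results header, and every link in the HTML body, flagging links whose visible text names a different site than the real target.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.org"  # assumption: the recipient's own mail domain

# Constructed sample: display name claims "CEO", the address is on a lookalike
# domain (digit 1 for letter l), SPF/DMARC fail, Reply-To goes to a webmail
# account, and the link text does not match the link target.
SUSPECT_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.org>
Reply-To: jane.doe.ceo@webmail.example.com
To: bob@example.org
Subject: Urgent: wire details needed today
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=relay.example.net; dkim=none; dmarc=fail header.from=examp1e.org
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob, confirm your login here:
<a href="http://login.secure-portal.example.net/amazon">https://www.amazon.com/account</a>
and reply with the wire details.</p></body></html>
"""

# Constructed sample of an internal message that passes every check.
CLEAN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.org>
To: bob@example.org
Subject: Lunch?
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
Content-Type: text/plain; charset="utf-8"

Lunch at noon?
"""

# Substitutions lookalike domains commonly rely on.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def normalize(domain):
    """Fold confusable characters so 'examp1e.org' compares equal to 'example.org'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", "") or "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs, the same information hovering shows."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def analyze(raw):
    """Return (finding, detail) pairs; an empty list means no red flags found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(from_addr)
    if from_domain != OUR_DOMAIN and normalize(from_domain) == normalize(OUR_DOMAIN):
        findings.append(("lookalike-domain", from_domain))
    if msg["Reply-To"]:  # replies silently diverted to another mailbox
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        if domain_of(reply_addr) != from_domain:
            findings.append(("reply-to-mismatch", reply_addr))
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(("auth-" + method, verdict))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if URL_LIKE.match(text) and host_of(text) != host_of(href):
                findings.append(("link-mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw) or "no findings")
```

Run it on a message saved as raw source (“show original” in most mail clients). Note that a clean report is only as good as the Authentication-Results header your own mail server adds; an attacker who can also forge that header, or a domain without SPF, DKIM and DMARC records, leaves the script with nothing to check beyond the lookalike and link tests.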
It is worth talking to your customers about how to avoid phishing and spear phishing scams, because hackers might use your company’s name as bait to trick your customers into giving out their personal information.
It is also simply good service to offer your customers, some of whom might not be internet savvy enough to spot the warning signs of a fake email. They will appreciate that you are helping to keep them safe online.
With some due diligence, anyone can verify an email and avoid getting caught in a phishing or spear phishing scam. One other way to keep your insurance agency safe is to use an agency management system that puts a focus on security.
Evolution Agency Management software has been tailored to be flexible, easy-to-use and, most importantly, secure. Your customers’ data will be safe with Evo. Please visit us to book a demo today.