According to threat intelligence firm CloudStrike, Chinese cyber spies have been targeting think tanks, ostensibly to obtain information on the potential disruption of Chinese oil interests in Iraq. Spear-phishing, the act of sending an e-mail tailored to a specific individual (as opposed to e-mails sent out en masse to many different individuals, which is simply “phishing”) to fraudulently induce them to give away personal information such as their e-mail password, is hardly a new tactic; nor is the Chinese government the only group which has been accused of using it. In February 2014, the Syrian Electronic Army hacked into Forbes using the same tactic. In many cases, the true perpetrator of an attack is unclear, especially when Internet traffic is routed through the accused country.
I’m going to leave the finger-pointing to governments and the private firms that investigate such attacks. I will instead focus on how you can protect yourself against such attacks. While it is commonly used against government officials, large corporations, and political activists, spear-phishing can also be used by single criminals against private citizens. Late last year, a man was jailed for stealing £393,000 from 238 UK students.1 Thus, you do not have to be a public figure to be a target. Here are some tips on how to recognize and prevent phishing and spear-phishing attacks:
1. Use bookmarks to access sites that you visit regularly. For example, if you get an e-mail notification from someone claiming to be your bank, don’t click the link. Instead, go to the bank’s site from your list of bookmarks. This way, you can ensure that the link you are using isn’t a fake page designed to steal your credentials.
2. Watch for e-mails that are designed to exploit human emotions such as fear, guilt, pity, or curiosity. The emotion can be used to distract or induce you into clicking a link where you are asked to enter your credentials.
Example 1 (curiosity): An actual natural disaster (e.g. typhoon, earthquake) has hit. Here is a link to some pictures.
Example 2 (fear): Your credit card has just been charged $1700. As a precaution, your bank account has been locked to protect against further fraudulent charges. Click here to confirm your information so your account can be reactivated.
3. Look at the timing of an e-mail: Did you request the information that was just purportedly sent by your friend? For example, if you just walked out of a meeting in which a trusted coworker told you to expect an e-mail with a link to a specific article in 5 minutes and you actually get such an e-mail, then it might be legitimate.
4. Know how to read a link. Before clicking a link, hover your mouse over it and make sure the site is legitimate. Always look for the highest-level domains. If your browser shows “http://”, then the highest-level domains are the groups of characters (separated by periods) immediately before the third slash. For example, in the following URL, the top-level domain is “com,” and the second-level domain is “nytimes“.
If you see a URL where the supposed sender’s URL does not match the top-level domain of the legitimate website’s URL, then it is probably a fake.
5. Keep your identities separate. If you are an individual, this is pretty easy. Just use different e-mails for different services. For example, you can use different e-mails for iTunes and for Amazon.com shopping. If using a different e-mail for each specific online service is too much trouble, you have two options: First, you can use a password manager to help you remember all those e-mails; just make sure you sign in every now and then so your e-mails don’t go inactive. Your second option is to organize services into logical groupings. For example, you might use one e-mail for school, one e-mail for work, and one e-mail for anything that involves using your credit card online. These options are not mutually exclusive.
A company or other organization may be able to prevent spear-phishing attacks by using an internal list of e-mails that are not shared with the outside world. To communicate with everyone outside the company, employees can use a different set of e-mails; e-mails that may be shared publicly. Thus, when spear-phishers research their target, they are likely to use the public e-mail instead. If such a system is in place, employees can safely assume that any messages received on the publicly shared e-mail that purport to be from a coworker are fake.
What benefits does separating your identities confer? Suppose you receive an e-mail claiming to be from your bank, but the e-mail was sent to your work e-mail. Since you never do any banking on that e-mail, you will immediately recognize the e-mail as a fake! In a sense, phishing is just another type of spam. Just as you can prevent getting spammed by not giving out your e-mail to certain people or organizations, you can prevent phishing the same way.
6. Verify the sender’s identity and intent through another verified channel before clicking any links or opening any attachments, or reply to the e-mail; e-mail is not a verified channel in many cases because you have no way of knowing who the sender is. For example, call your bank at a number you know to be correct (e.g. on the back of your credit card) when you receive an alarming message purportedly from them, or call your colleague to ask if they sent you that strange e-mail.
It isn’t enough for the sender’s e-mail to be legitimate. The sender could have spoofed their e-mail to match that of one of your trusted contacts. If you know how to read e-mail headers, you might be able to catch a spear-phishing e-mail this way. However, reading headers is not a foolproof method because the contact’s computer could have been hacked and the e-mail could have been sent while the computer was remotely controlled. In such a situation, even the e-mail headers would appear legitimate. It’s best just to call your contact or knock on their door.
7. Limit how much information you share about yourself or your organization online. In other words, limit your digital footprint; I blogged about this earlier. The more information spear-phishers have about their target, the easier it is to make their message appear genuine.
8. E-mail is not the only way phishing can be done. I posted about vishing previously, which involves fraudulently obtaining personal information over the phone. The weakest link is often the human, rather than the computer.
1. It is debatable whether this attack was specific enough to be a spear-phishing attack. Some definitions of spear-phishing include the targeting of groups, while others say that it targets an individual or a department within an organization. For the purposes of this post, the level of specificity is not terribly important; the tips I provided still apply.