Diving into Spear Phishing: Learning how to spot a scam
Recently, we were able to coordinate our busy schedules (no easy feat!) and come together as a team for a dynamic training session with Cyber Griffin, City of London Police’s initiative to support businesses and individuals in the Square Mile to protect themselves from cybercrime.
Our session, focused on Spear Phishing, was run by Tom, an experienced Detective who had expert insight on this type of crime and the criminal structures that it takes to perpetrate it successfully.
As we learned, Spear Phishing is where a cybercriminal is deliberately attacking a specific person or business and has crafted an email containing personal information to make them click. Information about the victim can be obtained from platforms such as social media to make the scam more convincing.
Sounds pretty scary, right? But don’t worry – there are ways to defend yourself and your business against these types of attacks. Through awareness and training, we can ensure that these attempts, rooted in the principles of social engineering, are caught before they have a chance to progress.
Just read on and we’ll tell you how!
Uncovering the Crime
Without giving away too much (no spoilers please!), the session focused on a real-life case study of an investigation that Tom himself had been a part of. This gave our team the unique opportunity to get a peek behind the curtain of an incredibly dynamic, global-scale investigation, as well as gain a better understanding of the emotions and passion of the law enforcement officers whose job is to bring these criminals to justice.
The investigation was sparked by a simple Tweet, alerting a named business that one of their high-level executives may have fallen victim to a phishing attempt. From here, it was discovered that the staff member’s email login information was part of a huge online data dump, suggesting that there were potentially thousands of victims in this case.
Police were able to connect with another potential target through the information found in the data dump, and learned that multiple businesses had already lost money to the scammers as they’d been sent convincing invoices with time-sensitive bank transfer requests that eager personnel had happily satisfied.
Throughout the session, we were challenged to think about what we would do in a similar situation – how would we react, who would we believe, and when would we report the incident to law enforcement?
The criminals had used a variety of legitimate business tools to build their enterprise – the invoices looked “right”, the servers and software were the same as most organisations would use – there were very few obvious clues that anything was amiss, particularly if you’re not trained in what to look out for.
“It’s made me think differently about how I approach online security and made me examine my own assumptions about what a suspicious communication looks like.” - Tierney, Marketing Manager
Targeted at Random?
It’s important to note that these seemingly random attacks can actually be highly targeted, with the criminals investing a lot into research as well as legitimate tools which boost the likelihood of success for their operation.
Tom showed us how the phishing gang had used credit cards to purchase a list of leads, something that many sales-focused businesses do regularly and therefore not hugely suspicious in itself. They could then go on to use social networks to investigate the group of people that surround each target on the lead list, giving them greater insight on who their target might regularly interact with, and therefore who they would be most likely to accept a request from.
The target email account having been successfully infiltrated, the perpetrators could then use this trusted email address to ask for funds via bank account transfer, a technique which ultimately netted them millions in stolen funds.
What we’ll be doing differently in future
One simple strategy we learned about that can help to protect organisations against this type of attack is called an “I will never list”.
“Definitely an eye opener! It shows how important it is to report these things, as every little report can lead to something bigger, which is why we go around reminding people to report.” - Hannah, Customer Relationship Manager
An “I will never” list sets expectations out upfront, so your colleagues and employees will immediately spot red flags when they pop up. It serves to clarify your processes and personal behaviours, so that your colleagues will know when a request is out of character and can then stop any phishing attempt in its tracks. It also means that you can’t be manipulated by any AI-driven deep fake technology, which may very convincingly emulate the style of writing or even voice of high-level contacts withing your organisation.
So, what’s on our list? Well, that would be telling! But it might say things like:
- I will never ask for transfers over £X without prior discussion
- I will never ask you to use your own money or credit cards for business purchases
- I will never call you by anything other than your first name in emails
How to protect yourself against a Spear Phishing attack
In addition to the “I will never” list, there are some simple checks that you can undertake yourself with any suspicious email that enters your inbox:
- Verify the email address it was sent from.
- Look out for minor spelling differences such as the subtle change of an o to 0.
- Call the sender on a known, reputable number, not the number in the email.
- Use privacy settings on your social media channels.
Remember that it’s always better to be overly cautious than to regret any inattentiveness after the fact!
You can also catch up with our webinar on how to protect yourself against phishing here for practical, actionable advice that you can put in place today.
Staff Training from Cyber Griffin and CRC for London
As well as training sessions like the one we attended, Cyber Griffin also run regular Baseline Briefings to help you keep abreast of the latest threats.
We found their insight incredibly valuable, and our staff said, “it was a good balance between interaction and explanation” and “it increases our knowledge and improves the way we deliver it to the community” - so we’d definitely recommend!
You can find the event schedule and book your place here.
The Cyber Resilience Centre for London also provides Security Awareness Training sessions through our Cyber PATH student initiative. Just get in touch for more information.