Spear phishing emails are highly effective and have been the cause of many successful hacking attempts. Unlike a regular phishing email that could be sent to thousands or millions of recipients, a spear phishing email is created to target just one victim. And if that victim falls for the bait, there is a good chance that they will turn over valuable information including network user accounts and passwords or confidential information such as bank account login credentials.
In an interview over at Business Insider, Ray Boisvert a professional ethical hacker for hire tells how he creates spear phishing emails.
He would scour LinkedIn looking for the least cybersavvy (company) employees, such as those who work in nontechnical areas and new hires unlikely to recognize an atypical email.
The infiltrator will then try to guess the employee’s email address by learning the format of a typical address for that company (e.g., [email protected]) and sending out messages repeatedly until they stop bouncing back.
After attaining the victim’s email address, the hacker looks to social media to learn as much as possible about his target’s professional background, friends, and general interests.
In this way, he can customize the phishing email as much as possible — even posing as one of the victim’s closest friends (profile picture included) — to make it look familiar and increase the odds that the target will trust it.
Clearly social media is a treasure trove of valuable information that can be used to help create spear phishing emails. Make sure your employees, customers, family and friends understand how these email are created and targeted at individuals. Steps to help prevent phishing scams include:
- Minimize the amount of information shared on LinkedIn, Facebook, Twitter and other social media sites
- Raise awareness of what phishing emails are and how to spot them
- Instill some fear or concern into employees, family and friends so they will at least question the validity of emails