Small Business Attack – Spear Phishing
Imagine that you own a company. You are responsible for the financial lives of hundreds of people. If you make a mistake, you may have to let some of them go or, worse, lose the entire company and put them all out of a job. This fact doesn’t really keep you up at night, but it is a valid concern, so when you receive an email that reads:
“High Priority: Subpoena issued for YourCompany in case against YourClient”
Naturally, you’re a bit concerned as you do a lot of business with YourClient, and you open the email. Inside, you see your name, your business’s name, your address and phone number and a brief explanation that there is a disagreement between two of your clients and you have personally been asked to court. Then there is a link at the bottom that reads:
“For more information and to schedule your appearance at the trial, please click here.”
You’re probably going to click, aren’t you? After all, if you don’t show up, you could personally be found to be in contempt and in either case, your business will be impacted. It would make the most sense to click the link, get all the information you need and then call your lawyer, right?
Well, bad news. You’ve been spear phished. Some attacker found your information online and constructed an email filled with completely reasonable information all in an effort to fool you into clicking on that link. Sadly, now that you have, odds are that someone on the Internet has your passwords, access to confidential documents and yours (and possibly the company’s) bank accounts. Worse, this information is in the hands of someone that knew you well enough to hand craft an attack against you, so odds are that the information is going to be used.
This is the problem with spear phishing. It’s targeted to high-profile people. Odds are that it won’t get picked up by anti-spam filters, as it is designed to look completely legitimate. It also won’t pass by the security people’s view, as there are likely people who get email so confidential that even the security people can’t see it.
So, in effect, this is a threat that bypasses all of our checks. What are we going to do about it?