Collin Burgess is IT Infrastructure Manager at MC Systems. “What they do is target persons who shop online, and send unsuspecting users email messages through an attack method termed ‘Spear-Phishing,’ which is a targeted attempt to steal sensitive information, such as account credentials or financial information, from a specific victim, often for malicious reasons,” he explained.
Mr Burgess said the attackers disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91 per cent of attacks.
“How you actually mitigate against this is most times non-technical. It will require you to evaluate your email, scrutinize the spellings of the emails, verify the source of the emails, and read the content of the email,” he advised.
He also advised users to be careful when downloading attachments, which sometimes contain malware that will infect their machines.
Mr Burgess noted that attackers mine social media platforms for personal information with which to launch an attack. He said it is important to limit the information you post about yourself on these platforms, including your email address and workplace.
Other tips to safeguard against these attacks include:
Frequently update your software: If your software provider notifies you that there is a new update, install it right away. The majority of software updates include security fixes, which can protect you from common attacks. Where possible, enable automatic software updates.
Do not click links in emails: If an organisation, such as your bank, sends you a link, launch your browser and go directly to the bank’s site, instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text, or the email’s stated destination, there is a possibility that it could be malicious.
Mr Burgess said many spear-phishing attackers will try to obfuscate link destinations by using anchor text which seems to be a legitimate URL. “Use logic when opening emails: If you get an email from a ‘friend’ asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that ‘friend’ or business outside of email, or visit the business’ official website to see if they were the party who actually contacted you,” he advised.
Implement a data protection programme in your organisation: Your data protection programme should combine user education about data security and best practices. Such a programme will also help to prevent data loss due to spear-phishing attacks. Midsize to larger corporations should install data loss prevention software to protect sensitive data from unauthorized access or egress, even if a user falls for a phishing scam.