This article, part of Penn State’s ongoing Secure Penn State series, explores the growing threat of spear phishing as well as tips on how to protect personal and institutional information from these scams.
As cybercriminals seek new ways to steal personal and institutional information, it’s important to understand how to protect yourself from these increasingly sophisticated tactics. A growing trend in cybercriminal activity is spear phishing, a newer breed of phishing scam that uses personalized, corrupted emails to gain unauthorized entry into an organization.
What is spear phishing?
Unlike traditional phishing scams that might be sent to a large group of unrelated individuals, spear phishing scams are highly targeted and personalized to one person or a few people who share a connection, such as working in the same office.
According to Richard Sparrow, the acting security operations manager of Penn State’s Office of Information Security, spear phishing is particularly dangerous due to the patience and attention to detail hackers invest in these scams.
“Spear phishing usually consists of a really well-crafted message after the hackers have done social engineering and research,” Sparrow said. “They usually study an individual or organization enough to know that if they send an email focused on a particular topic, that individual or one or more members of an organization are going to take the time to look at it.”
According to Sparrow, phishing techniques have come a long way since the well-known scam of a foreign prince trying to initiate a funds transfer. By using publicly available information online (for instance, social media accounts), hackers might spend months monitoring a group of individuals in order to collect data and craft a highly convincing message.
“If hackers know somebody went to a conference, they might send an email saying ‘It was nice meeting you at the conference. Here's that follow up information,’ and they'll attach a PDF document,” Sparrow said. “The problem is, the PDF document might have an object embedded in it that causes the computer to become infected with malware when opened.”
By attaching corrupted files or including links to malicious websites via these fraudulent emails, hackers can infect systems with malware and viruses that can steal your personal information while also putting an entire organization at risk.
For example, in 2011, the security firm RSA fell victim to a spear phishing attack when a targeted group of employees was sent corrupted email attachments titled “2011 Recruitment Plan.” When one of the employees opened the corrupted file, cybercriminals leveraged an undetected software vulnerability — also known as a zero-day exploit — to steal valuable information from the organization.
“Once these criminals gain access to an organization, they can watch an employee’s email and see if that person communicates with any other people of interest,” Sparrow said. “Then they can pivot and work their way up the chain until they get to whatever they need to accomplish their goals.”
How to protect yourself
There are a few steps you can take to protect yourself against spear phishing scams, according to Sparrow.
If you receive a suspicious email, your first course of action is to report the incident to the Office of Information Security.
Sparrow also suggests asking yourself, “Was I expecting this file from this sender?” before downloading any email attachments. It never hurts to confirm an attachment’s legitimacy by calling the sender or a company representative, but avoid using contact information provided in the suspicious email as these may be owned or compromised by cybercriminals.
Additionally, avoid clicking on any links included in an email. Instead, hover your cursor over links in order to see where the URL directs to.
Sparrow also stresses the importance of using security features like two-factor authentication (2FA) on personal and Penn State accounts to prevent cybertheft or account compromises. This added security measure helps avoid the possibility of unauthorized access to your accounts, and it can help minimize damage if you do fall victim to a spear phishing scam.
While Penn State requires all faculty and staff to use 2FA to access sites protected behind WebAccess, you’re also encouraged to use the service on other online personal accounts for added security.
You should also enable other security features like antivirus software and firewalls, which Penn State students, faculty and staff can download for free on personal and University-owned computers.
Be sure to keep these security features as well as your operating system and third-party software like Adobe Flash, Java and internet browsers up to date, as older software is more vulnerable to being exploited by cybercriminals.
Lastly, create strong and unique passwords for each online account. In the event one of your accounts becomes compromised, using unique passwords can prevent cybercriminals from gaining further access.
For more information about cybersecurity at Penn State, visit the Office of Information Security’s website. For tips on creating strong passwords, boosting mobile security and backing up data, visit Penn State’s Online Safety and Security website.