Spear-phishers will ruin your life. Here's how to foil them
Many scam emails feel impersonal. The foreign prince keen to share his wealth in exchange for inconveniencing you with a bank transfer was also keen to share the opportunity with your family, accountant and the chatty chap behind the supermarket deli counter. You may have seen the same email shared on social media, along with a derisive, “Seems legit, LOL”. But hold off on that cavalier attitude: cyber criminals are coming after you—yes, you—with targeted precision.
The term to remember is “spear phishing”. This should not conjure up images of a bearded Tom Hanks marooned on a desert island. It is a hacker technique in which scammers send an email containing a malicious link to a targeted individual or group of individuals within an organisation. The email impersonates a person known to the recipient (perhaps a business partner, colleague or service provider), and is carefully crafted not to raise suspicion.
If the recipient clicks the link, the robbery starts. Your computer may be made to download malicious software that allows attackers to steal data (such as bank account details, credit card numbers and passwords). This can lead to immediate fraud. The stolen confidential information can also be the basis for further scams. Fake phishing emails are so authentic looking that they can appear to originate directly from Apple stores, bearing the same letterhead and communication styles that you have come to expect from the computer supplier. Other common ruses used by attackers include parcel delivery services, fake invoices and receipts for unknown purchases. All of these are designed to entice you to click on a benign-looking link, whereby a deceptive webpage will prompt you for your usernames and passwords.
At this point, the attacker will swiftly move through your digital life, dumping photos, correspondence and all manner of valuable data that may be used in further fraud or other unlawful schemes. In the worst case, an email attachment could be ransomware, a specific type of malware designed to encrypt everything on your computer or network. The attacker will then demand that you pay a fee to unlock what was once your data.
‘The point is not to live in the digital equivalent of Fort Knox. It is enough to be one of the least vulnerable targets in your neighbourhood’
The words to take note of here are “carefully” and “targeted”: these scammers are coming after specific people following chillingly precise research, checking out social media profiles and company websites to gain insight into their victim’s life. Without setting appropriate privacy controls, every post you make online can be used against you by professional fraudsters, even the seemingly mundane. That holiday you’re taking next week and haven’t stopped raving about on Facebook? This could be just the information a scammer needs to send you a malicious email regarding early check-in or advice on new flight allocations.
Spear phishing is the most commonly used form of these attacks, not least because of its success rate. Few people nowadays fall for random emails from generous-spirited Nigerian bankers. But they do not think twice when an email comes, purportedly from Sandra in sales, asking them to fill in a meal menu for the office Christmas lunch.
Typical cyber-criminals lack the smarts or sophistication needed to create advanced tools. But they don’t need to. For around $200, they can purchase or rent advanced phishing kits that automate the process for them, tricking users into giving up their valuable all-access credentials. The most rewarding targets are Apple iCloud services that enable users to access and manage their Apple products remotely. These are undeniably handy. But they are not just convenient for you—cyber criminals love them too. People store everything from emails, documents and photos in iCloud, and it all becomes available to a successful attacker. Minimal effort, maximum reward.
Popular crimeware kits such as AppleKit and Prokit are not only plentiful. They come with support programs that rival the kind of service customers might receive from legitimate online retailers. Buy one and you can expect your very own cyber-crime account manager, willing to help you tailor the tools and plan of attack to increase your chances of success.
To spare yourself from being speared, the simplest and most effective defence is to enable two-factor authentication (2FA). This will mean that to log into your important accounts, such as iCloud you will need more than just a password—you will also need a code, sent to or generated from your phone (you can print out spare codes and keep them in your wallet in case your phone battery dies). Enabling 2FA creates a huge extra level of difficulty for the attacker: it is no longer enough just to get the victim to click on a link and steal the password and login. Faced with that, most crooks will move on to another, easier target.
In addition to enabling two-factor authentication, you should ensure that all software, such as your computer and phone’s operating system, is updated regularly. Do not ignore those annoying messages: be grateful for them and follow the instructions (you can set your phone and computer to install updates automatically). Forget passwords: use an easier-to-remember “pass phrase” such as “I read Standpoint magazine 10 times a year”. Install an anti-virus or security package to ensure that your systems are regularly swept for any malicious code.
None of this guarantees total security. But as with deterring physical burglary, the point is not to live in the digital equivalent of Fort Knox. It is enough to be one of the least vulnerable targets in your neighbourhood.