They Know Who You Are
March 15, 2019
Nearly every week, we see cyber attackers target specific Biola employees using personal information they find online.
Check out this video to see how a sophisticated attacker could attack an organization by targeting one employee:
Targeted Attacks
While some attackers send out large-scale phishing attacks, hoping that random, unsuspecting people will take the bait, other attackers make it more personal by targeting a specific individual or organization. We call these targeted attacks, or "spear phishing."
To target a specific person, attackers need to collect enough detailed information to either pose as or trick that person. They search the Internet for any information that you or your employer have made publicly available.
Here are some examples of personal information that attackers can find with enough research:
- Full name
- Email address
- Location
- Employer
- Job title
- Friends
- Interests
- Communication style
Targeting Biola Employees
The most common targeted attack we see at Biola is executive fraud (also called business email compromise, or BEC), where the imposter poses as a trusted authority and tries to trick someone into sending money.
Imagine getting this email from a director at Biola:
From: xxxxxxxxxx@biola.edu
Sent: xxxxxxxxxxxxx
To: xxxxxxxxxxxx
Subject: Get back to me!
Abbie,
I'll need you to initiate a wire transfer to a vendor today let me know if you are available so i can forward the beneficiary details immediately
Kind Regards,
This is a real email from an imposter impersonating a Biola director. Abbie knew this director well, and the message seemed legitimate.
She immediately replied and asked for the payment information. Note the imposter’s response:
From: xxxxxxxxxx@biola.edu
Sent: xxxxxxxxxxxxx
To: xxxxxxxxxxxx
Subject: Get back to me!
Abbie-
Thanks for getting back to me. I'm having a busy day got series of meetings lined up. Below is the account information to the vendor, kindly do a bank deposit payment of $1,750. It's to cover for administrative expense. When you are done with the deposit do please send me a copy of the payment slip as an attachment. I send you a copy of the invoice for your record once my day ease up.
Vendor's Name: [xxxxxxxxxxxxx]
Bank Name: [xxxxxxxxxxxxx]
Account Number: [xxxxxxxxxxxxx]
Routing number: [xxxxxxxxxxxxx]
Account Address: [xxxxxxxxxxxxx].
Thanks
[xxxxxxxxxxxxx]
If you are being asked to send money or buy something, always confirm with the requester over the phone or in person. By claiming to be tied up in meetings all day, the imposter both created a sense of urgency and gave Abbie a reason not to call, hoping she would skip that check.
It worked. Abbie submitted the wire transfer.
Thankfully, the bank rejected the transfer, so no money was lost. The scam was only discovered when Abbie spoke with the actual Biola director about the banking problem.
In this example, the attacker researched a Biola employee online: her position (director) and the contact information for someone who worked with her. The attacker also learned about their working relationship (handling money transfers), and the director later reported that the email matched her communication style and sounded like something she would say. During our investigation, we identified the website the attacker had used to gather information about Abbie and the director.
What were the clues that flagged this as a scam?
- The initial request was vague and unprompted.
- The urgent “Get back to me!" subject line was intended to cause alarm.
- The messages contained a number of grammatical errors.
- The attacker tried to get Abbie to act without further discussion.
Note: You may have noticed that the email came from an @biola.edu address. That made it look legitimate rather than like phishing, but in this case the attacker forged the sender address. Forging the From address is easy and common in these attacks, and a familiar domain in the From line is not by itself proof of who sent the message; the sender's mail server has to authenticate it (SPF, DKIM and DMARC) and the receiving server has to act on the result.
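The clues listed above (an unprompted money request, urgency, an excuse not to be reachable, and a forged sender address) can be checked mechanically. The script below is an added example, not part of the original article or Biola's tooling: it parses a message, reads the receiving server's Authentication-Results header for SPF/DKIM/DMARC verdicts, compares the Reply-To domain with the From domain (a common BEC trick that the article does not describe), and looks for the money, pressure and unavailability phrases the fraud relied on. The two sample messages, the example.edu addresses and the phrase lists are constructed for illustration.

```python
"""Score an RFC 5322 message for the business email compromise (BEC) clues above.

Added example: the samples, addresses and phrase lists are constructed, not real captures.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Phrases the fraud above relied on: a money request, pressure to act now,
# and an excuse for why the "director" cannot be reached by phone.
MONEY_PHRASES = ("wire transfer", "bank deposit", "routing number",
                 "account number", "payment slip", "beneficiary")
PRESSURE_PHRASES = ("get back to me", "today", "immediately", "urgent", "asap")
UNREACHABLE_PHRASES = ("in meetings", "busy day", "can't talk", "cannot talk")

# Constructed fraud sample modelled on the exchange described in the article.
SAMPLE_FRAUD = """From: Director Name <director@example.edu>
Reply-To: Director Name <director.name@mail-lookalike.net>
To: abbie@example.edu
Subject: Get back to me!
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=example.edu; dkim=none; dmarc=fail header.from=example.edu

Abbie,
I'll need you to initiate a wire transfer to a vendor today let me know if you are
available so i can forward the beneficiary details immediately. I'm having a busy day
got series of meetings lined up.
Kind Regards,
"""

# Constructed benign sample: authenticated sender, no money request.
SAMPLE_NORMAL = """From: Director Name <director@example.edu>
To: abbie@example.edu
Subject: Agenda for Thursday
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass header.from=example.edu

Hi Abbie,
Attached is the agenda for Thursday's meeting. See you then.
"""


def _domain(addr_header) -> str:
    """Return the lowercase domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(addr_header or ""))
    return m.group(1).lower() if m else ""


def _auth_failures(msg: EmailMessage) -> list[str]:
    """Collect every spf/dkim/dmarc verdict in Authentication-Results that is not 'pass'."""
    failures = []
    for ar in msg.get_all("Authentication-Results", []):
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(ar))
            if m and m.group(1).lower() != "pass":
                failures.append(f"{mech}={m.group(1).lower()}")
    return failures


def score_message(raw: str) -> dict:
    """Return {'score': number of indicators found, 'findings': [descriptions]}."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()

    findings = []
    failures = _auth_failures(msg)
    if failures:
        findings.append("sender not authenticated: " + ", ".join(failures))
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, phrases in (("money request", MONEY_PHRASES),
                           ("pressure to act", PRESSURE_PHRASES),
                           ("excuse not to be reachable", UNREACHABLE_PHRASES)):
        hits = [p for p in phrases if p in text]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("normal", SAMPLE_NORMAL)):
        result = score_message(raw)
        print(f"{name}: score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The Authentication-Results header only exists when the receiving mail server actually performs SPF, DKIM and DMARC checks and records them; without it the script can still flag the wording, but cannot say anything about whether the From address is genuine. A high score is a reason to pick up the phone, not proof of fraud, and a low score is not proof of legitimacy: a compromised real account passes every authentication check.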
Your Best Defenses
Here’s how you can defend yourself against targeted attacks:
- Scrutinize email messages carefully. If anything about the message seems weird, it probably is.
- Pause before opening any unsolicited attachment or clicking a link to a website.
- When a trusted person emails you asking for money or information, contact them through a known phone number or in person to verify that their request was real.