Targeted phishing is a malicious email attack aimed at a specific organization or individual in order to gain unauthorized access to sensitive information. Targeted phishing attempts are usually not initiated by random hackers; they are more likely to be carried out by attackers seeking financial gain, trade secrets, or military information. Like the emails sent in ordinary phishing attacks, targeted phishing messages appear to come from a trusted source. Ordinary phishing messages usually purport to come from a large and well-known company or website with a large user base, such as Google or PayPal. In targeted phishing, however, the purported source of the email is most likely someone from the recipient’s own company, usually someone in a position of authority or someone the target knows personally. Many company employees are taught to be suspicious of unexpected requests for confidential information. They are also told not to divulge personal information in response to emails, or click on links in messages, unless they are sure of the source. A targeted phishing message is therefore designed to persuade the recipient that:
The person’s request has a logical basis;
The source appears to be known and reliable;
The information in the message confirms its authenticity.
Familiarity is what makes targeted phishing attacks successful. Attackers collect information via the Internet, social networks and social media about potential targets, including their personal and professional relationships and other personal data. The attacker uses this information to craft a personalized message that appears authentic to convince the target to respond to the sender’s request.
The sender may request a direct email reply from the user, or the message may carry a malicious link or attachment that installs malware on the target’s device. Clicking the link or attachment may instead direct the target to a malicious website designed to trick them into providing sensitive information such as passwords, account details, or credit card numbers.
Social networks are fertile ground for targeted phishers. Hundreds of thousands of users regularly share personal information there, making them an ideal place to gather information about potential targets. But not every user is a target. Instead, bad actors seek out information about high-value individuals. The sensitive information they are after typically includes social security numbers, bank account passwords, and other identity data that lets the phisher access the targets’ accounts or commit crimes using their stolen credentials.
To identify valuable people on social networks, fraudsters use sophisticated machine learning algorithms that study text patterns and other details available on the sites. The technology narrows the pool of potential phishing targets down to the subset of individuals that most closely match the profile the attacker is after.
Once a subset of valuable targets is isolated, the attacker sends an email that is convincing enough to trick the target into opening an attachment containing embedded malware that collects personal information.
Targeted phishing can be harder to identify than ordinary phishing because it weaves personal data into messages that appear authentic. However, some characteristics common to phishing emails are also found in targeted phishing emails.
The sender’s email address is fake. The address looks like it comes from a trusted person or domain, but a closer look reveals a typo or the replacement of one alphanumeric character with another that looks very similar, such as the letter I replaced with the number 1.
There is a sense of urgency, especially when the request involves completing a task that is against company policy. Attackers create urgency to exploit the recipient’s desire to do good or to help. For example, by impersonating the target’s line manager, an attacker can request a username and password for an internal application in order to fulfill an urgent request from senior management quickly, rather than waiting for the information technology (IT) team to reset their password.
Poor grammar, typos, or unlikely wording appear in the body of the message. The content does not resemble other messages from the purported sender, the tone is too informal, or the jargon is inappropriate for the recipient’s geographic location or industry.
Businesses and their employees can make it difficult for targeted phishers to successfully attack.
Do not click on links in emails.
Contact the sender of the message via a separate communication channel to confirm the request.
Limit the amount of personal information that is published on social networks and other websites.
Identify suspicious links by hovering over them to verify that the actual URL matches the link’s anchor text and the email’s stated sender.
Businesses should ensure that their security software, such as spam filters, anti-virus software, and other advanced threat protection and security software, is constantly updated.
Use analytics to evaluate at least 12 months of the company’s inbound email history. Analytics software inspects email content, tracks suspicious email traffic to specific users or groups of users, and evaluates how users handle their email. By looking at historical data, companies can determine where security needs to improve.
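The forged-sender check and the hover check described above (a lookalike sender domain, and a link whose visible text names a different host than its real target) as detection logic a mail filter could run, added here as an example that is not part of the original article. The trusted-domain list, the confusable-character table and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this hypothetical organization trusts (assumed for the example).
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
# Lookalike characters mapped to one canonical form (the I/1 swap from the text
# plus other common pairs), so "examp1e.com" canonicalizes like "example.com".
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.translate(CONFUSABLES) == trusted.translate(CONFUSABLES):
            return trusted
    return None

def mismatched_links(html):
    """The 'hover' check: anchors whose visible URL names a different host than the real target."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        text = text.strip()
        if not URL_LIKE.fullmatch(text):
            continue  # visible text is not a URL, so there is nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown != urlparse(href).hostname:
            flagged.append((text, href))
    return flagged

def analyze_email(raw):
    """Run both checks on a raw single-part RFC 822 message and report the findings."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    body = msg.get_payload(decode=True).decode("utf-8")
    return {"imitates": lookalike_domain(sender_domain),
            "mismatched_links": mismatched_links(body)}

# Constructed sample message for demonstration (not a real capture).
SAMPLE = """From: "IT Support" <helpdesk@examp1e.com>
Content-Type: text/html; charset=utf-8

<p>Reset now: <a href="http://examp1e-verify.net/reset">https://sso.example.com/reset</a></p>
"""
```

Running `analyze_email(SAMPLE)` reports that the sender domain imitates example.com and that the one link's visible text points somewhere other than its real target.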
Security training for employees and managers can help reduce the likelihood of a user falling for targeted phishing emails. This training typically teaches employees how to identify targeted phishing emails based on suspicious email domains, links in the message, message wording, and the information requested in the email. All company employees should also be familiar with the process for reporting suspicious emails to the IT security team.
Security teams can create and present their own training materials or purchase training materials from vendors. The most effective security awareness training involves simulated targeted phishing attacks that let users practice their threat detection skills during a typical work day. Based on the results of these tests, security teams measure the effectiveness of the training.
An external audit is also useful, and most audit firms now offer social engineering audits that assess how internal employees handle critical information and IT assets. Given the widespread use of targeted phishing and other types of malicious activity, it is advisable for the IT or security team to arrange and fund an enterprise-wide social engineering audit by an independent audit firm at least twice a year. An external audit will identify gaps in corporate security and employee behavior so that vulnerabilities can be addressed.