We’ve all seen the easy-to-spot phishing emails in our inbox from time to time. They arrive unexpectedly, are often laced with errors, and more likely than not raise quick suspicion. Phishing emails are cast by criminals using a wide net. They are spammed out to recipients in bulk, thousands, if not hundreds of thousands, at a time. They work because a very small percentage of users “act” upon the request found in the emails by clicking, downloading or filling out forms designed to steal information.
Spear phishing emails are the inconspicuous inverse of the common phish. They are distributed not in batches of hundreds or thousands, but often as a single, carefully crafted message. They work because they are highly targeted to the recipient, with detailed information designed to obscure their malicious intent. Spear phishing attacks can be particularly harmful to organizations and institutions. While W&L does have threat intelligence solutions in place to help thwart spear phishing attempts, employees and students are the primary front-line defense.
The Detail of Publicly Available Information
Colleges and universities are a frequent target of spear phishing attacks. They’re particularly vulnerable because a significant amount of detail about a university is easily accessible online. Department names, job titles, calendar events, and important initiatives are readily available and can be mined from websites and social media accounts. W&L is no exception. Spear phishing emails may contain unique bits of detail, like colleague names, buildings, classes, and schedules. This specificity often gives the message enough credibility to convince the recipient to click a malicious link or open an attachment containing malware.
Spear Phishing Attacks Can be Event Driven
Criminals may use dates and events tied to an organization to “time” their attack. W&L employees and students should be aware that messages associated with the COVID-19 response, spring break, graduation and the university naming decision are all potential events that attackers could use to trick a recipient in a spear phishing attack.
How Can You Help Prevent Spear Phishing Attacks?
- As a baseline, never click links in suspicious emails. Simply knowing that spear phishing emails are designed to minimize suspicion can keep you cautious and aware.
- Always report suspicious emails to the ITS Helpdesk.
- If you’re unsure about a link in an email, call the sender to verify.
- Be aware that publicly available information about you and the university can be used in a spear phishing attack.