A Summer Season of Spear Phishing

Spear phishing: A cyber attack typically sent via an email message that appears to come from a trusted source and requests that the victim take some kind of action. The actual attack might be hidden in Web links in the email or in an attachment, and the sender likely knows enough about the intended target to fake messages that seem more real than spam. The goal: Collect personal information or information about an agency.

If this scenario sounds familiar, it should — these kinds of scams have been around for more than a decade. The FBI has been warning the public since at least 2009.

Presumably, savvy users — and savvy offices — have protections in place. But just as technology has improved, so have the techniques of nefarious actors. And no one is safe — not when the U.S. is accusing Russia and China of separately hacking major federal government installations, including the White House, the State Department and the Pentagon — all of which occurred just this year, the most recent a few weeks ago.

For the first set of attacks, experts told CNN they believed that the scammers obtained access to the account of someone in the State Department. That was enough to gain a foothold to send seemingly trusted emails to others in the government, and start seeding the attack. The breach was apparently discovered when the White House picked up on strange activity in a network that wasn’t classified, and codes seemed to tie the problem, via several servers, back to Russian hackers working for the government there.

The Pentagon shut down the entire email and Internet service of its unclassified system for about two weeks in July, after that email system was hacked. NBC News reported that Russia was the likely culprit. There have also been reports of terrorists, such as ISIS, using sophisticated spear phishing attacks against Syrian interests — and fears that energy providers globally may be next.

This is an example of a convergence of insider and outsider threats. An insider threat, whether accidental or malicious, is someone inside your organization who knowingly or unknowingly reveals information that can be used in an attack against your business. An outsider threat is an attack that originates outside the organization. In these spear phishing cases, an insider releases information, often unknowingly, that outsiders can use to lure others into an email trap.

The fix for this isn’t easy. It’s no longer enough to simply look for obvious scam notices from a Prince of Nigeria, or to warn employees not to click links in strange emails. Staff need to understand what they’re facing, what precautions they should take, and what to look for. It’s vital to understand the ties every vendor has, no matter how innocuous the person, the job, or their associations may seem. One person, with one page from an employee’s personnel file that was tossed in the trash, has the potential to throw a phishing line into your whole system.
