Phishing is a cybersecurity attack where the perpetrator pretends to be a trusted source through an email.  The thief may masquerade as your bank or your favorite place to shop and try to trick you into entering your username and password into their fake sites.  Phishing emails are typically sent to large number of recipients with the hope that some percentage will fall for the fraud.

Spear phishing is a targeted phish that is focused on posing as a trusted individual — your boss, a trusted vendor or partner, or an employee.  Criminals select an individual target within an organization, using social media and other public information—and craft a fake email tailored for that person.

Recently we’ve seen a targeted spear phishing attack that has fooled some local HR departments.  Here’s a copy of a recent email that shows an innocent request “I need to update my direct deposit info please!”

The attacker’s signature and email name indicate the message is from the employee Bob Jennings, but that Gmail account is not Bob’s email!  Unfortunately this one worked and the hacker was sent funds intended for the real Bob.  ☹

What can you do?

HR should err on the side of caution and verify the authenticity of any unexpected email by contacting the apparent sender via phone or face-to-face. Aside from this focused diligence, it’s vital to train all staff to spot potential phishing emails.

Training is best done through a phishing simulation campaign.  Advanced Data has solutions for sending out fake, but innocuous, emails to all staff to test their phishing savviness.  If anyone is duped into clicking on the fake links, then the action is reported and the employee is enrolled in a simple online training that will help them spot what they missed before.  We then periodically follow up with new phishing campaigns that mimic the latest tricks of the real hackers.  Let us know if you’re interested in starting your own anti-phishing campaign.

Stay safe everyone!