Oct 27 2005
Spear Phishing
Unluckily, I’m not surprised to hear that targeted phishing attacks are starting to become more commonplace. The goal in the average phishing attack is to send out hundreds of thousands of emails, hoping that there are one or two people out there who are gullible enough to take the bait. With ‘spear phishing’, the attacker learns enough about the target that an email can be sent that looks official and appears to come from a trusted source. Usernames and passwords are usually among the targets of this type of phishing.
I’m willing to bet that this is really nothing new. I’m sure industrial espionage has been performed via company memo for decades. Why risk going to a company to steal the secret formula when you can just send a memo on company letterhead asking the target to send you the formula?
This is one more reason that end-user education is so important. Most people already know better than to give out their password, but there are always going to be one or two people who think to themselves, ‘This is different, it’s official this time.’ But it’s not; we, the IT folks, should never ask for a username/password. And if you catch one of your people doing this, remind them why we shouldn’t.