March 24, 2017
We’ve all received phishing emails asking us click a link to reset our password, or to reply to an email with our login information to stop our accounts from being closed, etc. These emails are lazily sprayed to hundreds or thousands of people at a time, with the hopes that someone will reply, ensnaring another account they can use to spread more spam out.
What about when it is targeted?
Sometimes the attack is focused on a single individual, or a very small group of people with specific financial or executive roles. The attackers do their research: they find out the position of potential victim, research the company, and make very specific requests, usually for money transfers. This is known as spear phishing, or whaling, when it is targeting an executive. These attacks are much more difficult to catch, as they seem much more legitimate than the usual type of phishing email. They will frequently spoof the sender as someone from the same organization, usually asking for a quick money transfer to a vendor.
What to look for, and how to stop it
As most of these attacks are attempting to steal money, it is important when you get an email requesting a money transfer to analyze it closely:
- What method do they want to use to transfer the money?
- Most will use Western Union, or bank transfers in foreign countries
- What currency are they asking you to use?
- Frequently it will be in Euros, Pounds or Yen
- Is the sender using their usual email address?
- Often they will use a coworker’s name, but it will be from a Gmail, Hotmail, or other free email provider - be sure to check the reply-to
- Does the sender use their usual writing style/language in the email? Do they sign their email in their usual way?
- Is there a sense of urgency?
- Frequently they will say they need it right away; that a “deal” hangs on the money transferring quickly
- Are they available for more details?
- Often they will say they are in a meeting, or out of the country with spotty reception/Wi-Fi, and can’t reply to requests, pushing the urgency for you to complete the transfer
- Call the person on their University extension, or send them a new email (using their known work email address) separate from the money request thread asking for more details
- When in doubt, ASK
- Forward the email in question to infosec@uoguelph.ca [1], and the Information Security team can help ascertain the validity of the email/request.
Written by: Brendan Hohenadel (Cyber Forensics Analyst, Information Security)