Spear phishing is incredibly commonplace. As many as 90 per cent of targeted cyberattacks begin with a spear-phishing email. And given the way that spear-phishing works, that's not surprising.
Social engineering techniques used to target victims include email, social media, SMS and other messaging apps, so a level of trust is involved: we all think we're at least relatively careful with the kind of information we share with the world… but are we careful enough?
Accidental data sharing
Last year the average amount of time people spent on social media each day was 144 minutes. If you have a smartphone, check your screen time settings - chances are, you spend even longer scrolling through Instagram, chatting on Facebook Messenger and other social media platforms.
By sending a tweet, posting an online photo, or participating in harmless social media discussion, you could be sharing more data than you bargained for, including:
- Location data (tagged location, GPS location, time zone and Bluetooth signal)
- Personal details (name, birthday and photo)
- Employment data (co-workers and previous and current jobs)
- Contact information (email and phone number)
- Social media habits (frequency of use, interests and interactions)
What can attackers do with my data?
All attackers have an intent behind their phishing activity, often to steal and sell your data. Those using spear phishing are looking to be more targeted: they want to steal your identity and then use it to target your friends, family and colleagues further, or to extort you.
The sophistication of these attacks means more people fall prey to them, even if they are somewhat savvy. It's an easy mistake to make, because the attacks are incredibly targeted: 77 per cent of attacks target ten mailboxes or fewer, while one third (33 per cent) target just one mailbox.
Attackers are incredibly smart when it comes to the tactics they use to get your information in the first place. They may pretend to be a person or company you trust – Australia Post, Apple, your bank, a shop you buy from, your employer, your university alumni.
It's easy to fall for their tricks
PayPal, Amazon and Apple are three companies that attackers regularly impersonate in spear-phishing activities.
How often do you see an email from one of them asking you to reset your password or follow some other kind of direction or risk having your account shut down? Given that many of these emails have the marks of a legitimate email – logo, URL (likely masked), name, footer information, etc. – it's easy to get duped.
So how do you avoid getting caught out?
There are many things you and your team can do to avoid getting caught out by a spear-phishing attack:
- Always be aware: keep an eye out for anything that looks suspicious in an email or text, and ask your staff to do the same. Common giveaways include fake domains and bad spelling and grammar.
- When in doubt, do not click: if an email, text or attachment does not look right, don't click on it. Alert your IT team and let them check whether it is malware or a virus.
- Avoid sending personal information: if a company asks you to reply to a text or email with personal details, it is probably spear phishing. Genuine companies will rarely (if ever) ask for this information; instead they prompt you to log in to a website or app or to give them a call.
- Use a password manager: not only do password managers take away the pain of remembering every password, they can also help detect websites set up for phishing attacks. If a site is unknown or a fake domain, they won't prepopulate your credentials, which is a flag that something isn't right.
- Be aware of your privacy settings: it's essential to stay in control of your privacy settings by choosing what information you share, and who gets to see it.
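The "fake domains" warning and the password-manager point above both rest on the same idea: a machine compares the exact registered domain, while a human eye is fooled by look-alikes. The following is an added example, not code from the original article, that applies the exact-match test a password manager uses and then flags the typosquats, digit-for-letter swaps and "brand as a subdomain" tricks that pass a casual glance. The trusted list, homoglyph table and sample sender addresses are constructed for illustration; the brands are the ones the article names.

```python
TRUSTED = {"paypal.com", "amazon.com", "apple.com"}  # constructed trusted list

# Characters attackers swap in because they look alike to a human reader (constructed table)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: multi-part TLDs such as co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse look-alike substitutions and hyphens so 'paypa1' compares equal to 'paypal'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a value of 1 catches single-character typosquats like amazom."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an email address."""
    host = address.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    domain = registrable_domain(host)
    if domain in TRUSTED:  # exact match: the only test a password manager applies before autofill
        return "trusted"
    brand = normalise(domain.split(".")[0])
    for trusted in TRUSTED:
        t_brand = trusted.split(".")[0]
        # Brand appears as a subdomain of something else: apple.com.login-check.example
        if t_brand in labels[:-2]:
            return "lookalike"
        # Homoglyph swap, one-character typo, or brand embedded in a longer label (amaz0n-support)
        if brand == t_brand or edit_distance(brand, t_brand) <= 1 or t_brand in brand:
            return "lookalike"
    return "unknown"
```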