Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a small, select number of people. Spear phishing emails are realistic and often appear to come from people you work with.
These emails often create a sense of urgency, demanding you take immediate action and not tell anyone. The cyber criminal’s goal is to rush you into making a mistake. Here are three common scenarios:
- Wire Transfer: A cyber criminal will research an accounts payable person or team for an organization. They will then pretend to be the target’s boss and request an emergency transfer of money.
- Tax Fraud: Cyber criminals will research employees who handle employee information, such as human resources. They will then pretend to be someone from legal and try to obtain documents containing employee information. This can be used to impersonate employees for tax fraud.
- Attorney Impersonation: In this scenario, criminals start by emailing you pretending to be a senior leader, advising you that an attorney will call about an urgent matter. The criminal then calls you pretending to be the attorney. The urgency created over the phone may trick you into acting a certain way.
Quiz question
Scenario: Your boss emails you and asks for a one-time wire transfer to a new account to pay for an overdue invoice. It needs to be done ASAP. What should you do?
A. Double check that it’s your boss’s email address before sending the money
B. Reply to the email to get more information
C. Call your boss at a trusted phone number to verify that it is legitimate
Answer: C is the only right answer.
Protecting Yourself
Common sense is your best defense. If you receive a message from your boss or a colleague and it does not sound or feel right, it may be an attack. When in doubt, call the person at a trusted phone number or meet them in person (don’t reply via email) and confirm if they sent the email. Never bypass security policies or procedures. Requests that attempt to bypass those policies, regardless of their apparent source, should be considered suspicious and be verified before any action is taken. If you receive such a request and are not sure what to do, contact your supervisor, the help desk, or information security team right away. Don’t forget about our new tool in Outlook that allows you to immediately report a suspicious email.