
Defending Against "Spearfishing"

Spearfishing is a highly targeted hacking technique cybercriminals use to steal sensitive information, such as financial data and customer information.

Unlike traditional phishing attacks that cast a wide net hoping to catch unsuspecting victims, spearfishing focuses on specific individuals or organisations.

Small companies are not immune!

SA Examples

A company associated with the MTA reported that hackers used LinkedIn to identify a person starting a new job. They sent this person a fake email – supposedly from the company’s bookkeeper – asking for full personal, banking and superannuation details.

The person had already supplied this information, so they became suspicious and the attack failed.

In another case, a spearfishing gang obtained the name and email address of the general manager of an SME. They sent a masked email to the company’s finance department, asking them to make a payment to a third party – which appeared to be a bank located in Adelaide. The email used language that business owners will often use when requesting their finance staff to make a payment.

About $30,000 was sent to the nominated bank account, which turned out to be a bank in Eastern Europe.

How It Works

By tailoring their attacks to appear genuine and trustworthy, hackers increase their chances of success. They typically conduct thorough reconnaissance on their targets. They gather personal or organisational information, such as names, job titles, email addresses or social media profiles, to craft convincing messages. These messages often appear to come from trusted sources, such as colleagues, business partners, or even friends.

Once the attacker has identified their target and gathered the necessary information, they will deploy various tactics to increase the chances of success. These may include:

  • Email Spoofing: manipulating the email header information so that messages appear to be sent from a trusted source.

  • Impersonation: hackers may pose as someone the target knows or trusts.

  • Social Engineering: psychological manipulation to exploit the human tendency to trust and help others

  • Malware: the delivery of malware can compromise the victim’s device and provide the hacker with unauthorised access.

Warning Signs and What to Do

  1. Suspicious or unexpected emails: Pay close attention to emails that seem out of the ordinary or are unexpected. Check for any grammatical errors, strange email addresses, or requests that seem urgent or unusual. Be particularly cautious when emails request sensitive information, such as passwords or financial details.

  2. Unusual links or attachments: Hover over links to check the URL before clicking and be wary of downloading or opening files from unknown senders.

  3. Requests for personal or sensitive information: Legitimate organisations rarely request such information via email. If you do get a request, don’t click on links. Go to the company’s website and log in to your account.

  4. Urgency: Hackers often create a sense of urgency or use high-pressure tactics to manipulate their targets into taking immediate action. Be sceptical of emails that demand immediate responses or threaten negative consequences for non-compliance.

  5. Inconsistencies: Examples include mismatched email addresses, poorly written content, or unusual formatting.

  6. Verify the source: If you receive an email or message that seems suspicious, independently verify the source before taking any action. Contact the supposed sender directly through a known and trusted communication channel to confirm the legitimacy of the message.

  7. Educate yourself and others: Stay informed and warn others about the risks so you help protect your business and associates.
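Several of the warning signs above (a sender outside your own domain, a Reply-To that points elsewhere, failed sender authentication, urgency, and requests for banking details) can be checked automatically from a message's headers and body. The script below is an added example, not code from the article; the sample message, the trusted domain and the word lists are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the article): the display name claims to be
# the company's accounts team, but the address and Reply-To belong to other domains.
SAMPLE_EMAIL = """\
From: "Accounts - Example Pty Ltd" <accounts@example-pty.co>
Reply-To: payments@mail-relay.example.net
To: newstarter@example.com
Subject: URGENT: confirm your bank and super details today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-pty.co; dkim=none
Content-Type: text/plain

Please send your full banking and superannuation details immediately so payroll is not delayed.
"""

TRUSTED_DOMAIN = "example.com"  # the organisation's own domain (assumed)
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
SENSITIVE_WORDS = ("bank", "banking", "superannuation", "password", "payment")


def domain_of(address):
    """Return the lowercased domain part of an email address, or '' if there is none."""
    _, addr = parseaddr(str(address or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spearphish_warning_signs(raw_message):
    """Return the list of warning-sign labels found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signs = []
    from_domain = domain_of(msg["From"])
    if from_domain and from_domain != TRUSTED_DOMAIN:
        signs.append("external_sender")  # address is not ours, whatever the display name says
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        signs.append("reply_to_mismatch")  # replies would go to a different domain
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth or "dmarc=fail" in auth:
        signs.append("auth_failed")  # receiving server could not authenticate the sender
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        signs.append("urgency")  # pressure to act immediately
    if any(word in text for word in SENSITIVE_WORDS):
        signs.append("asks_for_sensitive_data")  # banking, super or password details requested
    return signs
```

Any message that raises one or more of these labels should be verified with the supposed sender through a known channel before acting on it.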

Remember, hackers rely on human vulnerability and the trust we place in our digital interactions. By remaining vigilant, you can greatly reduce the risk of falling victim to spearfishing attacks.
