Friday, December 19, 2008

"Spear Phishing" - New and Improved Spam

Maybe "improved" isn't the right way to describe "spear phishing," a new and personally focused sort of spam.

CNNMoney described this new wrinkle in annoying (and possibly dangerous) email: "Unlike traditional spam, most of which is blocked by e-mail filters, personalized spam, known as 'spear phishing' messages, often sail through unmolested. They're sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed Web sites that are bogus or immediately install malicious programs...."

These messages can look legitimate, since they may include personal data that the spammers have mined, like where you went to school, your mother's maiden name, or where you do your banking.

Part of the idea is to trick business owners into, for example, giving data about their

  • Google (or other) advertising accounts
  • Bank accounts

There's even something called "whaling," where an email to an executive claims that the business is under investigation by the FBI. I suppose that a panicked exec might be less than cautious.

How to Avoid Being Spear Phished

It boils down to three words: Don't be stupid. "Imprudent" might be a nicer word than "stupid."

There is pretty good advice in several places, including Microsoft and the SANS Technology Institute (which refers back to Microsoft's resource).

Some major points I found are:
  • Don't send sensitive information in response to an email - no matter who seems to have sent it
    • Call (don't email) the presumed sender, to make sure the request is legitimate
    • 'Trust, but verify' applies here
  • Don't click links in an email that asks for personal or financial information
    • Never
    • SANS T.I. says to put the Web address in your browser window instead - Microsoft has some advice about how to avoid bogus URLs

It Couldn't Happen to Me - Five Dangerous Words

I've been spammed, and phished, and fielded quite a few bogus phone calls. The experience has given me an appreciation for how easy it is to get fooled. One of my kids has called me "paranoid," for the way I insist on verifying a message before believing it, much less responding to it.

Well, maybe so. I prefer terms like "cautious."
