When people think of phishing, they tend to think of poorly written emails promising a large inheritance in exchange for bank account information. Attackers are getting smarter though – they know exactly who their target is and put in the time to research them, scouring the internet for information that enables specifically tailored phishing emails known as spear phishing. Some of the information they look for includes employee personally identifiable information (PII), who the target reports to, their job responsibilities, their purchasing authorization, personal details from social media, and so on. More often than not, that information is readily available online.
Phishing operations can take many different forms. Here is just a sampling of some examples I have seen in the real world and the lessons we can learn from them:
Example: The bad guys load up a PDF with malware. They spoof the sender’s email address to look like a legitimate contracting firm and then – and this is very smart – send that email to business development, whose job revolves around opening and responding to these types of PDFs (an RFP in this instance). Because business development sees these types of emails all the time, they open it without a second thought.
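The scenario above has two detectable features: the visible sender address does not match where the mail actually came from, and the "RFP" attachment is a PDF carrying active content. The following triage script is an added example written for this post, not code from the original article. It builds a constructed sample message (the addresses, domains and the stub PDF are all made up for illustration; the PDF only contains marker strings, not a working payload) and flags both the sender-domain mismatch and the risky PDF markers, while passing a clean message with aligned headers and a plain PDF.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# PDF name-object markers whose presence in an inbound attachment merits a closer look.
# /OpenAction and /AA trigger actions automatically; /JavaScript and /JS embed script;
# /Launch can start an external program from the reader.
PDF_RISK_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")

# Constructed stub PDFs for the demo (marker strings only, not real documents).
CONSTRUCTED_RISKY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('rfp')) >> endobj\n"
    b"%%EOF\n"
)
CONSTRUCTED_CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def build_sample_message() -> bytes:
    """Constructed spear-phish lookalike: From claims a contracting firm, but the
    envelope sender and Reply-To point elsewhere, and the RFP PDF has active content."""
    msg = EmailMessage()
    msg["From"] = "Acme Contracting <rfp@acme-contracting.example>"
    msg["To"] = "bizdev@yourcompany.example"
    msg["Subject"] = "RFP 2024-17 attached"
    msg["Return-Path"] = "<bounce@bulk-mailer.example.net>"
    msg["Reply-To"] = "proposals@acme-contracting-mail.example.net"
    msg.set_content("Please review the attached RFP and respond by Friday.")
    msg.add_attachment(CONSTRUCTED_RISKY_PDF, maintype="application", subtype="pdf",
                       filename="RFP_2024-17.pdf")
    return bytes(msg)


def build_clean_message() -> bytes:
    """Constructed benign RFP mail: all sender headers agree and the PDF is inert."""
    msg = EmailMessage()
    msg["From"] = "Acme Contracting <rfp@acme-contracting.example>"
    msg["To"] = "bizdev@yourcompany.example"
    msg["Subject"] = "RFP 2024-18 attached"
    msg["Return-Path"] = "<bounce@acme-contracting.example>"
    msg.set_content("Attached is the RFP we discussed.")
    msg.add_attachment(CONSTRUCTED_CLEAN_PDF, maintype="application", subtype="pdf",
                       filename="RFP_2024-18.pdf")
    return bytes(msg)


def sender_domain(header_value) -> str:
    """Return the lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender alignment: the domain users see (From) should match the
    #    envelope sender (Return-Path) and any Reply-To that will receive answers.
    from_dom = sender_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = sender_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")

    # 2. Attachment content: inspect PDFs (by declared type or magic bytes) for
    #    active-content markers rather than trusting the filename alone.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        is_pdf = part.get_content_type() == "application/pdf" or payload.startswith(b"%PDF")
        if is_pdf:
            hits = [m.decode() for m in PDF_RISK_MARKERS if m in payload]
            if hits:
                findings.append(f"attachment {name!r}: active-content markers {hits}")
    return findings


if __name__ == "__main__":
    for label, builder in (("spoofed", build_sample_message), ("clean", build_clean_message)):
        print(f"[{label}]")
        for finding in triage_message(builder()) or ["no findings"]:
            print("  -", finding)
```

In production the same two checks are what SPF/DKIM/DMARC alignment and a sandboxing mail gateway perform; this script is the minimal, offline version a defender can run over a quarantined `.eml` to see why a message like the RFP above deserves a second look before business development opens it.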