On August 23rd, 2017, MacEwan University in Edmonton, Alberta became the victim of targeted cyber-fraud. The method employed last month by a criminal organization that has yet to be identified is known as spear phishing. This attack is a targeted form of phishing in which fraudulent emails are sent to specific individuals in an effort to gain access to confidential information. Tactics include impersonation of a trustworthy entity and use of urgent language when requesting sensitive information or actions. The objective of spear phishing and phishing is ultimately the same: to trick people into revealing confidential information. MacEwan University only determined it was the victim of such a security breach after discovering that $11.8 million intended for one of the university’s major vendors had been transferred to a bank account evidently operated by a criminal cell.
The recent attack at MacEwan raises a number of pressing concerns for the safety and security of both individuals and institutions in an age of cyber espionage, warfare and hacking. How can individuals protect themselves from spear phishing when even large institutions with complex and sophisticated security systems and procedures fall prey to cyber fraud? The first step is to become aware of what spear phishing is and how to recognize it when you are its target. One of the most important technical points to note is that agents of spear phishing will often impersonate trusted senders, including banks and other financial bodies, in order to extract personal information. It is vital that receivers of such messages authenticate the sender before taking any action, including replying to the e-mail, which can at times make your account vulnerable to hacking. However, staying vigilant and discerning when it comes to your inbox is not always sufficient to guard against spear phishing attacks. Giants of tech and security are hard at work tackling this problem.
Among the most promising projects that aim to mitigate cyber-fraud and spear phishing are the plethora of emerging Artificial Intelligence (AI) systems on the market. AI is a unique and effective means of detecting and preventing spear phishing attacks, primarily due to its ability to learn the communication patterns, signature characteristics and anomalous signals that indicate an attempted attack. While there are rhetorical trends, such as the use of urgency in messaging, that the majority of phishers use to push their targets to reveal personal information, their tactics are always changing, evolving and improving. This is why it is so necessary that anti-spear phishing software have the capability to learn and adjust as the methods change.
Universities across North America are now on high alert for attempts to breach their security; this includes notifying students and faculty of the dangers and warning signs of cyber security attacks. Even in a digital age where New Media has largely eclipsed Mass Media, certainly in cultural significance, cyber security is still a foreign domain for many recreational Web users. The cunning nature of spear phishing is such that it capitalizes on this unfamiliarity and subsequent complacency. The first few e-mails will be harmless; they will establish your relationship to the sender, securing your assurance that it is someone you can trust. Then, the messages will begin to direct you (for security or convenience or necessity) to sign up on a new site or change your security passwords on an important account. Often the links provided will be convincing because they are exact replicas of existing and legitimate sites, but with a different URL (.com instead of .org, for example). Ryder Davis of Heathrow Security notes, "Unlike spam or virus-carrying e-mails, the content and messages of spear phishing attempts often don’t trigger security flags." There are no glaring spelling errors or African Princes looking for business partners, and this is why spear phishing detection is difficult without the right software. We are committed to providing just that, as well as the necessary learning to equip you for future attacks.
Here are some quick tips that you or your organization can use to better protect against spear phishing:
- Keep virus detection and system software up-to-date.
- Safeguard all computing IDs and passwords.
- Be wary of links and attachments in emails.
- Check source and destination email addresses before replying.
- Follow established business procedures carefully.
- Back up your data safely.
- Invest in high-quality anti-phishing software.
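
The address check in the tips above and the look-alike URL pattern described earlier (.com instead of .org) can both be automated. The following is an added example, not code from any product mentioned in this article. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration, and the code assumes a single-part plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your organisation really deals with (constructed values).
TRUSTED_DOMAINS = {"example-vendor.org", "example-bank.com"}
URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def split_domain(host):
    """Naive (name, tld) split on the last dot; production code should
    use the Public Suffix List to handle suffixes such as .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def lookalike_of(host):
    """Return the trusted domain that `host` copies under another TLD, else None."""
    name, tld = split_domain(host)
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = split_domain(trusted)
        if name == t_name and tld != t_tld:
            return trusted
    return None

def review_message(raw):
    """List reasons to verify the sender out of band before replying or clicking."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    hosts = {from_dom, reply_dom} | {h.lower() for h in URL_HOST.findall(msg.get_payload())}
    for host in sorted(h for h in hosts if h):
        trusted = lookalike_of(host)
        if trusted:
            findings.append(f"{host} imitates trusted domain {trusted}")
    return findings

# Constructed sample message, not taken from the MacEwan incident.
SAMPLE = """\
From: Accounts <billing@example-vendor.org>
Reply-To: billing@example-vendor.com
To: ap@university.example
Subject: Updated banking details

Please confirm the new account at https://portal.example-vendor.com/update today.
"""

if __name__ == "__main__":
    for finding in review_message(SAMPLE):
        print(finding)
```

A clean result only means these two checks found nothing; a message sent from a compromised legitimate account will pass both.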