
Gone Phishin'

January 22 2016

Talk about ironic timing! Just hours before helping run a webinar on data security, I got "spear phished" for the first time.

Like everyone, I've been "phished" before. That's when you get those annoying spam emails posing as, say, your bank or another trusted entity. They're generic mass emails that are sent to tons of people at once in the hopes that a few recipients will be fooled into sharing sensitive information like bank or credit card numbers.

Fortunately, they're pretty easy to spot--just hover over any link (don't click!) to see if the address points to the actual domain of the purported sender or to something suspicious like xxx.sh.123.2.ch (or something). Broken English is a common red flag, too.

What is Spear Phishing?

Spear phishing, on the other hand, is a highly targeted version of phishing (hence the name). Here, the spammers know your name, they know your email, and they know the names of the people you're connected to--and that's how they get you.

When targeting me, they posed as RE Technology's CEO, Victor. Because our names, titles, and contact info are listed on RE Technology's site--a necessity for doing our job, by the way--the spammers were able to learn enough about us to know that I would likely trust a message appearing to be from Victor.

Which I did, foolishly. The initial message was short, simple and included no weird links (which would have tipped me off immediately). Most importantly, it sounded just like a message Victor would send (and has, previously):

Subject: Office
From: Victor Lund

Hello Kelly,

Are you in the office now?

Regards,

Victor Lund
CEO/Co-Founder, RE Technology
Partner, WAV Group

Sent from my iPhone

The "From" field contained his name, the signature had everything right, and even the "Sent from my iPhone" was spot-on Victor. So I didn't even think about it when I replied, Yes.

That's when the weirdness happened. Within minutes, I received a short, simple reply that said:

I would like to know if you can send a wire transfer payment for me now, i am presently in the middle of a conference meeting now, please advise.

Victor was in a meeting; I could hear him down the hall. But I knew he would never ask about a wire transfer, so that's where things ended.

Have a Web Presence? You're at Risk, Too

As you can see, spear phishers exploit familiarity to lower your guard. After all, if you think you're communicating with someone you trust, you're more likely to be willing to give out sensitive information like passwords or account numbers.

Unfortunately, if you have an online presence--and you should, for the sake of your business--you're a likely target, too. Spear phishers use social media, your website, and your brokerage's website, among other places, to research who you're connected to and how, in order to craft a targeted message.

While you may not be able to avoid these messages, you can avoid falling prey to a spear phishing attempt. Here are a few tips:

  • Check the sender's email address. I was fooled at first here because the sender's display name was "Victor Lund." However, the email address wasn't his. I didn't realize this until I later hovered over the display and the sender address was revealed. If the address doesn't match what you know to be the sender's email, disengage! Delete the message or mark it as spam.

  • Reach out and ask. Some spammers can "spoof" an email address to make it look like messages are coming from the correct person. If you're ever suspicious, don't hesitate to contact the real person by phone or text to verify. Better safe than sorry!

  • Never list client names online. Protect your clients' privacy by never posting their names on your website. The only time this is acceptable is when they've given you permission to use their testimonial on your site. If possible, abbreviate their last name (Dan and Sandra H., for example) for a bit more anonymity. Never, ever post their email or other contact information.
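As an added example (not code from the original post), here is a small Python check that applies the first two tips to a raw email: it compares the "From" display name against a known address book, flags a Reply-To that diverges from the From address, and flags a payment request like the one in the follow-up message. The sender addresses and sample messages below are constructed placeholders, not the real ones.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display names you know, mapped to the address each
# person actually sends from. Hypothetical domain, not the real one.
KNOWN_SENDERS = {
    "victor lund": "victor@retechnology.example",
}

# Phrases that, arriving "from the CEO", deserve a phone call before acting.
PAYMENT_PHRASES = ("wire transfer", "wire payment", "send payment")


def check_message(raw: str) -> list[str]:
    """Return the red flags found in one raw email; an empty list means none."""
    msg = message_from_string(raw)
    flags = []

    # Tip 1: the display name is easy to fake; compare the actual address.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' but address {addr} (expected {expected})")

    # A Reply-To that differs from From routes your answer somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")

    # Tip 2: any payment request from a "known" sender is verified out of band.
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(p in body.lower() for p in PAYMENT_PHRASES):
        flags.append("body asks for a payment; confirm by phone before acting")
    return flags


# Constructed samples modelled on the exchange in the post.
OPENER = """From: Victor Lund <victor.lund@lookalike-mail.example>
Subject: Office

Hello Kelly,

Are you in the office now?
"""

FOLLOW_UP = """From: Victor Lund <victor.lund@lookalike-mail.example>
Subject: Re: Office

I would like to know if you can send a wire transfer payment for me now.
"""

GENUINE = """From: Victor Lund <victor@retechnology.example>
Subject: Office

Are you in the office now?
"""
```

Running `check_message` on the three samples reports one flag for the opener (address mismatch), two for the follow-up (mismatch plus payment request), and none for the genuine message.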

Remember, when in doubt, err on the side of vigilance. Asking never hurts--especially when compared to the risks posed to your finances and professional reputation!