Spear Phishing in Workplace Email Accounts

by Christopher on June 19, 2011

Spear phishing, or targeted phishing, typically conjures up attempts by spammers to get user names and passwords that provide access to money, credit card numbers, or financial information. However, spammers who directly target employees in a company are often looking for more indirect benefits.

If not financial information, what might a spear phishing spammer be seeking? Sometimes, it’s deeper access into company files. Sensitive information obtained this way can be offered for sale to competitors. A list of your customers or clients can be compiled, complete with contact information, buying habits, and other private data. Company email accounts may be hijacked for use in sending more spam.

Often, though, initial targeted phishing emails sent to workplace accounts are simply a first step toward more sophisticated and devious phishing ploys. If a spammer can collect private information from company memos or other correspondence, they can craft new emails that look legitimate because of what they now know. The spammer can even use real company email accounts to send them. In addition, once one email account is opened up to a spammer through targeted phishing, it’s likely the same spammer will have access to an entire directory of company email accounts to work with. At that point the spammer is ready to do real damage with further spear phishing efforts.

When an employee is successfully scammed by a spear phishing attempt, it can put the whole company at risk, jeopardizing private information that can be used in an array of nefarious ways. The personal or financial information of a company’s customers or clients may be betrayed, which is a violation of trust that can have serious legal and public relations ramifications.

Another often-unforeseen risk for a business successfully targeted by a spear phishing spammer is blacklisting and reputation damage. If company email accounts are taken over to originate outgoing spam, spam filtering technology will soon catch on. Some spam filtering technologies keep track of email account activity to determine whether an account is a trustworthy point of origin. A spammer using business email accounts can get the company’s IP addresses or domain blacklisted as a spam source or otherwise flagged as untrustworthy. The result is that legitimate emails from the company, many of which are undoubtedly essential to daily operations, will be blocked by the recipients’ spam filters.

While web-savvy employees are likely to identify many spear phishing messages correctly, spammers are getting more sophisticated and finding new ways to make their scams appear more legitimate. This is an increasing concern as more businesses avail themselves of social networking tools and websites that can be studied and even hacked for useful information. All it takes is one employee to fall for one targeted phishing attempt. From there, the effects can easily snowball.

Smart companies are educating all employees about the risks of spear phishing. But because the dangers are so serious, and because all it takes is one slip-up by one person, there is mounting pressure on companies to simply prevent phishing spam from ever reaching their employees’ inboxes. Sophisticated filters that use a variety of methods to identify spam are no longer just a way to save aggravation, time, and money; in today’s spam climate, they are a crucial security investment.
