Cybersecurity Newsletter
AUGUST 2020

Spear Phishing

Did you know… 88% of organizations have reported the occurrence of Spear Phishing attacks in 2019?

Have you received any e-mails or other suspicious digital communications where:

The beginning of the body of the text was personalized with your name?

There were references to friends, colleagues, or people in your organization?

There were references to projects or proposals where you were involved?

Spear Phishing is directed at specific targets, whether they are individuals or organizations. It usually occurs via e-mail and aims to lead victims to disclose sensitive data or to access malware. For the communication to appear reliable, attackers extract and use information available online about the organization or the people involved in the communication, creating a false sense of credibility and security in the recipients.

Learn how to act to protect yourself:

1. Be aware of fake senders

Always analyse the sender of the communication you received, because there’s a chance that the communication has been tampered with to look like it comes from a trusted entity, partner, or user.

Look for subtle manipulations in the sender, such as replacing the letter “o” with the number “0”, the letter “w” with the Russian alphabet letter “ш”, or the use of the letter “I” instead of the letter “l”.

Make sure that the top domains are the domains of the organization that sent the communication.
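The sender checks in point 1 can also be automated in a mail filter or triage script. The following Python code is an added example, not part of the original newsletter; the trusted-domain list, the sample headers and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: domains your organization really exchanges mail with (constructed).
TRUSTED_DOMAINS = {"example.com", "worldpartner.example"}

# Look-alike characters folded together: the swaps named above
# (0 for o, ш for w, I for l once lower-cased), plus the digit 1 for l.
FOLD = str.maketrans({"0": "o", "ш": "w", "i": "l", "1": "l"})


def skeleton(domain):
    """Lower-case the domain and fold look-alike characters into one form."""
    return domain.lower().translate(FOLD)


def sender_domain(from_header):
    """Domain of the address in a From header; the display name is ignored."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower().rstrip(".")


def classify(from_header):
    """Return (verdict, trusted domain involved or None) for a From header."""
    domain = sender_domain(from_header)
    labels = domain.split(".")
    # Every parent domain of the sender: a.b.c -> a.b.c, b.c, c
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for suffix in suffixes:
        if suffix in TRUSTED_DOMAINS:
            return ("trusted", suffix)
    by_skeleton = {skeleton(t): t for t in TRUSTED_DOMAINS}
    for suffix in suffixes:
        if skeleton(suffix) in by_skeleton:
            return ("lookalike", by_skeleton[skeleton(suffix)])
    # Trusted name on the left, but the real top domain belongs to someone else.
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + domain:
            return ("embedded", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ["Ana Silva <ana@example.com>",
                   "Ana Silva <ana@examp1e.com>",
                   "Partner Desk <desk@шorldpartner.example>",
                   "Ana Silva <ana@example.com.billing.test>"]:
        print(header, "->", classify(header))
```

Internationalized domains may arrive in their encoded xn-- form, which has to be decoded before this comparison.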


2. Be thorough and think before you act

Reflect on what is being asked. If it involves any sensitive personal or professional information, never disclose such information via e-mail.

Never make any type of payment, even if the request seems urgent. In a work setting, report and review this type of situation with the financial department of your organization.

Validate the need for these requests made via e-mail by using an alternative means, whenever possible.

In case of doubt, do not follow the instructions in the suspicious communication and report it to the security team of your institution, to avoid risks.


3. Step up your attention to content, software, and devices

Do not click on links, visit, or log into websites that are embedded in the e-mail body without making sure they are secure (learn how in point 2).

Do not download attachments from suspicious e-mails to your devices. Malware can be attached under different formats and also as links, often from legitimate websites, because they are less likely to be blocked by the technical controls that are implemented.

Keep the security software of professional and personal devices up to date, shielding them from a wide variety of threats.

Update your credentials regularly and be strict about password quality, decreasing the risk of your account being used to enable this type of attack.

At the organizational level, implement technical controls for the inspection and filtering of e-mails in e-mail servers and endpoint devices.
