With whom do we have the pleasure?
I am Peter Peters, and I have been Security Manager at the university for a couple of years now. I am also the coordinator for the Computer Emergency Response Team. I have over three decades of experience with email, with the things that can go wrong with it and with the ways it can be abused.
I am especially worried about spear phishing these days. Everyone seems to know about normal phishing, even though not everyone seems to recognize it all the time. Spear phishing is more insidious, as it abuses more information than just the email addresses the phishing is sent to.
What is spear phishing?
Spear phishing is a highly effective way to get access to the university’s network and the data stored there. As the word suggests, it acts like a spear in attacking the university and its employees and students, whereas a normal phishing attack is like a shotgun.
Normal phishing attacks depend on the number of emails. Even if only 1% of recipients respond, sending out thousands of emails leaves the attacker with several potential victims to abuse. The disadvantage of a normal attack is that it gets reported, for instance to the university’s Computer Emergency Response Team (CERT-UT, firstname.lastname@example.org, internal phone: 1313). When CERT-UT knows about a phishing attack, it can take measures to prevent (further) abuse.
With spear phishing, the attacker aims to be discreet to avoid triggering those measures. The attacker cannot rely on the number of email messages any more, so they must come up with methods that increase the response rate. The best way to do that is to become personal.
What do you mean by personal?
The attacker will try to get a personal connection with the victim. The simplest way is to use your name in the email. Instead of just “Dear employee”, they will use your first and last name. Research shows this alone increases the chances of the attack succeeding by 50%.
Their chances increase even more when they include more information or refer to people you know. They usually claim to know those people too. Perhaps they even claim that a “mutual” colleague referred them to you after meeting at a conference.
The attacker will investigate you and the people you know. They know which conferences you visited, perhaps even which people you met. You know how much information is shared on social media. They try to find out which conferences those other people attended that you did not. Perhaps they even read papers written by those people that are of relevance to you.
Often, they do not even direct you to a phishing site right away. They will try to start a conversation with you, perhaps even connect with you on social media sites like LinkedIn. Only once you trust them will they lure you to a phishing site.
I don’t write papers or visit conferences. My professor is the one visiting conferences. Does spear phishing still concern me?
Yes, it does.
Because you think you are not of interest to attackers, you are more prone to being targeted. Once the attacker has targeted you, they can use the information they got from you to target your professor. If you fall for their phishing, they can use your account to send spear phishing messages to your professor. Even if they do not fall for a link from an outside party, they might fall for a link “you” sent them.
What can I do to prevent spear phishing?
You yourself cannot stop spear phishing.
You can, however, get better at detecting an attack. The university has prepared training material that is worth going through. Have a look at https://securityeducation.utwente.nl/.
If you notice an attack or something else that looks strange, please contact CERT-UT. They can help prevent the same kinds of messages from reaching your colleagues and students next time. They will also warn other recipients who might not yet be aware of the attack.
What if I fell for a spear phishing attack?
The first thing you need to do is change your password. If the attacker has access to your account information, they can launch an attack while you are busy doing other things.
The next thing to do is warn CERT-UT. Provide them with as much information as possible to help them do their job.
I use Multi-Factor Authentication. Shouldn’t that make me safe?
It will make you safer.
It cannot, however, make you 100% safe. As defenders take measures to prevent attacks from succeeding, attackers find new ways to circumvent those measures, or take a completely different approach.
That is why you yourself need to be vigilant too.
Where can I get more information?
Check the Cyber Safety website.
If you still have questions you can always contact CERT-UT. If they can’t help you, they know who can.