How to Avoid One of the Biggest Email Hacking Threats
You might have heard of something called "spear phishing." It's an attempt to hack your computer or your accounts, or to con you out of money, by using an email message that's tailored to you or your company. A phisher piques your interest with a conference invite, resume or invoice. But it's a ruse to get you to provide sensitive information such as passwords, click on an infectious attachment or website link, or participate in a shady deal.
These personalized, deceitful messages can be crafty and believable enough to slip by spam filters and other security protections and to trick you -- the last line of defense.
About one in every 300 emails in 2011 was a phish, according to security software maker RSA, a unit of EMC Corp. Entrepreneurs should be concerned because these emails are increasingly surfacing at the office. In a separate 2011 RSA Workplace Security survey, 45 percent of respondents said they had received a phish in their work email. Often, they are personalized "spear" messages to specific employees, sometimes including details mined from LinkedIn and other social networks to make them more plausible.
Spear phishing emails can be alarmingly effective. RSA, Google and a slew of large companies had valuable intellectual property stolen over the last two years in attacks that began with a spear phish of an employee. "They're aiming for fewer targets, but they're aiming for a higher yield," says Jason Hong, an associate computer science professor at Pittsburgh's Carnegie Mellon University and founder of Wombat Security Technologies, maker of a phishing filter and educational tools for companies.
Small companies have been targets of spear phish attacks, too. Last spring, an employee in receivables at a Wichita, Kan., ServiceMaster franchise opened an email tailored to her and unleashed a virus that scrambled her computer and sent spam to her contacts. The franchise's mail server was also upended and shut down for most of the following two days while a technology consultant cleaned up, the company says.
Some spear phish attacks can cause more financial damage. Take PrintedArt, a Franklin Lakes, N.J., company that sells artwork. It has received several emails in recent months from supposed customers requesting unusual shipping arrangements requiring the firm to wire thousands of dollars to international shipping agents. But Klaus Sonnenleiter, the company's president, became suspicious that the agents were impostors and refused the orders.
Here's how you, too, can avoid getting reeled in by a phisher.
Use technology as the first line of defense.
Security technologies can block many phishing attempts before they reach anyone. Do the basics: use up-to-date antivirus software and spam filtering, and keep the software on your computers current with the latest updates -- especially Adobe products and Java, whose bugs have been heavily exploited by malware writers.
Specialized anti-phishing technologies can also help. Major web browsers use built-in blacklists that provide a safeguard against known phishing websites. Google's blacklist is used in the Firefox, Safari and Chrome browsers, while Microsoft's blacklist is used in Internet Explorer.
And there are filters that use "heuristics," a set of rules used to detect phishing that can block some attacks but can also generate false alarms. Microsoft includes this technology in SmartScreen, a feature in Exchange, Hotmail and Internet Explorer, and many security-software makers include heuristics in their product suites.
Teach employees how to spot these phishing emails.
Unfortunately, spear phishing emails are especially adept at beating security technologies because they often look like legitimate messages. When they contain malware, it's often tweaked to get past major antivirus products. And when emails direct victims to dangerous websites, the sites are often new and unknown to blacklists.
You must prepare employees to identify these types of emails. Experts say educating workers and instilling a healthy level of suspicion are effective in foiling phishers, who often use emotional triggers to create a sense of fear or urgency.
About 50 percent of people will fall for a reasonably good phish, say both Wombat and PhishMe, which provide anti-phishing training services. But they say employee education can whittle that number down to 10 percent or less.
Training programs usually start with sending employees fake phishing messages. If they fall for the ruse, they are given immediate online training about how to recognize scams and protect themselves by, for example, scrutinizing email addresses and website URLs.
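To make the "heuristics" idea from the technology section concrete, and to show the same sender-address and link checks that the training described above teaches employees to do by eye, here is an added example (not code from the article or from any of the vendors it names). It scores three constructed messages with four simple rules; the word lists, domains and the two-rule threshold are assumptions, and the third message is a legitimate newsletter that still trips the filter, illustrating the false alarms the article warns about.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")
RISKY_ATTACHMENTS = (".exe", ".scr", ".js", ".zip")
LINK_RE = re.compile(r'<a href="([^"]+)">([^<]+)</a>')
HOST_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})")

def phish_score(msg):
    """Apply four simple heuristics to a message dict; return (score, reasons)."""
    reasons = []
    _name, addr = parseaddr(msg["from"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    claimed = msg.get("claimed_domain", "").lower()
    # Rule 1: address domain differs from the organisation the sender claims to be
    if claimed and sender_domain != claimed and not sender_domain.endswith("." + claimed):
        reasons.append(f"sender domain {sender_domain} is not {claimed}")
    # Rule 2: link text shows one host but the href points at another
    for href, text in LINK_RE.findall(msg["body"]):
        shown = HOST_RE.match(text.lower())
        actual = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1) != actual:
            reasons.append(f"link shows {shown.group(1)} but goes to {actual}")
    # Rule 3: fear/urgency wording in subject or body
    if any(w in (msg["subject"] + " " + msg["body"]).lower() for w in URGENCY_WORDS):
        reasons.append("urgency wording")
    # Rule 4: attachment type commonly used to carry malware
    for fname in msg.get("attachments", []):
        if fname.lower().endswith(RISKY_ATTACHMENTS):
            reasons.append(f"risky attachment {fname}")
    return len(reasons), reasons

def is_suspicious(msg, threshold=2):
    return phish_score(msg)[0] >= threshold  # two rules firing is enough to quarantine

# Constructed samples: a spear phish, a legitimate mail, and a legitimate newsletter
# whose tracking redirect plus urgent wording produces a false alarm.
SAMPLES = {
    "spear_phish": {"from": "Example Corp HR <hr@examp1e-corp.com>", "claimed_domain": "example-corp.com",
        "subject": "Urgent: verify your account today", "attachments": ["benefits_form.zip"],
        "body": 'Open <a href="http://example-corp.com.login-portal.xyz/x">example-corp.com/benefits</a>'},
    "legit": {"from": "Alice <alice@example-corp.com>", "claimed_domain": "example-corp.com",
        "subject": "Lunch on Thursday?", "body": 'Menu: <a href="http://cafe.example.com/menu">cafe.example.com/menu</a>'},
    "false_alarm": {"from": "Vendor News <news@vendor.example>", "claimed_domain": "vendor.example",
        "subject": "Sale ends immediately at midnight",
        "body": 'See <a href="http://click.tracker.example/r/1">vendor.example/sale</a>'},
}
if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, is_suspicious(msg), phish_score(msg)[1])
```

The false alarm is the trade-off the article describes: lowering the threshold catches more spear phish but quarantines more honest mail, which is why the rules complement employee training rather than replace it.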
If in doubt about the safety of an attachment, you can tell employees to forward the message to a Gmail account and view it safely in Google Docs, rather than download it to their computer, suggests PhishMe co-founder Aaron Higbee.
You also can encourage employees to use instant messaging and work together on documents using collaboration software, he says, making your company less reliant on insecure email.
Riva Richmond is a freelance journalist who has covered technology for more than a decade. She focuses on computer security, privacy, social networking and online business and has written for The New York Times, The Wall Street Journal and other national publications. Previously, Riva was a technology reporter at Dow Jones Newswires and regular contributor to The Journal's "Enterprise" small business column.