Gone Spearphishing

You scroll through your Facebook news feed and spot another quiz, posted by one of those folks you never really knew but added as a friend anyway. The posts they make are great, bringing you back to your high school days.

This quiz is all about favorites. Favorite color, favorite song, favorite artist, favorite animal, and so on. You copy the quiz and fill in your own response, then post it and wait for the comments and the reposts to flow in.

It’s a natural inclination. Broadly speaking, people like to talk about themselves. We are socially inclined, and we want to look well-informed. And the subject we know the most about is ourselves. We share personal information, even when we know we shouldn’t.

Quizzes like these widespread Facebook posts are fodder for password hints (how often have you used “favorite band” or “favorite sports team” as a security question?), and beyond that, they enable a particularly dangerous form of digital attack known as “spearphishing.”

The name “spearphishing” is an expansion of the term “phishing,” which is a well-known phenomenon on the Internet at this point. Everyone knows not to click on links in spam emails or open attachments from unknown senders. Most, if not all, email providers have functions that sort through users’ emails and quarantine any emails that carry the hallmarks of a phishing attack on sight. Indeed, producers of such scams send out so many emails because they know a small number of people will be fooled by them.

In this way, traditional phishing casts a wide net, maximizing the number of people taken in by the generic emails that carry the malicious files. Spearphishing, by contrast, is a specific, directed attack. The target of a spearphishing attempt is profiled and researched, their social imprint combed through for connections and patterns. The attack is tailor-made to be nearly indistinguishable from a perfectly benign email.

There are no clear guidelines on who is most likely to become a target of such an attack, but the more personal information you share and the more connected your online accounts are, the easier it will be for some bad actor to con you. Public figures, with our decreased sense of privacy, tend to be particularly prone to this. I (the highly visible CEO of a profitable tech company) received an email from my sister some time ago, telling me about a student loan forgiveness plan she’d discovered and wanted me to check out. The email contained a link. My sister does occasionally send me random emails about things I like, and she does know about my debt burden, so it wasn’t unreasonable to expect she had sent the email. (And yes, I’m still paying off my loans for Bucknell and Wharton. Welcome to millennialhood.) But I called my sister and asked her about the email anyway. She hadn’t sent it.

So what happened? Was my sister’s email account hacked? Most likely not; no one else in my sister’s circle received any suspicious emails from her. (She changed all her passwords anyway.) What’s more likely is that someone went through my online interactions and found her. We have the same last name and she is listed as a relative on my Facebook profile. We trade playful barbs on Facebook and on my personal Twitter, and I’m fairly certain there are photos of us as kids on her Instagram. This made her the perfect contact of mine to impersonate.

And the student loan angle? I’ve joked about my student loans a few times. There is probably a video of me remarking on them floating around YouTube. My sister has made similar complaints over social media. This was, then, the perfect choice for a hook, and it was cleverly done. The IT department had far too much fun dissecting the email. It wasn’t until someone spotted a slight misspelling in my sister’s email address that the malicious intent became clear. The website the link led to appeared to be false as well.
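The detail that gave the email away, a near-miss spelling of a real sender's address, is something a mail filter can check mechanically. The following is an added example, not code from the original post: it flags sender addresses that sit within a small edit distance of a known-contact list, after folding common look-alike characters. The contact list, addresses and thresholds are constructed for illustration.

```python
"""Flag sender addresses that are near-misses of known contacts.

Added example, not part of the original post. The contact list, the
addresses and the edit-distance threshold are constructed for illustration.
"""

# Characters commonly swapped for look-alikes in spoofed addresses.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(addr: str) -> str:
    """Lower-case, strip whitespace and fold look-alike characters/digraphs."""
    addr = addr.strip().lower().translate(CONFUSABLES)
    return addr.replace("rn", "m").replace("vv", "w")


def classify_sender(sender: str, contacts: list[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender address.

    'trusted' requires an exact (case-insensitive) match with a contact.
    'lookalike' means the address is NOT a contact, but after normalization its
    local part and domain are each within `max_distance` edits of a contact's.
    """
    raw = sender.strip().lower()
    if raw in (c.strip().lower() for c in contacts):
        return "trusted"
    s_local, _, s_domain = normalize(sender).partition("@")
    for c in contacts:
        c_local, _, c_domain = normalize(c).partition("@")
        if (edit_distance(s_local, c_local) <= max_distance
                and edit_distance(s_domain, c_domain) <= max_distance):
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is the cue to do what the post recommends: contact the person out of band before touching any link or attachment.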

There is a solid chance that any person with a significant online presence could fall victim to a spearphishing attempt. There’s no true way to defend against them, but the potential effects, from ransomware to identity theft, are brutal. If you receive a spontaneous email from a contact, don’t be lazy. Check with the contact before you open any attachments or click on any links.

Caution is a good rule of thumb on the Internet, with digital attacks growing more sophisticated by the day. When in doubt, double-check everything from the email address to the language used in the email. In the world of cybercrime, vigilance is everything.

-CM

(Originally posted April 2017)