The Internet is abuzz with news that eBay is the victim of the latest data breach, and it's a big one. Business Insider reports that millions of users' logins, addresses, and personal information might have been compromised.
Cyber criminals used hacked employee accounts to access databases that contained a treasure trove of user data. The breach prompted eBay to alert between 100 and 200 million users, informing them that they should change their passwords.
The good news – if you can call it that – is that no financial information was compromised. In fact, eBay had stored its financial information in a separate location in encrypted files, which was a very wise decision.
But even though credit card numbers weren’t compromised, the eBay attack could lead to other breaches. That’s because hackers got personal information like usernames and passwords that could reveal victims' shopping history and other intimate details. Armed with this data, cyber criminals are well-equipped to design a spear phishing attack – that is, a highly customized email attack.
Read on for details about the dangers of spear phishing.
What Is Spear Phishing and Why Is It Dangerous?
A phishing email attack is when a cyber criminal sends a malicious email that contains links or attachments that can lead to a data breach. A spear phishing attack is a more sophisticated version in which attackers customize an email, making it look like it comes from a recipient's business partner or friend.
In essence, these attacks are a wolf in sheep's clothes. In recent years, they've become so sophisticated that hackers write messages based on your recent activity on social media. These custom emails might ask questions about topics you often discuss or purchases you've recently made. Here are two real-life examples of cyber criminals using these “socially engineered” attacks:
- A spear phishing email was sent to doctors asking them to send patient records. A group of doctors were fooled because the email looked like one of the standard requests they receive on a day-to-day basis. (To learn how this technique caused three data breaches in Texas, see our article "Tried and True: Phishing Scams Still Cause Data Breaches.")
- A law firm was hacked when a secretary received an email that looked like it came from the firm’s payroll and accounting vendor.
These targeted attacks can be devastating. Most users are familiar with the generic spam email messages they receive and know not to click on links they contain. But how many of your clients realize that hackers can now customize their phishing attacks based on the information targets post on LinkedIn, Facebook, Twitter, and other publicly available social media accounts?
The first phishing attacks occurred in the early days of the Internet on AOL. But with the massive amount of information companies and consumers post about their lives and business activities, these attacks are seeing a shocking resurgence.
How Do Spear Phishing Attacks Steal Data?
Spear phishing attacks steal your data by getting users to open an email’s malicious attachments or links. Here's how these cyber attacks typically work:
- Tricky links. Hackers can disguise malicious links in a variety of ways. Some phishing emails are disguised to look like password reset emails. You might get an email that looks like it’s from a website you often visit. The email asks that you reset your password for security reasons. When you click on the link, it either takes you to a phony website that steals your login info, or it routes you through a look-alike proxy site that captures everything you type thereafter.
- Malicious attachments. Malware can be hidden inside attachments. Maybe you've heard of the Target data breach? Well, a malware bot program was tucked in an email sent to a company that worked for Target. After the contractor opened the attachment, the bot was able to steal the contractor’s login information and eventually access Target's network.
Tips on How to Recognize and Avoid Spear Phishing Attacks
How do you prevent a spear phishing attack like the one that hit eBay? As with so many things in data security, the answer is a mixture of technical solutions and common sense strategies:
- Check links before you click them. Teach your employees and clients to hover over any suspicious links. Have them check the actual destination where it appears in the browser's status bar, and compare it with the text the link displays. Any suspicious, non-standard domain names should be avoided. (A more thorough explanation of these techniques can be found in Norton's guide to spear phishing.)
- Teach employees about the standard varieties of phishing attacks. Warn your clients about password resets and requests for information that feel too generic to be real or that don't come from someone they email on a regular basis.
- Don't use a password on multiple sites. Remind your clients that if they have reset their eBay passwords, they also have to reset accounts on any other website that uses the same password. It's best to avoid this problem by having a unique, complex login for each site.
- Use password managers. Clients might not think it's feasible to have so many unique passwords, each with a mix of numbers, symbols, and letters. How does someone remember all that? One solution is to use a password manager program, which relies on one complex password to store a series of other complex passwords for all your accounts.
- Use smarter software. Microsoft's 2013 Computing Safety Index reports (PDF) that only 21 percent of users take advantage of web filters that help prevent spear phishing attacks. Some clients might have anti-malware programs but haven't configured them properly. Make sure these are set to actively scan for malware, rather than wait for a user to initiate a scan.
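The "hover and check the domain" advice above can be automated for mail that arrives as HTML. The script below is an added example (not from the original article or any vendor it mentions): it pulls every link out of a constructed sample message and flags links whose visible text names one domain while the href points somewhere else, or whose host is not in an assumed list of domains the organisation expects to see.

```python
"""Flag 'tricky links' in an HTML e-mail: visible text vs. real href."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): domains this organisation legitimately links to.
EXPECTED_DOMAINS = {"ebay.com", "example-payroll.com"}


def _registered_domain(host):
    """Crude last-two-labels domain (no public-suffix list); enough here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _domain_in_text(text):
    """If the visible link text looks like a URL or bare host, return its domain."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if " " in text or "." not in host:
        return None  # plain words such as "Help center" carry no domain claim
    return _registered_domain(host)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body):
    """Return (href, visible_text, reason) for each link worth a second look."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        real = _registered_domain(urlparse(href).hostname or "")
        shown = _domain_in_text(text)
        if shown and shown != real:
            findings.append((href, text, "visible text domain differs from href"))
        elif real not in EXPECTED_DOMAINS:
            findings.append((href, text, "href host not in expected domains"))
    return findings


# Constructed sample: a fake password-reset mail with two disguised links.
SAMPLE_EMAIL = """<p>Please visit <a href="http://ebay.com.account-verify.example/reset">https://www.ebay.com/reset</a> within 24 hours.</p>
<p>Or contact <a href="http://ebay-security-team.example/login">eBay Security</a>.</p>
<p>Questions? <a href="https://www.ebay.com/help">Help center</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine help-center link alone.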
Adopting a strategy to inform your clients about the risks of spear phishing and ways to prevent it is crucial for small IT companies. With both eBay’s and Target's data breaches caused by phishing scams, it's important to protect clients against this serious cyber weapon.
If a client's data is hacked, you could be held legally responsible and sued for six or seven figures’ worth of damages. Prevention is key, and so is IT Risk Management. Errors and Omissions Insurance can protect you from the cost of data breach lawsuits when a client's data is compromised.
For a free quote on IT business insurance, submit an online insurance application. Our agents can get you data breach coverage fast – usually within 24 hours.