Sophisticated, targeted phishing attacks have successfully swiped data from roughly 15,000 victims within the last 15 months, according to Internet security company VeriSign. VeriSign believes that almost all of these attacks are coming from just two groups.
"Unlike traditional phishing attacks, which are sent to millions in hopes of luring some victims to fake Web sites, spear-phishing emails contain personal information, such as the name of the victim or his employer's name to make them appear legitimate. In the attacks tracked by Verisign, victims are tricked into visiting malicious Web sites or opening malicious attachments, which then give attackers a back door onto their PCs so they can steal information."
This latest round of spear-phishing attacks is targeted at individuals with business e-mail addresses, and in particular at business executives. This type of attack is sometimes referred to as "whaling." The attacks have been so successful because they prey on a very human characteristic: fear. Many of the e-mails claim that the recipient is being sued or is being audited by the IRS.
This sort of combination of social engineering and technical bravado can be very successful. The frightening and unexpected content of such an e-mail is quite capable of clouding the judgment of even the most tech-savvy or skeptical recipient.
Yet again, the lesson here is to always be skeptical of the veracity of any e-mail you receive, especially from a sender you don’t know. No matter how official or genuine an e-mail that claims to require your action looks, never click on a link inside it. And before you panic after reading an e-mail that tells you something unpleasant and unexpected is going to happen to you, stop and ask yourself whether such information would ordinarily be disseminated in such a manner. While e-mail has become a primary means of communication, such official notifications still use more traditional channels, such as physical mail.