Soft Target Phishing: Mass Spear Phishing Attacks have Arrived
Adrien Gendre
—December 29, 2016
—3 min read
There is no denying that phishing and spear phishing attacks are a huge problem that continues growing. In just the first quarter of 2016, 6.3 million phishing emails were sent out, a 789% increase from the last quarter of 2015. Among those emails, a shocking 93% contained ransomware.
Between the last quarter of 2015 and the first quarter of 2016, there was a 789% increase in phishing emails.
With so many different threats like the business email compromise (BEC), ransomware, and phishing it can be hard to keep up. But, the next big thing is here: soft target phishing.
Soft Target Phishing Definition
Soft target phishing is a phishing attack that is a combination of BEC (a subtype of spear phishing) and a mass phishing attack. Instead of targeting a single individual like the BEC, or tens of thousands of people like traditional mass phishing, soft target phishing aims for a few individuals in a specific job category. The emails often include business customizations to make them more convincing.
Soft target phishing combines elements from the business email compromise and general mass phishing attacks.
For example, multiple people in the HR department receive an email with a resume from a job applicant. The email contains a customized message addressing each employee and provides some other information to make the interaction seem legitimate. Since the email seems real, the employees open the attachment, unaware that it contains malware that can now infiltrate the entire company system. This attack is similar to the BEC and spear phishing attacks in that emails are customized with seeming legitimate information. However, these attacks are different because instead of targeting just one individual asking for confidential information, soft target phishing is aimed at a group in a particular job category with malicious attachments.
Why is it so easy?
Chances are you have already had your personal information hacked, especially if you don’t keep your computer software up to date or don’t have advanced email protection. Combine this with the availability of your entire work history on LinkedIn and you have an easy recipe for creating a highly customized spoofed attacks. Soft target emails will generally slip past standard email filtering systems.
Soft target phishing attacks get past normal email filters because they don’t contain the common phishing red flags that these systems can catch.
These emails can get past the filters because they don’t contain the normal red flags that standard filtering systems look for. The emails don’t have suspicious hyperlinks or executable attachments (the type of file typically used for malware). Instead, the emails simply contain a customized written message and an attachment that looks to be just a PDF or Office document. Standard filtering does not have the capabilities to scan the contents of these types of attachments, allowing them through.
Targeted Departments
Any department in your company could fall victim to spear phishing attacks. This type of attack, however, tends to target the following departments:
- Human Resources: with all the personal data human resources deals with and has access to, they are an obvious target. A common tactic is to send emails with an attached “resume” from a job applicant. Unfortunately, the “resume” contains ransomware that once opened can infiltrate the company system.
- Billing: since this department receives many emails daily with bill or invoice attachments they are targeted similarly to the HR department. Individuals receive customized emails that make them believe the invoice or bill is legitimate, so they open the attachment, allowing ransomware to enter the system.
- Shipping department: since this department is often in a different location from the main headquarters, it is easy to target these individuals. Since they interact with different people each day they never get a sense of an individual’s email style, so basic skills taught in phishing awareness training aren’t as helpful.
So what is the best solution? Artificial Intelligence Powered email protection.
Vade Secure offers state-of-the-art email security to protect your company from soft target phishing, spear phishing attacks and all other types of email-borne attacks.
- Initial filtering: Emails are analyzed for known phishing and malware signatures, including executable files. This quickly weeds out all spam and mass attacks.
- Anti-Malware:
- We read the code embedded not just in executable files but in Office documents, PDFs, and more.
- This in-depth proprietary defense system is bolstered by two complementary anti-virus solutions.
- URL Sandboxing: All URLs are examined to be sure they do not link to malware, phishing sites, or any other malevolent site. Unlike most URL exploration engines, Vade Secure explores the URL both when it first coms through the system and also again whenever a user attempts to click on a link, thus defeating time-bombed URLs.
- Artificial Intelligence: Any remaining messages are analyzed for unknown malware and phishing tactics to prevent spear phishing and zero-day attacks that would otherwise get through the filters. Our rules-based engine is based upon processing billions of emails every day, so it is constantly learning and improving.
- Identity verification: Our Identity MatchTM system considers hundreds of subtle technical and behavioral factors to determine if the sender is who they claim to be to protect against email imposters.
- Domain verification: The sender’s domain is double-checked for authenticity
- Content Analysis: Vade Secure performs a deep analysis of every email to look for attempts from hackers to steal personal information. The artificial intelligence engine creates a warning if there are sensitive data requests within the email, like asking for personal information or credentials.
- Human Intelligence: Vade Secure mans a 24/7 global threat intelligence center with email security experts. They constantly monitor the information that comes in so that we can identify new and interesting threats.
- Spam Control: Vade Secure achieves a 99.99 percent catch rate with essentially a zero percent false-positive rate (<0.00001 percent).
- Commercial Email/Graymail Management: Delight your users with commercial email categorization and one-click auto-unsubscribes.
Are you ready to protect your company from all types of phishing threats? Sign up for a free 15-day evaluation.