Epsilon’s recent loss of email data to hackers has brought new attention to the problem of spear-phishing.  

What is spear-phishing?  In order to answer that question, you need to know what phishing is.  Phishing is email designed to appeal to the recipient’s desires, fears and curiosity in order to get the recipient to act to his or her own detriment.  Typically, that action is to click a link that goes to a fake website that asks for information in order to commit identity theft.  Sometimes these emails are very ineffective, to the point of being funny.  We are all familiar with the Nigerian millionaire emails that are randomly sent to millions of people in hopes that a few people will act.  More effective are phishing schemes that are sent to millions of people but which have a real resonance with a few recipients.  Few people have a dead uncle in Nigeria – lots of people have Coke Rewards memberships.  That is why bad guys sent out fake Coke Rewards emails that linked to a fake website designed for identity theft.  The subset of recipients who had Coke Rewards memberships might be enticed by the email.  The standard phishing scam has three characteristics: 

  1. The email is sent randomly to a lot of people.
  2. Personalization is a matter of chance.  If a large number of people get the same email pretending to be from a popular sender, some of the recipients will have a relevant relationship.  Think of the Coke Rewards program. In a large group of people, some will be Coke Rewards members.
  3. The purpose is to get the recipient to go to a fake website and provide data that can be used for identity theft.  Recently, criminals have resorted to using crimeware that takes remote control of the victim’s computer, thereby facilitating identity theft.

So, what is spear-phishing?  Spear-phishing is an enhanced phishing attack that uses personalized information about the recipient to heighten the perceived value of the call to action.  In the classic spear-phishing experiment, conducted at the U.S. Military Academy in 2004, the experimenters sent cadets an email from a fictitious military officer raising questions about a recent grade report.  This email elicited responses from over 90% of the freshman class.  The email was effective because it was so well crafted around the interests of the recipient.  The recipient was a cadet.  The email was from a military officer.  The email was about an important recent event in the cadet’s life.  This level of customization usually requires a lot of work to assemble the personalizing facts.  Because it is hard to personalize on a large scale, spear-phishing is usually directed at a small number of people.  Examples include the attacks on the French Finance Ministry, the government of Canada and the government of the United States.  In these government attacks, the purpose was espionage, not identity theft.  Epsilon’s data breach changed that – now criminals have personal information about millions of people.  SecurityWeek reports,

 . . . having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher “hit rate” than a typical “blind” spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

A Marriott Rewards & Ritz Carlton Rewards spokesperson told SecurityWeek that their customer names, email addresses, and member point balances were exposed.

Think about the Marriott Rewards and Ritz Carlton Rewards data.  The bad guy knows your email address, your name, that you are a member of the rewards program, and your point balance.  If you receive an email that uses all of this information, that email contains a lot of data indicating that it is real.  Would you click a link and log on to complete a form that offered you 10,000 bonus points or a free-night coupon for completing a survey?  Would criminals be this clever?  Yes.  This is the Coke Rewards scam, enhanced with your name and your points balance.

What can consumers do?  You should be alert to potential scams.  And of course you should use the latest version of a reputable security product and install all the security patches for your operating system and applications.  But you need to do more.  You need a product that will identify legitimate emails from many of the leading consumer brands.  Distinguishing real email from fake email is hard unless you have the right tool.  Can you find the real email from Best Buy?

Know Who.  No Doubt.  Use eMail ID.  It’s available from PayPal and Trend Micro.  It’s free! 

What can businesses and government do?  The requirements of businesses and government are different from the needs of consumers.  Businesses and government agencies customize their email systems to meet their particular needs.  Moreover, the consumer brands whose email eMail ID marks for free are irrelevant to businesses and government agencies.  Businesses and government agencies want employees opening emails from HR, not Home Depot.  To address the special needs of business and government, Iconix has developed a for-fee solution called SP Guard™.  SP Guard is available now from Iconix.