5 Tips on how not to become a Spear Phishing Victim

Written by Mike Rede on March 31, 2010

Remember the movie ‘Cast Away’, starring Tom Hanks, about a man who becomes stranded on an island and has to relearn some of the most basic survival skills, such as making fire, building shelter, improvising clothes and footwear, doctoring himself and, most importantly, finding food?

At the beginning of the island scenes the castaway tries casting a fishnet in the hope of catching fish but manages to catch only a few small sardines. The movie then fast-forwards and we find that the castaway has refined his food-hunting skills and is now able to catch a much larger fish with a single throw of a spear.

In the email security world, this is very much what has happened with phishing attempts against large organizations. In the beginning these attacks were like the casting of a wide net: a mass email sent to as many individuals in the organization as possible, in the hope of hooking a small percentage of recipients and thereby obtaining private but valuable information that was later used to cash in on the unsuspecting victims.

Just as our novice fisherman in the movie learned new skills that let him catch a bigger fish with less time and energy, so the phishing community has evolved to catch a bigger fish within a large organization in a shorter time and with more accuracy, using targeted attacks now known as “spear phishing”.

Traditional phishing tactics involved fraudulent emails and fake web sites set up to collect the details of your identity (name, address and credit card numbers) in the hope of running your credit cards up to their limits. Spear phishing is a more targeted approach: the emails are sent to specific groups of individuals who meet specific criteria, such as high-ranking members of an organization.

There are several safety measures that companies can take to prevent employees’ identities from being stolen. Such safety measures include:

  1. If you do not know who the sender is, do not open the email.

    This is the simplest and most effective way to keep someone from stealing your identity. If you do not recognize the name of the person or company who sent the email then, very simply, do not open it. Most emails that get replied to were replied to because the recipient opened them and, at a glance, took the originator’s address for a legitimate sender. Bear in mind that both the display name and the From address of an email are easily forged, so a familiar-looking sender proves nothing by itself.

  2. If you are thinking about replying to the email, at the very least investigate the background of the sender and their company first.

    Once an email has been opened there is a higher chance that it will be replied to, and that the reply will contain personal information. Recipients of suspicious emails should try to contact the company the email claims to come from, using contact details obtained independently rather than the phone numbers, addresses or links given in the email itself: check phone numbers and addresses, and even go so far as to contact the local Better Business Bureau.

  3. Do not click on any links or icons in the email.

    Oftentimes a spear phishing email will include links or icons with the obvious intent that the recipient will unsuspectingly click on them and unknowingly download, and in some cases launch, an application modeled on the Trojan horse attacks that should be well known to all system administrators by now. The applications behind these links are usually not destructive; they exist as parasites on the now-exposed system, capturing keystrokes and uploading them to a remote site where the data is mined for usernames, passwords, credit card numbers and other valuable information. Before clicking anything, hover over the link and compare the real destination with the text shown; a link that reads as one site but points at another is a giveaway.

  4. Report any suspicious emails.

    For example, I have received several emails over the years from different spoofers who have purported to represent PayPal. Instead of immediately replying to these suspicious emails I opted to contact the real PayPal company using customer service phone numbers or known (saved) email addresses from them. After a while I knew where to send (forward) suspicious emails. I would forward these suspicious emails to such addresses as spoof@paypal.com or complaint-response@paypal.com. You should always remember to provide the date and amount of any money that is being requested of you.

    Always file complaints with the Internet Crime Complaint Center (IC3) at http://www.ic3.gov/default.aspx.
    “The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA). IC3’s mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.” – as listed on the IC3 web site.

  5. Implement filters which will scan for phishing attacks.

    For instance, Microsoft’s SmartScreen Filter, a feature of Internet Explorer 8, is designed to protect you from fraudulent websites. It runs in the background, checks the websites you visit against a continuously updated list of suspected phishing websites, and asks you whether you really want to go to a particular site. A red warning notification is issued if the filter matches a website against its list. File downloads are also checked. A reputation list can only catch sites that have already been reported, so pair it with mail-side checks of who the sender really is and where the links in the message really go.
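The sender checks, the link checks and the filtering advice above can be automated on incoming mail rather than left to each recipient. The following Python script is an added example, not code from the original post or from any vendor product. It parses one raw message and reports the indicators discussed above: a display name that claims a brand the sending domain is not entitled to, a Reply-To that diverts replies to another domain, links whose visible text does not match their real destination, links to bare IP addresses, and hosts that imitate a protected brand. The PROTECTED_BRANDS table and the sample message are constructed for the demo and are assumptions, not real data; unlike a reputation-list filter it works purely from the content of the message, so it also catches sites nobody has reported yet.

```python
"""Added example (not from the original post): heuristic scanner that flags
the spear-phishing indicators discussed above in one raw email message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this organisation protects, mapped to the domains that
# may genuinely send on their behalf. Extend for your own environment.
PROTECTED_BRANDS = {"paypal": {"paypal.com", "e.paypal.com"}}

# Constructed sample for the demo; it is not a real message.
SUSPICIOUS_EML = """\
From: "PayPal Customer Service" <service@paypa1-secure.example>
Reply-To: collector@mailbox.example
To: cfo@corp.example
Subject: Your account requires verification
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, please
<a href="http://198.51.100.7/login">click here</a> or visit
<a href="http://www.paypal.com.verify-login.example/">www.paypal.com</a>
to confirm your details within 24 hours.</p></body></html>
"""

HOSTLIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")  # link text shown as a URL/host
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare text such as 'www.paypal.com'."""
    s = url_or_text.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def allowed_for(brand, domain):
    """True if domain is one of the brand's genuine sending domains."""
    return any(domain == d or domain.endswith("." + d) for d in PROTECTED_BRANDS[brand])


def scan_message(raw):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    # Display name claims a brand that the sending domain is not entitled to use.
    for brand in PROTECTED_BRANDS:
        if brand in name.lower() and not allowed_for(brand, from_domain):
            found.append(f"display name claims {brand!r} but sender domain is {from_domain}")

    # Replies are quietly routed to a domain other than the apparent sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Where each link really goes, as opposed to what the reader sees.
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for href, text in parser.links:
        host = host_of(href)
        if IPV4.fullmatch(host):
            found.append(f"link to raw IP address {host}")
        if HOSTLIKE.fullmatch(text.lower()) and host_of(text) != host:
            found.append(f"link text {text!r} but real host is {host}")
        for brand in PROTECTED_BRANDS:
            if brand in host and not allowed_for(brand, host):
                found.append(f"host {host} imitates {brand!r}")
    return found


if __name__ == "__main__":
    for hit in scan_message(SUSPICIOUS_EML):
        print("-", hit)
```

Run it as a script to see the five indicators the sample triggers; in a mail pipeline you would call scan_message() on each message and quarantine or tag anything that returns a non-empty list. The brand table is deliberately explicit: a generic "display name does not match domain" rule would flag every legitimate "Customer Service" sender, whereas a short list of brands you actually receive mail from keeps the false-positive rate manageable.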
