Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 212: UNDERSTANDING THE RISK OF SPEAR-PHISHING
Reference Number ACG-CSB 071821212
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Whether you rely on email for business or simply use it on occasion for personal use, it is important to be wary of scams that cybercriminals use in attempts to steal something from you. Among the most popular scams is phishing, where thieves set what can be considered a virtual trap using email. As its homophonous name implies, the thieves bait victims like a fisherman might bait his fish.
Spear phishing attacks are targeted at specific individuals, whereas general phishing attacks are usually sent to masses of email addresses simultaneously in the hope that someone takes the bait. With spear phishing, thieves typically target select groups of people who have one thing in common. Maybe you all work at the same company. Maybe you’re all students at the same university. Or maybe you all use the same local bank. Whatever they seek out, they do it because it works. Spear phishing techniques are used in 91% of attacks.
Spear phishers need some inside information to start with. This might be a company-wide email alias or other insider information that helps convince targets of the emails’ legitimacy. For even more targeted attacks, the cybercriminal might study his or her target’s habits or environments.
One popular approach sees individuals receive emails from someone whom they trust, like a personal assistant or company IT manager. The email will look nearly identical to what the target is used to receiving from that person. It will likely have all relevant logos and names attached. This email convinces the victim to click a link to reset a password.
Upon opening the link, the victim is directed to a website where they are asked to enter their current username and password. And just like that, the spear phisher has the spear-phished user’s login information, or whatever else they might have baited the victim into providing.
Spear phishing makes up the majority of phishing-type attacks in part because the end reward is clear. These criminals are typically looking for information or access that can lead to financial gain, whether immediate or longer term, or for valuable insider information. In 2016, identity theft and fraud cost consumers over $16 billion. While spear phishing attempts were not responsible for the full haul, it is clear that the stakes are high.
All PNP personnel as well as the public are advised to follow these tips in order to avoid the risk of SPEAR-PHISHING:
- Change your password. If you provided your password or any sort of personal information, change your passwords right away. Even if the scammers did not take your password, they might have the ability to access your accounts with whatever information they did take. To be safe, create new passwords for all of your accounts, and make sure to keep them strong.
- Contact credit companies and agencies. If you’ve given away any personal information, you can either monitor your credit on your own – or better yet – contact one of the major bureaus to place a fraud alert on your account. Likewise, reach out to your credit card companies to bring them up to speed on the situation.
- Update your software. For security reasons, you should always keep your software up to date. It should have the latest patches for viruses and other malware. While these threats are not always attached to spear phishing attacks, it is not unheard of.
For additional information, please refer to the following websites:
POINT OF CONTACT