Why School Officials Should Be Aware of Spear Phishing

Have you ever received an email asking for login information? How about an email asking for your username or social security number? Many people realize that the requests are scams, but recently these email messages have become much more sophisticated.

This is called phishing: an attempt by a malicious individual or group to obtain private or sensitive information, such as usernames, bank account numbers, passwords or other useful data, from the recipient. In most instances, the sender appears to be completely legitimate. The criminals who carry out these attacks generally go so far as to dress up their email with logos and links copied from the website or business they are impersonating.

Spear Phishing is a variant of phishing that has become much more common in recent years. Rather than sending out millions of messages or casting out a large net, these attackers spend more time researching targets and use a more targeted approach, hence the name “Spear Phishing.”

We recently caught wind of a Spear Phishing attack where the culprit went right after money. The attacker pretended to be a school official and sent an email to the finance office asking them to cut a check for goods that the school district had received.

The exchange appeared to be a completely normal business interaction within the district. The attacker spoofed the email headers so that the message appeared to come from the school official, and set the reply address so that every reply went to a separate email account controlled by the attacker. Unless the message was examined more closely, the spoofing was undetectable.

The attacker set up the trap by sending an email asking whether or not the finance official was going to be in the office so they could assist with a particular task. The finance official replied with their availability. Next, the attacker sent the request, asking for money to be sent for goods purchased. They included the banking information and asked to be kept up to date on the payment. The finance official replied that they had taken care of the request and the money had been sent. Finally, the attacker followed up with a message thanking the finance official for the help. During the entire exchange, the attacker used personal greetings and a familiar signature block to further mask their trap.

Thankfully, the finance official followed up with the school official with an alternate form of communication shortly thereafter and they quickly realized they’d fallen victim. That step is what ended up saving this district, but it just as easily could have been skipped.

Spear Phishing attacks are very common, and as more of what we do moves online, they are increasingly successful because they are very difficult to spot. We recommend that everyone take a moment to review their business processes and look for areas that could be susceptible to this kind of attack. For example, create a rule that prevents any financial transaction requested electronically from being completed without verification through a separate form of communication. That is what prevented this attack.

In addition, the United States Computer Emergency Readiness Team provides the following tips to avoid becoming the target of a spear phishing attack.

  • Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

  • Don’t send sensitive information over the internet before checking a website’s security (see “Protecting Your Privacy” for more information).

  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain.

  • If you’re unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.

  • Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic (see “Understanding Firewalls,” “Understanding Anti-Virus Software” and “Reducing Spam” for more information).

  • Take advantage of any anti-phishing features offered by your email client and web browser.