Don't Take the Bait
What are Spear-Phishing Emails?
The difference between spear phishing and general phishing emails is subtle. With general phishing attacks, a message is sent to large groups of people with specific common characteristics or other identifiers (e.g. all staff at UBC). Spear phishing campaigns, on the other hand, appear to come from a trusted source that is closer to the target. Cybercriminals send these personalized emails to one person or a few persons who share a connection, such as working in the same department.
Spear phishing attacks are harder to defend against because they look like regular emails to most email security systems. Spear phishing attacks are especially dangerous because of the patience and detail that go into them.
For a spear phishing attack, the cybercriminal will study an individual or organization enough to know that if they send an email focused on a particular topic, the receiver is going to take the time to look at it.
There are a few signs to help recognize a spear phishing email:
"Too busy to talk" | The person sending the email will either be too busy to talk or in a meeting and will only be available by email. |
"Need money fast" | The sender will request payments or wire transfers immediately and there is an urgency to the email. |
"Are you at your desk" or "Got a moment?" | The sender typically follows the response to this with an urgent request for a wire transfer, or request to purchase gift cards. |
Email addresses that are slightly off | The attacker will register a similar domain name to the targeted organization but with an additional letter or number (e.g. sender@ubcc.ca) |
Emails sent from Gmail or Hotmail | Be wary of emails sent from Gmail, Hotmail or other free email domains. |
Something seems off | If the wording or the language used in the email seems strange, it could be a sign of a fraudulent email. (e.g. they start with "Dear John" when they usually say "Hi or Hello") |
Email address changes when you reply to the message | When reading the email, the sender address appears to be the expected UBC address; however, upon replying, a different email address (typically non-UBC) is shown in the To: field. |
In particular, watch out for these specific types of spear phishing attempts:
| Type | Description |
|---|---|
| CEO Fraud | A business email compromise in which fake CEO emails demand that finance transfer funds immediately to a fraudulent account for a supposed merger or payment to a vendor. |
| Whaling | A spear-phishing attack aimed at an especially valuable target, such as a CEO, a high-profile or important political figure, or extremely high-value security credentials. |
| Business Email Compromise | Similar to a whaling attack, but aimed at a less high-profile victim. For example, sending emails to an accountant to try to convince them to transfer funds for a fake business transaction. |
Additional steps to protect yourself include:
- If an email is unexpected or seems unusual, scrutinize any links in the message. Do not click them; instead, provided you feel the URL is authentic, type it into your browser to reach the linked material manually.
- If the email claims a software installation or upgrade needs to be done university-wide, verify it by checking with your Departmental IT Support Staff.
- If the email is about something that has nothing to do with your job (e.g. processing an invoice), ignore it.
- Don't open attachments if the message is from an unknown sender or if the attachment is irrelevant to your job.
- If the email looks suspicious, verify its legitimacy by phone or in person with the sender listed in the email header (if they insist they are too busy to talk, that is a red flag).
- Trust your gut: if the sender's standard email format isn't followed (e.g. their signature has changed or their email just doesn't sound quite like them), follow up to see if it's legitimate.
- Take a look through examples of spear phishing attempts, and learn how to recognize the signs of a malicious email.
- Report any suspicious email messages to security@ubc.ca.
What Can My Department Do to Protect Itself Against Spear-Phishing Attacks?
To help protect against spear phishing, UBC asks departments to:
- Ensure that systems used in performing financial transactions receive periodic validation and are protected by strict technical controls.
- Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training.
- Routinely audit compliance with established technical controls and policies.
- Reserve special-use computers to use SOLELY for banking transactions. No other use of the machine should be permitted (e.g. no email, no web browsing, no general-purpose business use), only institutional online banking transactions.
If you have any questions or receive a suspicious email, please send a message to security@ubc.ca
If you see a suspicious email with UBC branding, logos, and language please contact the UBC Information Security office immediately at the email above. When we are made aware of a spear phishing campaign, we can immediately begin identifying and protecting accounts that may have been compromised.
Fast reporting from members of the UBC community has helped save many accounts from potential privacy breaches.
If you are working from a cellphone or tablet, which can make it difficult to forward an attachment, please just forward the email to security@ubc.ca and then follow up with the attachment at your earliest opportunity, referencing the Incident ID that will have been automatically generated for you.