UBC Cybersecurity is aware of multiple Payroll Direct Deposit phishing campaigns in progress and we need your help to identify and report these attacks as they happen.
Read more here - Preventing fraudulent changes to the direct deposit information of UBC staff

QUESTION IT: Don't take the bait

What are spear phishing emails?

The difference between spear phishing and general phishing emails is subtle. With general phishing attacks, a message is sent to large groups of people with specific common characteristics or other identifiers (e.g. all staff at UBC). Spear phishing campaigns, on the other hand, appear to come from a trusted source that is closer to the target. Cybercriminals send these personalized emails to one person or a few persons who share a connection, such as working in the same department.

Spear phishing attacks are harder to defend against because they look like regular emails to most email security systems. Spear phishing attacks are especially dangerous because of the patience and detail that go into them.

For a spear phishing attack, the cybercriminal will study an individual or organization enough to know that if they send an email focused on a particular topic, the receiver is going to take the time to look at it.

How can I recognize spear phishing emails?

The average cost of a spear phishing attack is $1.6M

Not only is spear phishing increasingly common, but attacks are proving to be very costly. ¹

1 in 3 companies have been victims of CEO fraud emails

More than 50 organizations, including Snapchat, were successfully targeted by CEO fraud emails this past tax season. ²

¹https://blog.cloudmark.com | ²https://www.alienvault.com

1How can I recognize spear phishing emails?

The success of spear phishing depends on three things: the email must appear to come from a known and trusted individual; there is information within the message that supports its validity; and the request, made by the individual, seems to have a logical basis (e.g. processing a payment for a vendor).

There are a few signs to help recognize a spear phishing email:

"Too busy to talk" - The person sending the email will either be too busy to talk or in a meeting, and will only be available by email.
"Need money fast" - The sender will request payments or wire transfers immediately and there is an urgency to the email.
"Are you at your desk" or "Got a moment?" - The sender typically follows the response to this with an urgent request for a wire transfer, or request to purchase gift cards.
Email addresses that are slightly off - The attacker will register a similar domain name to the targeted organization but with an additional letter or number (e.g. sender@ubcc.ca)
Emails sent from Gmail or Hotmail - These emails are less common nowadays as spear phishing gets more advanced, but be wary of emails sent from Gmail, Hotmail or other free email domains.
Something seems off - If the wording or the language used in the email seems strange, it could be a sign of a fraudulent email. (e.g. they start with "Dear John" when they usually say "Hi or Hello")
Email address changes when you reply to the message - When reading the email, the sender address appears to be the expected UBC address; however, upon replying, a different email address (typically non-UBC) is shown in the To: field.

In particular, watch out for these specific types of spear phishing attempts:

CEO Fraud: A business email compromise where fake CEO emails demand that finance transfer funds immediately to a fake account for a supposed merger or payment for a vendor.
Whaling: A spear phishing attack that is aimed at an especially valuable target such as a CEO, important political figure, or extremely high value security credentials.
Business Email Compromise: Similar to a whaling attack, but aimed at a less high profile victim. For example, sending emails to an accountant to try to convince them to transfer funds for a fake business transaction.

How can I protect myself against spear phishing attacks?

2How can I protect myself against spear phishing?

Watch out for emails with unusual requests and ensure that before you release a payment, you have two people sign-off on all documentation. UBC also recommends speaking with your supervisor to clarify that the request is authentic.

Additional steps to protect yourself include:

If an email is unexpected or considered to be unusual then scrutinize any links in the message. Do not click them and instead type them into your browser, provided you feel the URL is authentic, in order to manually access the linked material.
If the email claims a software or upgrade needs to be done university-wide, verify it by checking with your Departmental IT Support Staff
If the email is about something that has nothing to do with your job (e.g. processing an invoice) ignore it
Don't open attachments if the message is from an unknown sender or if the attachment is irrelevant to your job
If the email looks suspicious, verify its legitimacy by phone or in person with the sender listed in the email header (if they insist they are too busy to talk, that is a red flag)
Trust your gut, if the sender’s standard email format isn’t followed (e.g. their signature has changed or their email just doesn’t sound quite like them), follow up to see if it's legitimate
Take a look through examples of spear phishing attempts, and learn how to recognize the signs of a malicious email
Report any suspicious emails messages to security@ubc.ca

What can my department do to protect against spear phishing attacks?

3What can my department do to protect against spear phishing attacks?

To help protect against spear phishing, UBC asks departments to:

Ensure that systems used in performing financial transactions receive periodic validation and are protected by strict technical controls
Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training
Routinely audit compliance with established technical controls and policies
Reserve special-use computers to use SOLELY for banking transactions. No other use of the machine should be permitted (e.g. no email, no web browsing, no general-purpose business use), only institutional online banking transactions

If you have any questions or receive a suspicious email, please send a message to security@ubc.ca

Can I see examples of spear phishing?