Why Spear-Phishing Hacks Are So Successful
Exploiting poor security. Tracking with spyware. Creating fake employees. It's all about information gathering.
By now, many healthcare employees know they should not click on unsolicited links or emails, or go to a web site without exercising caution. However, security is not their full-time job. They’re not constantly and closely scrutinizing email for threats, so it’s no wonder that some threats get through.
That’s what spear-phishing hackers are counting on. When a solicitation for information is made by an email recipient and received back by the hackers, that’s when information gathering on the target starts, says Paul Everton, founder of anti-spy mail company MailControl.
Hackers treat information gathering like the CIA does, he notes, gathering enough intelligence on an organization to understand what data it has, who talks to who in the organization, who approves payment or data transfers, and who the organization’s partners are. “The more information leaking out about how you do business and who you do business with makes this possible,” Everton contends.
Most healthcare providers do not know that about 60 percent of all emails are tracked with spyware, which is an email extension that relays user habits such as when and where an email was opened, what links were clicked, and everyone who had the email forwarded to them, according to Everton.
Once the homework is done, a hacker can call a target, posing as another employee, and ask for an invoice for a particular contractor that has a relationship with the healthcare organization, because the hacker found the contractor on the organization’s web site.
Or, a hacker can send an email to an employee with a tracking code and get the employee to send the mail to the organization’s accounting firm. Then, the hacker can email the firm, identify himself and his company, and ask for the company’s customer list, giving a similar company email address that is really going back to the hacker.
Consequently, nothing seems unusual when the fake employee—sending an email under a legitimate employee name and acting in the normal course of business—then says, “We need to pay this vendor $100,000; here’s the account to be approved and here’s where the payment goes.”
The bottom line, it’s all about the information gathering first, Everton says.