In October, 10,000 users of the professional social-networking site LinkedIn.com received what appeared to be a legitimate e-mail from a member of LinkedIn's technical support team. The e-mail claimed to include an attachment containing a "list of business contacts" and enticed recipients to open it. Despite its official appearance, however, the attachment actually contained a piece of malware.
The incident was one of the most prominent spear phishing attempts to date. Unlike phishing, where a hacker spams thousands of recipients with a generic, fraudulent e-mail to trick users into divulging personally identifiable information, spear phishing is much more ingenious. These types of attacks target a specific group of people, often employees at a company, with malicious e-mails that appear to be sent from an authority or company executive.
Cutting the Line
Because spear phishing e-mails don't look like spam, security software does little to prevent these attacks. IT should continually update anti-spam and anti-phishing software on mail servers as a preventive measure. In addition, experts recommend that in-house counsel, IT security and HR band together to educate employees.