Why Spear-Phishing Hacks Are So Successful

Exploiting poor security. Tracking with spyware. Creating fake employees. It's all about information gathering.

By now, many healthcare employees know they should not click on unsolicited links or emails, or go to a web site without exercising caution. However, security is not their full-time job. They’re not constantly and closely scrutinizing email for threats, so it’s no wonder that some threats get through.

That’s what spear-phishing hackers are counting on. When a solicitation for information is made by an email recipient and received back by the hackers, that’s when information gathering on the target starts, says Paul Everton, founder of anti-spy mail company MailControl.

Hackers treat information gathering like the CIA does, he notes, gathering enough intelligence on an organization to understand what data it has, who talks to who in the organization, who approves payment or data transfers, and who the organization’s partners are. “The more information leaking out about how you do business and who you do business with makes this possible,” Everton contends.

Most healthcare providers do not know that about 60 percent of all emails are tracked with spyware, which is an email extension that relays user habits such as when and where an email was opened, what links were clicked, and everyone who had the email forwarded to them, according to Everton.

Once the homework is done, a hacker can call a target, posing as another employee, and ask for an invoice for a particular contractor that has a relationship with the healthcare organization, because the hacker found the contractor on the organization’s web site.

Or, a hacker can send an email to an employee with a tracking code and get the employee to send the mail to the organization’s accounting firm. Then, the hacker can email the firm, identify himself and his company, and ask for the company’s customer list, giving a similar company email address that is really going back to the hacker.

Consequently, nothing seems unusual when the fake employee—sending an email under a legitimate employee name and acting in the normal course of business—then says, “We need to pay this vendor $100,000; here’s the account to be approved and here’s where the payment goes.”

The bottom line, it’s all about the information gathering first, Everton says.

Information-Management

 

« New Cyber Tricks Make ISIS Sophisticated
Staff Training 'Not enough to stop most data breaches' »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

DriveLock

DriveLock

Our security solution is designed to prevent external attacks, which are evermore sophisticated as well as monitor, document and even prevent internal incidents.

EC-Council

EC-Council

EC-Council is a member-based organization that certifies individuals in various e-business and information security skills.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

Kenexis

Kenexis

Kenexis is a consulting engineering firm providing services for process hazards analysis, fire and gas mapping, and industrial cybersecurity.

Ikerlan

Ikerlan

Ikerlan is an R&D technology centre specialising in areas including embedded systems, industrial automation and industrial cybersecurity.

Option3

Option3

Option3 (formerly Option3Ventures - O3V) primarily seek control investments in the growing cybersecurity mid-market, seeking to build champions with the scale to bring cutting-edge products to market.

Switchfast Technologies

Switchfast Technologies

Switchfast Technologies is an IT consulting and managed services provider, offering IT support and consulting to Chicagoland small businesses.

Cybots Pte Ltd

Cybots Pte Ltd

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

Blacksands

Blacksands

Blacksands is a leader in network architecture, identity & services management, threat analysis, industrial IoT architecture, and invisible dynamic networks.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

DataSolutions

DataSolutions

DataSolutions is a leading value-added distributor of transformational IT solutions in the UK and Ireland.

Snare

Snare

Snare is a comprehensive set of event monitoring and analysis tools designed to address critical auditing and security requirements.

Schellman

Schellman

Schellman is a leading provider of attestation and compliance services.

MAUSHIELD

MAUSHIELD

MAUSHIELD is the national platform for sharing cyber threat information and intelligence that can help organisations to improve their cybersecurity posture, minimize risks and prevent cyber-attacks.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

Lighthouse IT

Lighthouse IT

At Lighthouse IT, we are focused on delivering seamless and reliable services to unlock the value of technology for your business.