Don’t be caught by the Spear Phishermen
I think we’re all pretty horrified by the news this week that top athletes have had their personal medical data released by hackers who were able to break into the files of the World Anti-Doping Agency (Wada).
It has affected the likes of Sir Bradley Wiggins, Chris Froome and multi-Olympic gold medal winning US athlete Simone Biles.
We’re getting quite used to such things, but it all seems that much more despicable when it relates to such deeply personal material as medical data.
We have come a long way in educating people generally about the methods criminals will use to get hold of their logins and other confidential details. Many people will now be familiar with the term ‘phishing’: the practice of sending out millions of emails pretending to be something they’re not, in order to get users to unwittingly give up information.
What’s less well known is the variant of that practice known as ‘spear phishing’, which is believed by Wada to have been used here. As the name suggests, it’s a more targeted approach.
Instead of casting the net wide with, say, a generic email pretending to be from your bank, in the hope that enough people will fall for it and give up their details, a spear phishing attack homes in on an individual or specific organisation from the start.
It’s particularly dangerous because it’s engineered to be convincing in those specific circumstances. The attacker is likely to have done some research. So, for instance, an email or phone call from the criminal might refer to something or someone familiar to the person they’re approaching. They might even have found some personal details on their target, such as their favourite football team or coffee shop, much of which people reveal through everyday social media use. It gives a ring of truth to the enquiry that might just tip someone over the edge into revealing something they otherwise might not.
This approach relies even more heavily on psychology and human nature – if it’s convincing enough the target might feel rude (or even be in fear for their career) if they don’t comply with what might be a bona fide request.
It would be very easy to point the finger at Wada – though to some extent that must still happen – but these carefully engineered attacks can be very hard to defend against.
It’s why people, your staff, remain the weakest point in any digital security set-up. You can put in all of the hardware and software in the world, but if the staff are not suitably educated on the risks they pose, it’s all for nothing.
The protocols need to be strong, clear and regularly checked and reinforced, whether they concern keeping door entry codes secret or go all the way up to the accounting system and customer database!
It’s something we consult with clients on, helping them to create, promote and enforce good practice among their staff who, in turn, know the risks and consequences of failing to take it all on board. It’s tough, but you can fight back against the ‘spear phishermen’!