The National Cyber Security Centre (NCSC) has released a security advisory regarding a spear-phishing campaign that is targeting various government departments. Cyber-criminals are sending spear-phishing emails from a legitimate-looking but spoofed email address. The NCSC recommends that all government IT Security Managers advise their employees not to click on the hyperlink contained in the body of such spear-phishing emails.
Spear phishing is similar to phishing but targets a specific organization or a specific individual, seeking unauthorized access to confidential data by using email as the platform to carry out the fraud attempt.
Such spear-phishing emails come in various forms. Some inform the recipient that the delivery of an earlier email has failed and that, to view that email, they should click on the link below. Others contain a fake message designed to entice the recipient to either click the link or open the attachment. In the case of a link, recipients are taken to a webpage that requests their email address and password, while the attachment may contain a Trojan which would ultimately infect the system.
An example of the spear-phishing email and the corresponding webpage that a recipient will be diverted to is shown below.
NCSC suggests that employees should not reply to such emails, follow the link, or enter any details in the corresponding webpage. If an employee has previously entered their details, they are advised to contact their IT Security Team immediately.
eScan suggests the following preventive measures that will save you from falling prey to such attacks.
- Identify phishing emails: such mails are filled with countless grammatical errors and are often written in awkward English.
- Never respond to emails or messages from unknown senders that have “undisclosed recipients” in the address line.
- Do not click on the link mentioned in the mail; if required, type it in another browser tab to see what it contains.
- If you do happen to click such a link and see a request for your banking credentials or other details for any kind of verification or updating purpose, do not enter your personal or financial information.
- Never provide information related to your credit card, bank account numbers or passwords to any unknown site or a fake site.
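For IT security teams, the indicators named above (an "undisclosed recipients" address line, a hyperlink in the body, the failed-delivery lure, an attachment) can be checked automatically when triaging reported mail. The following is an added example, not part of the NCSC advisory or any eScan product; the sample message, its addresses and domains, and the indicator labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not from the advisory); names and domains are placeholders.
SAMPLE = """\
From: Mail Admin <postmaster@example.gov>
To: undisclosed-recipients:;
Subject: Delivery of your earlier email has failed
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Delivery of your message failed. To view that email
<a href="http://mail-view.example.net/login">click here</a>.</p>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Wording of the "earlier email failed, click to view" lure described above.
FAILED_RE = re.compile(r"(delivery|message|e-?mail)\b.{0,40}\bfail", re.I | re.S)


def triage(raw):
    """Return the advisory's indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    hits = []
    # Indicator: "undisclosed recipients" in the address line.
    if re.search(r"undisclosed[\s-]*recipients", str(msg.get("To", "")), re.I):
        hits.append("undisclosed-recipients")
    # Gather the subject and every text part; record attachments separately.
    text, attachments = [str(msg.get("Subject", ""))], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_maintype() == "text":
            text.append(part.get_content())
    body = "\n".join(text)
    if URL_RE.search(body):
        hits.append("link-in-body")
        # The lure only counts when a link accompanies the failure wording.
        if FAILED_RE.search(body):
            hits.append("failed-delivery-lure")
    if attachments:
        hits.append("attachment")
    return hits


if __name__ == "__main__":
    print(triage(SAMPLE))
```

These checks are heuristics for prioritising review: a link or an attachment alone is common in legitimate mail, so the combination of indicators matters more than any single hit.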