August 10, 2020

What is spear phishing?

Learn how to identify and avoid falling victim to spear phishing scams

Twitter recently proved it: no business is immune to phishing attacks.

In a hack that reportedly netted scammers more than $100,000, the accounts of several prominent figures and celebrities were compromised and exploited.

Join us as we dive into the details of the Twitter hack, explore what spear phishing is, and explain how you can protect yourself against being the next victim.

What happened to Twitter?

In July 2020, cybercriminals used spear phishing tactics to gain access to 130 Twitter accounts, including those of Microsoft founder Bill Gates, Democratic presidential candidate Joe Biden, and reality star Kim Kardashian West. [1]

The hackers then published tweets from some of these accounts sharing a Bitcoin scam, stating that any money sent would be doubled and returned as a charitable gesture.

Within minutes, over 320 transactions had already taken place and Twitter users were duped out of Bitcoin to a value of more than $110,000.

Twitter stated that:

  • 130 total accounts were targeted by attackers
  • 45 accounts had tweets sent by attackers
  • 36 accounts had the DM inbox accessed
  • 8 accounts had an archive of “Your Twitter Data” downloaded. [2]

How did attackers hack Twitter?

Twitter has not released the full details on this, but it’s been reported that the hackers used spear phishing techniques to manipulate certain Twitter employees into giving out confidential credentials over the phone.

These credentials were then used to access Twitter’s internal systems, including getting past its two-factor protections. Once inside, the attackers had access to account-support tools that should have only been available to internal support teams.

When Twitter became aware of what was happening, it locked down and regained control of the compromised accounts. The company also secured and revoked access to internal systems to prevent the attackers from further accessing systems or the individual accounts. [2]

What is spear phishing?

Unlike generic phishing scams, where emails are often sent to hundreds and sometimes thousands of recipients, spear phishing attacks target a specific victim. With spear phishing, phone and email communications are tailored to address that victim specifically.

The attacker may disguise themselves as a trustworthy friend, colleague, or business in an attempt to acquire sensitive information. Often, they’ll try to obtain as much personal information about their victims as they can before reaching out, so that the communication looks as legitimate as possible.

How do I protect my business from spear phishing?

As we’ve seen with Twitter, these scams are very often successful. And unfortunately, there’s only so much that IT security tools can do.

The best way to protect your business is to focus on employee education, backed up by a robust IT security system. Train your team to be suspicious of any unusual requests via phone or email from a colleague or organization, even if it’s someone they know well.

Our #1 tip: If your employee is unsure about the legitimacy of an email or other communication, ask them to always check with your IT department or IT security partner.

Related blog:

How to recognize and avoid email spoofing scams

How we can help

If you’re interested in learning more about how to protect your business from scams, we offer a range of comprehensive cyber security and compliance packages that can be uniquely tailored to fit your business’s needs.

Visit our IT Security Packages page to learn more.

Sources:

1: Twitter hack: Staff tricked by phone-phishing scam | BBC News

2: An update on our security incident | Twitter
