Don't Take the Bait
Spear-phishing attacks aiming for competitive intelligence or corporate espionage are likely to have a custom-tailored message (e-mail, IM, tweet, and so on), such that the victim is more likely to take the bait. A top nuclear physicist at a research institution is unlikely to follow through on a link advertising replica Rolex watches or natural male enhancement, but if the message is inviting the victim to be a speaker on a panel at a well-known nuclear physics symposium, the bait will be all but irresistible.
Although you might think that in 2010, most users (and especially tech workers) would be suspicious of any password reset or messages declaring that "we are improving our security," a stunning number of them will still be fooled by such schemes. My company, Special Ops Security, as part of its assessments with organizations and government agencies, will run controlled experiments where we intentionally phish targeted individuals at a company and track both click-through and captured passwords on an encrypted Web site.
Two colleagues of mine have even started their own self-service portal for CIOs to run mock "spear phishing" of their employees at PhishMe.com. It's a particularly eye-opening exercise, and I highly recommend it.
Use Unique E-Mail Addresses to Keep Password Reset E-Mails at Bay
If you don't believe that you would fall for a targeted e-mail discussing your upcoming new product or a malicious PDF with a class-action settlement notice, there is the ever-present category of password reset and social networking notification messages. Most Websites, as an unfortunate necessity of large scale, have a "forgot password?" function that sends e-mails to allow you to obtain access to your account.
Additionally, we are trained to expect notification e-mails from sites informing us of new friend requests, or photos of ourselves that others have posted. This is a particularly enticing proposition for the human psyche--how can I resist clicking on "have you seen this hilarious picture of you from last night?"
How is one to know if Facebook or MySpace truly sent the e-mail or if it is spoofed? Eventually there will be enough adoption of electronic signatures and DNS-level security to make these spoofed messages ineffective. In the meantime, there is one method that I employ to make sure a message is genuine. Each social networking (or e-commerce, airline, or whatever) Website that I use has its own unique e-mail address for me.
If you are fortunate enough to have your own domain name and a mail server (Google Apps is great for this), you can create firstname.lastname@example.org and email@example.com. If you receive any notification message purporting to be from a site but the "to" address does not match, consider that message to be highly suspect and delete it immediately.
Sign up for CIO Asia eNewsletters.