Many of us have received requests through text messaging, email, or even phone calls purporting to be friends, family members, or even ACI officers. The messages are often sequential, seeking an initial response (“engagement”), then rapid follow-up messages seeking funds, information, gift cards, electronic payments, usually under the guise of seeking assistance on behalf of an individual known to you.
Specifically for leadership teams, if your name has ever been published on a document available online (website, electronic newsletter), you may be targeted more often and surprisingly convincingly with a seemingly personalized knowledge of your role in an organization and your relationship with others in your organization.
Here’s an example that has been making the rounds within our Club (I know of at least two people who have received this specific “Spear Phishing” campaign. You’ll see how it understands my role in the Club and at least two of my peers (and their roles) on the Executive Council. Fortunately, the recipient recognized the email address associated with me (“From”) was not my email and ignored it.
From: Eric McHenry <lilibeth@virginmedia.com>
Date: January 12, 2025 at 2:25:29 PM PST
To: [ACI Executive Council Member]
Subject: Expenses
[ACI Executive Council Member],
Treasurer Alan Rabb just notified me that there are some technical issues with the accounts payable system, and a payment is needed to cover our association’s operational expenses. Would you be able to assist by processing the payment through Zelle, PayPal, or ACH? I will ensure you’re reimbursed promptly and will provide all the necessary details.
Thank you so much for your help.
Best regards,
Eric McHenry
What’s Going On?
In general, the most common cybersecurity “campaigns” associated with individuals fall into two categories:
Credential Attacks are where malicious individuals try to capture your credentials (username, passwords) to access your bank accounts, investment accounts, online shopping accounts, or other accounts that may reveal hints about your online resources. Poor, reused, or passwords compromised in a data leak are often used to get unauthorized access. Some of the best defenses against these types of attacks are a) strong passwords, b) regular changing of your passwords, c) not reusing passwords, d) two-factor authentication.
The latter is becoming common now where a login session also requires a separate code for verification. If your online service offers two-factor authentication, use it. At a high level, this type of account verification relies on two things: 1) something you know, like a password, and 2) something you have, like a smartphone.
Spear Phishing Campaigns are what the example above shows. They are a subset of “Social Engineering Campaigns,” where a person’s normal goodwill or trust is used to entice them to reveal credentials, transfer funds, or allow account access. The next step of the example above would have been several “conversations,” each to entice the target to surrender credentials, allow access, or directly transfer funds.
Spear Phishing Definition: Spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It’s actually cybercriminals attempting to steal confidential information (https://www.knowbe4.com/spear-phishing)
The Rise of Artificial Intelligence in Spear Phishing
In spear phishing, AI is used by cybercriminals to gather detailed information about a target individual or organization, allowing them to craft highly personalized and convincing phishing emails that appear to come from a trusted source, significantly increasing the likelihood of a successful attack by making the phishing attempt seem more legitimate and relevant to the victim; essentially, AI helps create more targeted and sophisticated spear phishing campaigns by automating the research and crafting of personalized messages based on the victim’s specific details found online.
Information Gathering: AI can scan social media, public records, and other online sources to gather information about a target’s personal and professional life, including their job title, recent news, interests, and even family members, which can be used to personalize the phishing email.
Generating Convincing Content: Generative AI models like ChatGPT can create highly tailored email text that mimics the writing style and tone of the target’s company or colleagues, making the phishing email seem more authentic.
Note from Eric: As an example, I used an AI engine to generate the above section on AI. No, it’s not self-aware, but it can seem like it.
What Can I Do?
First: Use your intuition. If something seems odd, do NOT respond to the message. Instead, contact the person you know and ask if this is real. Never click on the link, send money, or give out your credentials (login/password).
Second: If it’s an email vs. text message, look CLOSELY at the actual email address, not just the name. Depending on your email application, you might be able to hover over the name, click the down arrow on the right, etc. Be aware that these “spoofed” email addresses are sometimes created to look very similar to your own, hoping to pass casual inspection. For example:
- Real email address example: joecamperartist1@gmail.com
- Spoof example: joecamperartistl@gmail.com: the “1” has been changed to “l”
- Spoof example: joecamper@rtist1@gmail.com: the “a” has been changed to “@”
- Spoof: example: joecamprartist1@gmail.com: the “e” is missing.
Finally: Understand you likely have NOT been “hacked.” At least not yet. Someone is trying to deceive you into revealing your information. Consider changing your email address, or creating a new, somewhat disposable email address for your Club business.
Eric McHenry
International President / BRN 153 // Amateur Radio callsign AA6EM
Prior Chief Information Officer / IT Department Director, Local Government
