The Russian-based hacking group Seaborgium is at it again with increased spear phishing attacks targeting US and European countries in the last year.

Last month, I previously wrote about Seaborgium launching a phishing campaign with targets in the UK. Now these threat actors have taken one step further with fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails. They have also widened their net to multiple regions across the globe with a new focus on the US and additional regions within Europe. Each successful attack means the threat actor is able to refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, it could serve as high value to execute cyber espionage for the Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

  • First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
  • Do not have a list of all email addresses of all employees on your website, use a web form instead.
  • Regularly scan the Internet for exposed email addresses and/or credentials, you would not be the first one to find one of your user’s username and password on a crime or porn site.
  • Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, go directly to the source.
  • Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.
  • Users are your last line of defense! They need to be trained using new-school security awareness training and receive frequent simulated phishing emails to keep them on their toes with security top of mind. We provide the world’s largest content library of security awareness training combined with best in class pre- and post simulated phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!