Timing is (almost) everything with phishing

by Andrew
June 24, 2021

The best spear phishing attacks are timely: they arrive in the target's inbox exactly when they are relevant to the target.

Or, even better for the attacker, when the target is most vulnerable to an attack.

Insider knowledge about their target is gold for a spear phisher (or a player in MonkPhish), especially the knowledge that the target is expecting something.

A spear phisher can deploy that knowledge with devastating effect.

For example, if an attacker knows that a target gets an invoice from one of their suppliers on the last Thursday of the month around 4pm, they deploy their attack mimicking that invoice on Thursday at 2pm.

The target may just click through – they were expecting this email in the afternoon.

Business email compromise is a costly and growing spear phishing threat for finance teams.

Another example (and this is a real-world example): an attacker knew that a large multi-payment sale was being conducted between two parties. The attacker just emailed the payer from an email address that looked a lot like the seller's address and asked that they wire the next installment to a different account (one under the attacker's control).

In that case the attack was successful without “compromising” any systems or networks!
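The lookalike sender address in that case is something a mail filter or a finance team's script can check for. The sketch below is an added example, not code from this post or from MonkPhish; the domain allowlist, the character substitutions and the distance threshold are all assumptions chosen for illustration.

```python
# Added example: flag sender domains that imitate a known partner's domain.
# All domains and addresses used here are constructed for illustration.
from email.utils import parseaddr

# Hypothetical allowlist of domains the finance team really deals with.
KNOWN_DOMAINS = {"acme-supplies.example", "northwind-seller.example"}

# Digits commonly swapped in to make a domain look the same at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def check_sender(from_header: str, max_distance: int = 2):
    """Return (verdict, matched_domain); verdict is 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    for known in sorted(KNOWN_DOMAINS):
        # Near-miss of a trusted domain: same look, or only a few edits away.
        if (skeleton(domain) == skeleton(known)
                or edit_distance(domain, known) <= max_distance):
            return ("lookalike", known)
    return ("unknown", None)
```

A "lookalike" verdict is the case worth a phone call before any payment details change; with very short domains the distance threshold should be lowered to avoid false matches.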

Attackers can also attempt to catch people at their most vulnerable moments – physically and psychologically.

If you get an email at 3 am saying that something awful has happened, will you be inclined to panic when you wake up several hours later, check your phone and see an urgent message?

You should be extra cautious about checking your email when you are especially bleary or mentally tired!

If you get that urgent message, check it on your computer, not your phone – and look at the sender's address and the URL of the destination!

If you’re still unsure, call to check if something is going on – anything to make doubly sure you aren’t the next victim of a well-timed attack!

Of course, while playing MonkPhish you can use these timing tactics to snare your colleagues! Happy phishing!

If you need help improving your team’s cyber awareness, let’s find a time to catch up and see how we can help get every employee on your cyber team.

