Phishers used to pound large ISPs with directory harvest attacks, gather the addresses, then pound on the clients again. Send out millions upon millions of lures, and you are bound to “catch a live one.”
Times change, and so do phishing tactics. With the level of awareness of the scams hitting new highs, phishers are choosing to target their lures with additional precision.
This is no different than the progression that took place in direct marketing. In the 70’s and 80’s, everyone got a flyer in their mailbox and/or a phone call at dinnertime. The money flowed in, and competition ensued. So, with the help of exploding processing power in the 90’s, direct marketers started slicing and dicing their databases and combining them with other information to help their clients reach buyers more effectively.
While phishing doesn’t require the investment of a legitimate direct marketing firm, the trend it is following is similar. In order to extract maximum cash, phishers are customizing their pitches for a specific audience. What is most dangerous about this approach is that recipients are not going to be familiar with these new pitches – the pitches won’t mention eBay or come from a bank (like many users have grown accustomed to). System administrators at the companies of the target employees are going to have to be extra diligent in keeping the attempts out of the inboxes.
Keep in mind, many phishing attempts come as plain text, are carefully worded so not to trigger spam filters, and can be very costly, very quickly. With a virtually unlimited number of businesses to target, particularly small ones with little investment in protections against directory harvesting, we are likely to see much more of these pinpointed attacks in the times ahead.