Web Scraping and Targeted Phishing Attacks

David Fortner

We talk a lot about spam and phishing emails in our communications because they are so prevalent right now. Phishing is getting more and more sophisticated, making it harder for users to identify a phishing email. Is your company website giving cyber-criminals the information they need to target your employees? Web scraping could be the issue.

How do the Cyber-criminals get your email address? 

What makes you a target? Many times, email addresses are harvested from websites, a practice referred to as web scraping. Does your company website list email addresses for employees and/or departments?

What is Web Scraping?

If you google web scraping, you will get a large number of results for videos, software and companies that teach or perform web scraping. Data obtained by web scraping can be used in a variety of ways, and not all are harmful. For example, data is collected from various travel sites and then combined by one site so that you can compare accommodation or flight prices to get the best deal on travel. However, web scraping also provides cyber-criminals with information and email addresses that allow them to target you with effective phishing campaigns.

Is your Company Website making it too easy for Cyber-Criminals?

Does your company have direct email addresses listed on the website for employees and/or departments? This is an easy way for cyber-criminals to obtain targets. Sophisticated attacks using CEO fraud are highly successful because attackers can easily spoof a CEO’s name and email address, obtained by web scraping, and send a message to an employee in accounting requesting a bank transfer. Sadly, posting email addresses on our websites is dangerous.

Use Contact Forms to Avoid Web Scraping of email addresses

Contact forms, enabled with CAPTCHA, can be used on a website instead. This prevents addresses from being scraped. Contact form submissions can be distributed to a group of employees, who can then reply or forward them to the proper person or department. A generic email address such as info@companyname.com can also be published on your website and can help you detect phishing (a CEO probably would not send his request for a bank transfer to info@…….). However, employees receiving the emails should be trained on identifying phishing attempts. This generic email account limits a criminal’s ability to target or spoof specific people in your company.

Contact your Web Designer

If you find that your website does contain direct employee emails, contact your web developer to discuss alternatives to help avoid email scraping and possible targeted attacks while still allowing effective contact for your website visitors.
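
One way to check a saved copy of your own pages for direct employee addresses, as an added example that is not part of the original post. The role-name list, the function and class names, and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: local parts treated as shared mailboxes rather than named people.
ROLE_LOCAL_PARTS = {"info", "sales", "support", "contact", "hr", "billing"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class AddressCollector(HTMLParser):
    """Collects addresses from mailto: links and from visible page text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities like &#64; are decoded
        self.found = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # Drop any ?subject=... part and decode %40-style escapes.
                target = unquote(value[7:].split("?", 1)[0])
                self.found.update(a.lower() for a in EMAIL_RE.findall(target))

    def handle_data(self, data):
        self.found.update(a.lower() for a in EMAIL_RE.findall(data))


def audit_page(html, company_domain):
    """Return (direct, role) sorted lists of addresses on company_domain."""
    collector = AddressCollector()
    collector.feed(html)
    collector.close()
    direct, role = [], []
    for addr in sorted(collector.found):
        local, _, domain = addr.partition("@")
        if domain != company_domain.lower():
            continue  # third-party address, outside this audit
        (role if local in ROLE_LOCAL_PARTS else direct).append(addr)
    return direct, role


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<p>Questions? Write to <a href="mailto:info@example.com">our team</a>.</p>
<p>CEO: Jane Doe, <a href="mailto:Jane.Doe%40example.com?subject=Hi">email Jane</a></p>
<p>Accounting: pat&#64;example.com</p>
<p>Hosted by webmaster@hosting.example.net</p>
"""
if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "example.com"))
```

The addresses in the first list are the ones to raise with your web developer. Note that the entity-encoded and percent-encoded addresses in the sample are still found, so that kind of encoding does not take the place of a contact form.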

Many of our clients subscribe to our Spam Filtering and Cyber Security Training. Contact us today at 832-295-1411 to discuss Spam Filtering and Employee Cyber Security Training for your organization.
