That's what happened in March, when attackers used a clever ruse to exploit their discovery that RSA -- the company that provides network-access tokens using random secondary passwords -- was in a hiring campaign.
Organized Attack
Two small groups of employees received e-mails with attached Excel spreadsheets titled "2011 Recruitment Plan," the company said in April. The e-mails were caught by the junk- mail screen. Even so, one employee went into the folder, retrieved the file and opened it.
The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose, California-based Adobe, that allowed hackers to commandeer the employee's PC. RSA said information related to its two-factor SecurID authentication process was taken.
Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.
"The team that hacked us is very organized and had a lot of practice," Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. "I can compare them to the Navy Seals Team Six, which hit Osama Bin Laden."
The Federal Bureau of Investigation began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.
Whale Phishing
Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.'s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.
Spear-phishing is evolving into what Rasch calls whale phishing: Targeting senior-level executives whose computers may have access to far more sensitive information that rank-and-file workers.
Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they're better protected from computer hackers than their employees, Rasch said.