Phishing comes in many different forms, but spear phishing is arguably the most dangerous type of phishing attack and the most difficult to detect.
Traditional phishing attacks take a scattergun approach: they impersonate a trusted company and target masses of people at the same time. Spear phishing, in contrast, is highly personalised and targeted at a specific individual or small group.
A lot of thought and research goes into crafting a spear phishing attack. Attackers gather as much personal information as they can about their victim so that any email they send looks as authentic as possible.
To create a sense of familiarity, spear phishers trawl social media sites and search engines to build a picture of their victim. Once they have the information they need, they impersonate a trusted friend or colleague and use email to extract sensitive information or deliver malware.
An example of this could be an unsuspecting employee receiving an email that appears to come from HR, informing them about a new pension scheme the company is implementing. They open the attachment and, without realising it, run malware that could potentially bring the company to its knees.
This may sound far-fetched, but this is exactly the type of spear phishing attack that companies all around the world are being subjected to on a daily basis.
According to the latest edition of Symantec's Internet Security Threat Report, spear phishing emails emerged as the most widely used attack method, employed by 71% of the cybercrime groups tracked in the report.
Spear phishing has the potential to net massive profits for cybercriminals. In June 2015, technology company Ubiquiti Networks lost more than $40 million in a targeted attack in which emails impersonating its executives tricked staff into making fraudulent transfers, and over the last five years the Carbanak cybercrime group has stolen over $1 billion from banks around the world by delivering its malware through spear phishing emails.
The hard work spent researching potential targets is worth it if the crooks can manage to net the profits they are currently making. Spear phishing attacks are extremely difficult to detect and require an increasing amount of vigilance from staff to ensure they don’t fall victim.
Don’t overshare on Social Media
The massive growth in social media has made it so much easier for a spear phisher to profile their victim and glean lots of personal information that can be used in an attack. From a simple scan online, the crooks may be able to find out your job title, where you work, your email address, events you’ve attended and lots of other valuable information that can be used to make their scam seem as convincing as possible. You should regularly check and adjust your privacy settings to restrict what people can and can’t see on your social media profiles.
Question any Requests for Confidential Information
If you receive a request from a colleague to email over confidential information, do not automatically comply with the request. A common tactic used by spear phishers is to source a list of senior executives at a company and then send emails impersonating those executives to trick staff into revealing sensitive information. If you receive an email out of the blue asking for information such as passwords, corporate banking details or sensitive files, you should always question the request, no matter who it appears to be from, and confirm it with the sender through a channel you already trust, such as a phone call to a number you know or a conversation in person. Do not reply to the email or use the contact details it contains, because a spear phisher controls both.
Don’t click on links within emails
Spear phishing attacks almost always have a convincing hook to entice the user to click on a link, and if the email appears to come from a trusted source it will seem even more credible. Always stop and think before making a hasty decision. Hover your mouse over the link (or long-press it on a phone) to see the real destination URL, bearing in mind that the visible text of a link can say one thing while the underlying address points somewhere else entirely. Read the domain carefully, not just the look of the page it names, and if something doesn't seem right, don't click. Where possible, navigate to the site yourself by typing the address you already know rather than following the link.
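The mismatch between a link's visible text and its real target is something a mail gateway or a simple triage script can check mechanically. The following Python is an added example, not code from the original article or from MetaCompliance: it parses the HTML body of an email, extracts every anchor, and flags links whose displayed URL points to a different domain than the href, or whose target falls outside an allow-list of domains the organisation expects. The email body and the domain names in it are constructed for the example.

```python
"""Flag hyperlinks in an HTML email whose visible text disagrees with their target."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text claims an internal HR site, the href does not.
SAMPLE_EMAIL = """
<p>Hi, please review the new pension scheme document:</p>
<a href="http://hr-portal.example-pensions.net/login">https://hr.example.com/pensions</a>
<p>Or reply to <a href="mailto:hr@example.com">hr@example.com</a>.</p>
<p><a href="https://hr.example.com/help">Help desk</a></p>
"""

_URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of an http(s) URL or bare 'host/path' string; '' for mailto: etc."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https"):
        return (parsed.hostname or "").lower()
    if not parsed.scheme:
        return (urlparse("//" + url).hostname or "").lower()
    return ""


def registrable_domain(host):
    """Crude last-two-labels domain: 'hr.example.com' -> 'example.com'.
    A production check should use the Public Suffix List instead (assumption for brevity)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, trusted_domains=()):
    """Return a list of findings; each has the href, visible text and reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []
        # Visible text that looks like a URL must name the same domain as the href.
        text_host = host_of(text) if _URL_LIKE.match(text) else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append("visible URL differs from target")
        # Any web link leaving the expected domains deserves a second look.
        if trusted_domains and href_host and registrable_domain(href_host) not in trusted_domains:
            reasons.append("target outside trusted domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, trusted_domains=("example.com",)):
        print(finding)
```

Run against the sample, only the pension-scheme link is reported, with both reasons; the mailto: link and the genuine help-desk link pass. The domain comparison deliberately looks at the registrable domain rather than the whole hostname, because attackers rely on long, plausible subdomains such as hr.example.com.attacker-site.net to pass a casual glance.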
Use Smart Passwords
Attackers guess passwords with specialist software that tests millions of possible username and password combinations, drawing on dictionaries, leaked password lists and common substitution patterns. To reduce their chance of success, it's vital to use long, unique passwords. One of the best ways to do this is to use a passphrase: a sequence of several unrelated words, optionally joined by spaces or punctuation. Passphrases are longer, harder to guess and easier to remember than traditional passwords. A related technique is to take a sentence only you would know and use the first letter of each word as the basis of a password. Swapping letters for look-alike symbols and numbers adds little on its own, because those substitutions are built into every cracking tool's rule set; length does most of the work. Use a different password for every account, ideally generated and stored by a password manager, because a spear phisher who captures one password on a fake login page will try it everywhere else. Note that no password, however strong, protects you if you type it into an attacker's page, which is why the later advice on multi-factor authentication matters.
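To make the strength comparison concrete, here is an added Python example (not from the original article) that generates a random word passphrase with the operating system's cryptographic random source and works out how many bits of guessing work it represents next to a short "complex" password. The 32-word list is a constructed stand-in for a real Diceware list of 7,776 words; the guess rate used for the time estimate is an assumption representative of an offline attack on a fast hash.

```python
"""Random passphrase generation and a guess-work comparison with short complex passwords."""
import math
import secrets

# Constructed stand-in for a real Diceware list (which has 7,776 words).
WORDLIST = [
    "anchor", "basil", "candle", "dune", "ember", "falcon", "gravel", "harbor",
    "igloo", "jasper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cobalt", "drizzle", "ermine", "fennel",
]
DICEWARE_SIZE = 7776          # size of a full Diceware list
PRINTABLE_ASCII = 94          # pool for a "complex" password built from all printable characters


def entropy_bits(pool_size, length):
    """Bits of guessing work for `length` independent uniform picks from a pool."""
    return length * math.log2(pool_size)


def generate_passphrase(words=WORDLIST, count=6, sep="-"):
    """Pick `count` words uniformly at random with a CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password when half the keyspace must be searched.
    The guess rate is an assumption standing in for an offline attack on a fast hash."""
    return 2 ** (bits - 1) / guesses_per_second


def comparison():
    """Return the bit strengths that make the passphrase advice concrete."""
    return {
        "8 chars from all printable ASCII": entropy_bits(PRINTABLE_ASCII, 8),
        "6 Diceware words": entropy_bits(DICEWARE_SIZE, 6),
        "6 words from this 32-word list": entropy_bits(len(WORDLIST), 6),
    }


if __name__ == "__main__":
    print(generate_passphrase())
    for label, bits in comparison().items():
        years = expected_crack_seconds(bits) / (3600 * 24 * 365)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years at 1e10 guesses/s")
```

Six words from a full Diceware list give roughly 77 bits, against about 52 bits for eight printable characters chosen uniformly at random, and human-chosen "complex" passwords are far weaker than the uniform figure because crackers try the predictable patterns first. The strength only holds if the words are chosen by a random source, as here, rather than by the user; a favourite song lyric is in the dictionary.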
Regular Cyber Security Training
To ensure that organisations are protected from targeted spear phishing attacks, it's vital that staff receive regular cyber security awareness training. Spear phishing attacks tend to be much more difficult to detect than a regular phishing attack. To ensure that staff are equipped to deal with these evolving threats, they should receive regular training on how to identify an attack, become familiar with the different methods that may be used to manipulate them into disclosing sensitive information, and know how to report a suspicious email so that the security team can act on it.
Update Software Regularly
Software vendors continually release patches for vulnerabilities found in their products, and anti-virus vendors update their detection signatures to match the most recent attacks. Unpatched vulnerabilities in email clients, browsers, document readers and operating systems are exactly what a malicious attachment or link relies on to steal sensitive data, lock users out or demand a ransom. Applying updates promptly, ideally automatically, ensures that you are running the most up-to-date versions released by the manufacturer and closes the holes that a spear phishing payload would otherwise exploit.
Use Multifactor Authentication
Adding an extra layer of authentication makes it much more difficult for an attacker to access sensitive company data. Multi-factor authentication is used to verify a user's identity when they are accessing an application: in addition to a password, it requires a second factor such as a one-time code from an authenticator app, a push notification or a hardware security key. This means that a spear phisher who captures a password on a fake login page still cannot use it on its own. Be aware, though, that not all factors are equal. A one-time code or push approval can be relayed in real time by a phishing site that sits between the victim and the genuine login page, and attackers also bombard users with push prompts until one is accepted. Phishing-resistant methods based on FIDO2/WebAuthn security keys or passkeys bind the login to the real website's domain, so a look-alike site cannot complete it, and they should be preferred for accounts that matter.
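The following Python is an added example, not code from the original article: it implements the time-based one-time password (TOTP) scheme used by authenticator apps as specified in RFC 6238 (HOTP per RFC 4226 under the hood), verifies codes with the usual one-step clock tolerance, and then shows the weakness described above, namely that a code captured on a fake login page and relayed by the attacker within the validity window verifies just as well as one typed by the real user. The shared secret is the RFC 6238 test secret; the timestamps for the relay scenario are constructed.

```python
"""RFC 6238 TOTP generation and verification, plus a relayed-code scenario."""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    now = int(time.time() if at is None else at)
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the code for the current step and `window` steps either side.
    compare_digest keeps the comparison constant-time."""
    now = int(time.time() if at is None else at)
    current = now // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def relayed_code_accepted(secret, captured_at, replayed_at):
    """Scenario: the victim types a valid code into a phishing page at `captured_at`;
    the attacker submits it to the real service at `replayed_at`. TOTP has no notion
    of which website the code was typed into, so timing alone decides the outcome."""
    captured_code = totp(secret, at=captured_at)
    return verify_totp(secret, captured_code, at=replayed_at)


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_SECRET, at=59, digits=8))      # 94287082 per RFC 6238
    print("relay 20 s later accepted:", relayed_code_accepted(RFC_TEST_SECRET, 59, 79))
    print("relay 90 s later accepted:", relayed_code_accepted(RFC_TEST_SECRET, 59, 149))
```

The relay succeeds when the attacker forwards the code within the server's tolerance window and fails only once the window has passed, which is why an adversary-in-the-middle phishing kit automates the forwarding. Shrinking the window helps at the margin; binding the authentication to the origin, as WebAuthn does, removes the problem.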
For further information on Phishing and the different forms it takes, check out our Ultimate Guide to Phishing. Despite the increasing sophistication of phishing attacks there are a number of ways you can protect yourself online. MetaPhish has been specifically designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combating cyber-crime. Get in touch for further information on how we can help your business.