Spear Phishing Threats: What they are and how to protect your company
Phishing scams become more sophisticated every year. Phishers do more research on their targets, and the tooling behind these attacks keeps advancing. It is important to keep up to date on the various phishing methods so you know what to look out for.
What Is Spear Phishing?
Typical or ‘basic’ phishing scams are generalized and cast a net over a large group of people. Spear phishing, on the other hand, is a phishing attack that specifically targets victims the phisher deems to be of high value. Emails are customized to fit the recipient and are usually disguised to appear to come from someone the recipient knows or is familiar with. Phishers target individuals within your organization who have access to resources or who hold valuable information.
How Does Spear Phishing Work?
A lot of research and planning goes into these attacks, so they are often successful when executed properly. Spear phishers commonly collect personal information that is publicly available, such as what can be found on sites like Facebook or LinkedIn. Email addresses, phone numbers, and other personal details found there help phishers learn about their victims and form a believable story. The phisher then contacts the victim, appearing legitimate because of this knowledge and/or a masked email label, and attempts to obtain money or sensitive information, or to infect the victim’s device with malware.
How Do I Avoid Spear Phishing?
Avoid putting your personal information on public profiles. Warn your employees about putting their personal information out there as well, so that they can avoid being victims.
Set up email filters and warnings. If a phisher writes to someone in your organization, there should at the very least be a warning to your employee letting them know that this email was sent by someone outside of the organization and to proceed with caution.
Invest in reliable anti-virus software, particularly if there is sensitive information on your devices.
Be current with patches and updates. Many updates are released specifically to counter recently developed threats. Often these updates are only downloaded when the machine is shut down, so set the expectation that employees restart their machines at least once a day.
Educate your employees. They should understand the dangers of phishing, how to recognize it, and what to do if it happens to them. An untrained employee who falls victim puts not only themselves but your company at risk.
Understand who is at risk in your organization, either by job role or through analytics that identify employees who open attachments or links at higher rates than expected.
Provide education on building the habit of verifying that email addresses are not masked and that senders are who they claim to be. For instance, recent spear-phishing targets have been owners of small businesses who cater to the federal government. Often emails with attached solicitations or purchase orders are sent under a name that appears to be legitimately employed by a federal government agency and authorized to make purchasing decisions. The email address will look very similar to the legitimate person’s as well, except for perhaps one character or a different extension.
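The external-sender warning and the masked or one-character-off sender addresses described above can be checked mechanically at the mail gateway. The following is an added example, not code from the original article or from USG1; it assumes a constructed allow-list of trusted domains and classifies a From: header as trusted, masked (display name shows a trusted address but the real sender is elsewhere), lookalike (same name with a different extension, or one character away), or plain external.

```python
from email.utils import parseaddr

# Constructed allow-list for the example: the organization's own domain plus
# a partner agency domain (assumption, not real data).
TRUSTED_DOMAINS = {"example.com", "agency.gov"}


def levenshtein(a: str, b: str) -> int:
    """Number of single-character edits (insert/delete/substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@' (empty string if there is none)."""
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'masked', 'lookalike' or 'external' for a From: header value."""
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Masked address: the display name shows a trusted address while the real
    # sender address points somewhere else.
    if "@" in display and domain_of(display) in TRUSTED_DOMAINS:
        return "masked"
    # Lookalike: compare only the name left of the first dot, so a different
    # extension (.co vs .com) or a single changed character (examp1e) both match.
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(name, trusted.split(".")[0]) <= 1:
            return "lookalike"
    return "external"


def banner_for(from_header: str) -> str:
    """Warning text a gateway could prepend to the message body ('' for trusted mail)."""
    verdict = classify_sender(from_header)
    if verdict == "trusted":
        return ""
    if verdict == "external":
        return "[EXTERNAL] This email originated outside the organization. Proceed with caution."
    return f"[WARNING] Sender address looks {verdict}: verify the sender by phone before acting."
```

This catches lookalike and masked addresses only; a From: header can also be forged outright, which is what SPF, DKIM and DMARC checks at the gateway are for, so use this alongside them rather than instead of them.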
Set up protocols. Just because an email addressed to you or one of your employees seems legitimate does not mean that it is. If you or an employee does not recognize an email address, or feels that something is off, there should be a way to verify that the sender is who they say they are. Set up this protocol now so that your employees know what to do when such an email arrives in their inbox.
Educate users to 1) be suspicious of this type of communication; 2) read email labels and other content that stands out as suspicious; and 3) follow a protocol of searching the internet for independent verification and alternate ways to contact the sender, rather than replying to the suspicious email or using the contact information listed in its signature. When there is any doubt, the protocol should be to report it and ask for guidance before acting independently.
Set up a multi-person and multi-factor approval process for any payments. Establishing process controls now can save you a great deal of money down the line.
Do not be convinced that something is urgent. Employees should be encouraged to be skeptical and vigilant, as it is better to take a bit of time before answering an email than fall victim to a phishing scam.
Report phishing emails. If an employee receives a spear phishing email, even if they are able to foil it themselves, there should be someone in the organization to report it to. Other employees should receive an email warning them about these scams and what to look out for as well.
Perhaps your company’s service desk can filter these reports and escalate them appropriately. If you are a small business without a service desk, consider listing the point of contact for phishing reports prominently on your internal company contact lists.
Here at USG1, we are committed to safeguarding our clients from external actors who want to take advantage of client vulnerabilities. Phishing methods of every variety continue to be the #1 way that businesses are compromised by external cyber-attacks. In 2019, cybercrime cost the world $5.2 trillion, and it’s only escalating with the increase of remote workers. To minimize cyber threat risk to your organization, USG1 helps clients with strategies and end-user training, so you can concentrate on what you do best: running your organization.