Spear Phishing Attacks: How to Spot & Prevent Them

Phishing attacks remain a major concern for organizations of every size and industry. In fact, 76 percent of organizations reported being the victim of a phishing attack in 2017, unchanged from the preceding year, according to research by Wombat Security Technologies.

The same research found that the effects of phishing were felt more broadly in 2017 than in 2016, with an 80 percent increase in reports of account compromise, malware infection and data loss linked to phishing.

One reason phishing is so popular with cybercriminals is that it gives them easy access to the most susceptible part of any network: the end users. Attackers no longer rely only on easy-to-spot tactics such as bulk spam; they also use far more polished, targeted techniques that even cautious users may not notice until it is too late.

What is Phishing and Who Does It Target?

Phishing is a type of cyber attack that tricks or pressures targets into sharing sensitive information. Also referred to as a “phishing scam,” it uses deceptive emails and websites to obtain login credentials, financial details such as bank account or credit card numbers, company data, and anything else of potential value.

Users are susceptible to every form of phishing: they hand their personal information or credentials to fraudulent websites, or unwittingly download malicious software that brings viruses, keyloggers, bots, backdoors or ransomware onto the network. Research by Verizon found that an attacker who sends just 10 phishing emails has roughly a 90 percent chance that at least one recipient will fall for it.

It is hard to blame users: social networks, particularly Facebook and LinkedIn, hand an attacker the personal details and contacts needed to make a targeted spear phishing message look legitimate. When an email appears to come from a known organization or colleague, it is easy for any employee to be deceived.

Perhaps the most notable phishing attack in recent history happened in 2016, when attackers obtained the Gmail password of Hillary Clinton’s campaign chair, John Podesta, using a fake Google security alert that led him to a credential-harvesting page.

What Is Spear/Targeted Phishing?

The most common type of phishing is the general, mass-mailed kind, in which an attacker sends the same email to thousands of recipients in the hope that a small percentage fall for it. More targeted attacks are known as spear phishing.

As the term implies, spear phishing targets one victim or a small group with a personalized approach. Using details from the target’s social media profiles and other public information, an attacker crafts an email that looks legitimate enough to get a response. These emails usually appear to come from a trusted source, such as a friend, a colleague or a company, and ask for sensitive information or a click on a link.

Imagine an email from the company’s “CEO” inviting several employees to a meeting through Gmail, with a link urging them to sign in to Gmail to attend. The underlying idea is the same as in mass phishing: a malicious link that harvests the user’s credentials. But spear phishing lets the attacker personalize the message, manufacture urgency (the boss is waiting) and get the victim to let their guard down.
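The lure above leaves fingerprints that a mail gateway or a careful reader can check: an executive’s name on an outside domain, a Reply-To that quietly diverts replies, a link whose visible text names one site while its target is another, and pressure to act now. The following Python script is an added example, not code from the original article or from DWD; it runs those four checks over a constructed sample message. The internal domain (example-corp.com), the executive name list and the sample email are all assumptions made up for the illustration.

```python
"""Spot common spear-phishing indicators in a raw email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"     # assumed: the company's own mail domain
EXECUTIVE_NAMES = ("jane doe",)          # assumed: names an attacker would impersonate
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")

# Constructed sample lure (not a real message): a "CEO" meeting invite that
# pushes staff to a fake Google sign-in page on a lookalike domain.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.com>
Reply-To: jane.doe@mail-recovery.example
To: staff@example-corp.com
Subject: Quick sync today - please confirm
Content-Type: text/html; charset=utf-8

<html><body>
<p>Team, I need everyone on a 15 minute call at 4pm. Please sign in to
<a href="http://accounts.google.com.example-login.net/signin">accounts.google.com</a>
to join. This is urgent, I'm boarding a flight. Jane</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'site' of a hostname: its last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_domain

    # 1. An executive's name or title on an address outside the company.
    name = display_name.lower()
    if (any(n in name for n in EXECUTIVE_NAMES) or "ceo" in name) and from_domain != INTERNAL_DOMAIN:
        findings.append(f"executive impersonation: '{display_name}' sent from external domain {from_domain}")

    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_domain != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_domain}, not {from_domain}")

    # 3. Links whose visible text names one site but whose target is another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, anchor in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", anchor.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append(f"deceptive link: text says {shown.group(0)} but goes to {target}")

    # 4. Pressure to act now, the staple of the lure.
    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print("-", finding)
```

The registrable-domain check is deliberately naive (last two labels); a production filter would use the public suffix list so that hosts under co.uk and similar are handled correctly, and would add SPF, DKIM and DMARC results from the Authentication-Results header rather than trusting the From line at all.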

Protecting Your Users from Phishing Attacks with Security Awareness Training

Cybercriminals usually attack companies through their end users. When an employee opens a malware attachment, clicks a phishing link or discloses sensitive information online, the attacker bypasses the company’s existing layers of perimeter security and lands inside the network.

According to the 2017 Verizon Data Breach Investigations Report, 90 percent of network security breaches stem from user error: the clicks and malware downloads that keep your company’s security professionals up at night. If as many as 30 percent of your employees cannot spot a phishing email, how will you keep attackers from stealing company data? To address the many exposures that everyday employee activity creates, you need a comprehensive security training program.

Security awareness training is a formal process for educating employees about phishing and other online threats, and about what to do when they encounter one. If your company is subject to government or industry regulations, awareness training is often a requirement in its own right.

Ongoing, relevant and engaging training, such as phishing simulations, security best practices, and courses on IT and data protection, greatly reduces the chance that a user error turns into a breach. Good training ensures that users, processes and technology work together against attackers rather than in isolation.

Teaching employees to recognize these scams, and dozens of others, can be as simple as regular Security Awareness Training (SAT) classes. If you would like to build your own program, the National Institute of Standards and Technology (NIST) publishes a free framework for it, Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program.”

DWD offers Security Awareness Training to businesses of all sizes. Contact our network team to find out how your employees can learn to better protect your business from phishing attacks.