The business technology world of today is growing increasingly concerned with the advent of one particularly devastating type of attack that any business could fall victim to. While many have heard of the traditional “phishing” attack, where an email or direct message poses as a colleague or legitimate business when it is in fact a hacker, a similar attack known as “spear phishing” is now responsible for most of the nation’s phishing attacks.
Spear phishing may sound daunting, but it’s by no means an insurmountable problem. As cyber security experts at Complete Business Systems, we’ll run you through what spear phishing is, why it’s so dangerous, and how you can stop them from happening to your business.
What is Spear Phishing?
True to its name, spear phishing is a more innovative, highly targeted version of traditional phishing. Think of traditional phishing as “wide net” phishing — the hacker casts a wide net, so to speak, by sending phishing emails to hundreds, if not thousands, of addresses at once in the hope that a few recipients will “bite” and click the malicious link inside.
Traditional phishing is a threat in itself, but it has grown less effective over the years. People have become wary of strange emails arriving in their inbox; many such emails end up in the spam folder or are blocked by third-party spam filters. This, however, is exactly why spear phishing is becoming so dangerous.
If traditional phishing uses a metaphorical “wide net” to conduct attacks, spear phishing fittingly uses a spear: one highly targeted, highly effective attack sent to a few people, or even just one person.
Spear phishing emails can appear startlingly realistic and convincing. They may contain the recipient’s first and last name, personal details harvested from their public social media accounts, info relevant to their job or duties, references to their colleagues or friends and family, among other pieces of information.
This is all in addition to a likely hand-made recreation of an email template or style that the recipient is familiar with — it may use one of their co-worker’s or higher-up’s email signatures, or use an email template that painstakingly recreates the look of a Google or Microsoft email.
How Do They Do It?
The main drawback of a traditional phishing attack is its widely distributed nature. When a hacker sends out thousands of emails at once, they don’t have the time to customize them beyond a few words. As long as one employee falls for their hasty, often sloppy email, the hacker considers it a job well done.
This has lulled many in today’s workforce into a false sense of security. They feel that phishing emails will always be easy to spot, with a certain sloppy look and obvious typos.
Spear phishing, by contrast, is much more polished. Attackers capitalize on employees’ false sense of security by sending a clean, professional-looking email, from a real and authentic email address, that in no way looks like an illegitimate message. An employee who glances at the email and spots nothing amiss will be likelier to read on without noticing the attack.
Combine that legitimacy with a convincing, highly-customized opener (think, “Hi, [recipient name], I was just talking to [coworker’s name], she and I forgot the password to our new database and she told me you might know it off hand. Could you help us out?”), and that employee is much more likely to click on a link or send over a piece of sensitive information.
Without prior warning and training from a security partner like Complete Business Systems, you may find yourself or someone on your network compromised.
Why is Spear Phishing So Dangerous?
To sum it up, spear phishing preys on our innate desires to be helpful, cooperative and/or productive, right after it disarms us with a nice, convincing coat of paint.
Not all spear phishing attacks come from offshore, either. Right here in the US, business competitors, cyber criminals, and even one’s own personal enemies are all capable of conducting spear phishing attacks. No matter where they come from, however, spear phishing attacks may very well be responsible for your next data breach or digital breaking-and-entering.
How You Can Protect Against Spear Phishing
Beyond the technological solutions, like spam filters and email monitoring programs, the main way to prevent spear phishing attacks is to identify the risks within your company and make sure those risk factors are addressed.
These risks most often manifest as individual employees. Those who are less tech-savvy are more likely to fall victim to a well-executed spear phishing attack, as well as those with less experience in online communication.
One of the best ways to ensure all employees are aware of the warning signs of spear phishing is employee cyber security training. When your business partners with a firm that conducts this training course, a faux spear phishing email is sent to key individuals in your company. The firm uses those individuals’ key information to craft a legitimate-looking email, then reports back which employees, unfortunately, fell for that fake spear phishing email.
This process, also known as a phishing simulation or phishing awareness training, spreads awareness of phishing throughout your company organically. Those who were fooled by the fake spear phishing email will, at the business owner’s discretion, be referred to a phishing awareness training session. From there, those employees will be in a much better position to recognize and resist future phishing attacks.
In addition, employees can check the sender address on emails from outside domains for validity, see whether the sender is in their contacts list, and never ignore warnings from their email programs, like Gmail and Outlook, if and when they appear.
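As an added illustration of the sender checks just listed (example code, not from Complete Business Systems): the function below parses a message’s From header and flags an external domain, a domain one or two typos away from the company’s own, a colleague’s display name paired with an outside address, and a sender missing from the contacts list. The internal domain, contacts, staff names and sample messages are constructed assumptions.

```python
"""Sender checks for inbound mail, modelled on the advice above (added example)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data: the company's domain, a contacts list and a staff directory.
INTERNAL_DOMAIN = "example-corp.test"
CONTACTS = {"alice@example-corp.test", "vendor@supplier.test"}
STAFF_NAMES = {"Alice Nguyen", "Bob Patel"}

# Constructed sample messages: one from a lookalike domain using a colleague's name,
# one genuinely internal.
SAMPLE_IMPERSONATION = (
    "From: Alice Nguyen <alice@example-c0rp.test>\r\n"
    "To: bob@example-corp.test\r\nSubject: quick favour\r\n\r\nDo you have a minute?\r\n"
)
SAMPLE_INTERNAL = (
    "From: Alice Nguyen <alice@example-corp.test>\r\n"
    "To: bob@example-corp.test\r\nSubject: lunch\r\n\r\nLunch at noon?\r\n"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that are a typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str, internal_domain: str = INTERNAL_DOMAIN,
                  contacts=CONTACTS, staff_names=STAFF_NAMES) -> list:
    """Return the warning flags a reader should weigh before acting on a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    flags = []
    if domain != internal_domain:
        flags.append("external_domain")
        if 0 < edit_distance(domain, internal_domain) <= 2:
            flags.append("lookalike_domain")
        if display_name.strip() in staff_names:
            flags.append("colleague_name_on_external_address")
    if address not in contacts:
        flags.append("sender_not_in_contacts")
    return flags
```

A mail client plugin or a mail gateway rule would run these checks on every inbound message and surface the flags as the kind of warning the text says employees should never ignore.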