Spear Phishing Attacks - How to Prevent and Protect

Fishing, phishing, spear phishing?!  It's often hard to know the difference between types of cyber attacks.  Spear phishing is a highly targeted form of phishing in which the attacker researches specific targets and poses as a sender they trust.  The goal of spear phishing is either to infect users with malware or to steal sensitive business information in order to commit crimes such as fraud and identity theft.

While regular phishing campaigns take aim at large numbers of targets, spear phishing uses specifically crafted emails that aim to penetrate one company.  These attacks can involve documents laced with malware or links to credential-stealing sites, used to steal information or break into payment systems.  Spear phishing is particularly dangerous because the design of the campaign allows it to circumvent email security such as spam filters.  Most of these emails contain no harmful links or attachments at all; they rely instead on spoofing techniques combined with social engineering, so they are unlikely to be blocked.

The three most common spear phishing attacks are the following:

  • Brand impersonation - In this type of attack, the criminal pretends to be from a trusted brand or company.  The emails resemble communications from well-known banks, credit card companies, technology companies and even government agencies.  The ultimate goal is to obtain the target's credentials and gain access to their accounts, or to steal personal information to sell to others.
  • CEO Fraud or Business Email Compromise - The basic premise of this scam is that the attacker sends an email impersonating the CEO of a company to someone in a high-level position in a department such as finance or human resources, and requests sensitive information or a money transfer.  The FBI estimates losses from these types of attacks in the hundreds of millions of dollars.
  • Blackmail scams - These scams involve sending emails to people demanding payment in bitcoin in exchange for keeping quiet about the victim's purported online activities on adult websites or even extramarital affairs!  The attacker threatens to send video of the activity to every contact in the victim's address book, their Facebook friends and the like.  To avoid that, the attacker tells the victim, they can pay a designated amount of bitcoin and the evidence will go away.

With all of these attacks and attempts at extortion and stealing, how can a business protect itself from becoming a victim?  Here are several ways to consider:

  1. Be wary of unsolicited emails that press for urgency.  If an email looks strange, verify with the person who supposedly sent it, using a contact method you already know rather than replying to the message, that the request is legitimate.
  2. Train employees to recognize and report attacks - A security awareness training program is an absolute must in today's threat environment.  Teaching employees how to identify and report spear phishing attacks is critical in keeping attacks at bay.  Through simulations of emails, voicemails and texts, businesses can train their employees to identify spear phishing before being compromised.
  3. Don't click on links or attachments from unknown sources.  This seems intuitive, but if the email appears to come from someone you know and trust, you may not think twice.  Always confirm that the sender is who they claim to be.
  4. Block threats that arrive via email using hosted email security and antispam protection.
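The red flags behind these tips (a trusted name on an outside sending address, a Reply-To that diverts the conversation, a lookalike domain, urgency language pushing for a transfer) can also be scored automatically before a message reaches a person. The following is an added example written for this page, not tooling from Fraser or any product named here: it parses a raw message with Python's standard email library and returns the findings. The internal domain `example.com`, the executive roster, the urgency word list and both sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic spear-phishing triage for an inbound message (added example).

Looks for the spear-phishing patterns described above: an executive's
display name on an address outside the organisation (CEO fraud), a
Reply-To that diverges from From, a lookalike sending domain (brand
impersonation), and urgency/payment language.  Two or more findings
send the message to human review.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (hypothetical): internal domain and executive roster.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# Constructed list of phrases that typically accompany a fraudulent request.
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|right away|wire transfer|gift cards?|"
    r"verify your (?:account|password)|before end of day)\b",
    re.IGNORECASE,
)


def analyze(raw_message: str) -> dict:
    """Return a triage record: sender, findings, score and verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name matches an executive, but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonates executive")

    # 2. Replies would go somewhere other than the visible From address.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to diverges from from")

    # 3. Sending domain is not ours but reuses our brand label (lookalike).
    brand_label = INTERNAL_DOMAIN.split(".")[0]
    if sender_domain and sender_domain != INTERNAL_DOMAIN and brand_label in sender_domain:
        findings.append("lookalike sending domain")

    # 4. Urgency or payment language in the subject or (single-part) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = sorted({m.group(0).lower() for m in URGENCY_TERMS.finditer(text)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    score = len(findings)
    return {
        "from": addr,
        "findings": findings,
        "score": score,
        "verdict": "review" if score >= 2 else "ok",
    }


# Constructed sample: CEO-fraud style request from a lookalike domain.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@freemail.invalid
To: finance@example.com
Subject: Urgent wire transfer needed today

I'm in a meeting and can't talk. Please process this wire transfer immediately.
"""

# Constructed sample: ordinary internal message from the real executive address.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Attached are my notes from yesterday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze(sample))
```

The heuristics are deliberately simple and will produce false positives (a legitimate vendor domain that happens to contain your brand name, for instance), so the output is a review queue for a human, not an automatic block. In a real deployment the roster and domain list would come from the directory, and the score would be one signal alongside SPF/DKIM/DMARC results from the mail gateway.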

Spear phishing is a real threat to today's businesses, and preventing these attacks takes a multi-layered approach.  Fraser can work with your business to create a program that protects you and your sensitive information from today's hackers.  To learn more about Fraser's security programs, contact us today.