Jan 08, 2018
Even as organisations improve their security, and begin to filter out the huge amounts of spam emails they receive each and every day, the security landscape is changing. Phishing attacks have evolved, and now organisations have a much bigger problem to contend with: spear phishing. Today, I'm looking at spear phishing attacks: their unique characteristics, the threat they pose, and six actionable ways to protect your organisation.
What is Spear Phishing?
Spear phishing is a type of targeted email scam. Highly personalised emails are sent to the employees of an organisation, from an apparently trusted source. The emails contain some form of malware, or a link to a website harboring malicious code, in order to extract sensitive information and login credentials. These attacks are often designed for the collection and resale of sensitive information. In some instances, they can even be used to cripple an organisation's IT infrastructure. Government and professional services industries are at the greatest risk of spear phishing, with large enterprise organisations bearing the brunt of the attacks since 2012. With more employees to target, the chances of success are greater; offering access to huge amounts of sensitive (and valuable) information in the process (Symantec Internet Security Threat Report, 2014).
6 Ways to Reduce the Risks of Spear Phishing Attacks
1) Raise Awareness of Spear Phishing
Spear phishing attacks rely on a handful of relatively simple principles, and by recognising the hallmarks of these types of attacks, it's possible for employees to identify attempts at spear phishing. Some common characteristics include:
- Unexpected or confusing emails.
- Written URLs that differ from the hyperlinks attached to them (like facebook.com leading to a website called facebbook.com).
- Poor spelling and grammar.
- Requests for personal information.
- The overuse of particular phrases, like 'Re:', 'order', 'payment', 'purchase order', etc.
- The email simply doesn't look right.
2) Create an Inbound Email Sandbox
Email sandboxing is a way of executing your email's software and attachments in a contained environment, separate from your organisation's IT infrastructure. After execution, the sandbox can be deleted, taking any malicious executables with it. If employees regularly receive emails with malicious attachments, sandboxing your email client can be a great way of allowing employees to engage with their emails, without putting the wider organisation at risk.
3) Create a BYOD Policy
Importantly, sandboxing will only offer protection to emails opened within the organisation's own email client. By accessing those same malicious emails through a personal email client, connected to the organisation's network, malicious software can still compromise the network. To reduce the risks of this happening, it's important to understand the impact of Shadow IT, and develop a defined Bring Your Own Device (BYOD) policy: a set of codified standards, rules and best practices for the use of personal devices in the workplace.
4) Improve Social Media Awareness
Much of the information used to personalise spear phishing emails is collected from social media. By encouraging social media awareness, and even rolling out social media security training, you'll help employees to secure their personal data, reducing the efficacy of spear phishing in the process.
5) Use a Password Management Tool
Many spear phishing attacks are used to collect usernames and passwords, to gain access to an organisation's software and data. The problem is worsened by employees using the same insecure passwords across multiple accounts, making it easy for hackers to gain access to dozens of secure systems. A password management tool will make it easier for employees to manage and use unique, secure passwords; reducing the likelihood that a single compromised password will cause a devastating amount of damage.
6) Address the Human Risk to Security
Spear phishing works because it targets the end-user, and in doing so, creates a way to bypass most conventional security systems. As a result, the only tried-and-tested way to reduce the impact of spear phishing is to educate your employees. This extends beyond spear phishing; by creating a culture of awareness, employees will feel empowered to identify, raise awareness of, and act upon all forms of potential security threats.