Spear Phishing — On the Rise and How to Protect Yourself and Your Organization
Have you heard of spear phishing? It’s likely, since spear phishing has become one of the most common sources of company breaches, as evidenced by a mountain of reports from this year alone.
[In case you missed it: A method of using social engineering, spear phishing aims to obtain information through personalized email messages that are finely tailored to the target (often a C-Level employee or Manager, but not always). Effective spear phishing requires detailed information about the target, gathered through open-source intelligence (OSINT), which can be used to craft an email the target is likely to interact with. Once the target interacts with the email by clicking the link and going to the malicious website or opening the infected document, who knows what could happen? An attacker who has gained access can obtain access to intellectual property or customer data and can compromise, exploit, and damage systems.]
It’s time to buckle down with some scary stats and think about what we can do to keep ourselves safe.
Let’s start with the scary stats:
The Montana Office of Consumer protection has reported receiving numerous complaints involving a spear phishing scam in which the scammer impersonated a company executive and requested that a fellow employee give over the information on their W-2. Another spear phishing scam, levied against Ubiquiti Networks, Inc., cost the company lost $46.7 million. An unidentified company in New York City was victimized by a spear phish in which the attacker pretended to be an Asian-based vendor that they had done frequent business with in the past. That company lost $98.9 million.
Not scary enough? Let’s keep going:
On average, 30% of recipients now open phishing messages, and 12% will click on attachments, according to the 2016 Verizon Data Breach Investigations Report. The report also states that, “Phishing has continued to trend upward (like spawning salmon?) and is found in the most opportunistic attacks as well as the sophisticated nation state tomfoolery.” In addition, according to the 2016 Tripwire RSA Survey, more than 50% of 200 surveyed security professionals are not confident that their executives can spot a phish and that they have seen an increase in spear phishing over the last 12 months.
So, how do you protect yourself or your company? Of course there’s no one-size-fits-all solution, but we’ve made it easy for you to get a head start with the following three steps.
Install technical solutions
When it comes to technical solutions, a great first step is installing endpoint protection (devices or applications that can scan incoming and outgoing email and will open any the web links or attachments in a sandbox). These applications help isolate malicious web links or infected attachments and prevent them from harming your systems.
Aside from endpoint protection, you can also implement stronger authentication requirements for employee access to sensitive data and systems. Many companies put in place multi-factor authentication to this end.
Implement clear and consistent policies
Policies should be clear, concise, easy to understand, and consistent. A good communications policy, for instance, would be standard, convey a consistent message, and avoid confusing language. The policy could include what format emails should be sent in and guidelines for what shouldn’t be included, such as personal information or hyperlinks.
Why are policies about the format and content of emails important? Spear phishing relies on fooling targets that the email comes from a reputable source, often an internal source. If a good communications policy is in place, targets will be able to tell at a glance that a spear phish did not come from who it says it did because it won’t follow company guidelines. Easy peasy.
Train and educate all employees
Since technical solutions and policies can help but will not prevent all spear phish from getting through, another layer of protection that can help is the training and education of employees. Remember, a company is only as secure as its weakest link. Educating and training users, including the C-level executives, is vital.
There is no one cookie-cutter security awareness training program. Phishing awareness programs can send targeted emails with a link that sends employees who click on it to a training/education page or through CBT’s (Computer Based Training) that requires the employee will sit through videos and training modules. Either way, the focus of a good phishing awareness program is training and educating employees on how to recognize a malicious email and what to do when they do.
Companies that employ a combination of technical solutions, company policies, and security awareness training for employees, especially those that hold the keys to the kingdom, are well on their way to preventing themselves from becoming victims of spear phishing attacks. But for individuals that may not have the same extent of available resources as bigger companies — and even individuals within those bigger companies — , there are some basic individual steps that can help reduce the possibility of compromise.
It’s natural to be trusting, but we need to be suspicious of emails that request unusual information. If a vendor asks you to change the way they get paid, or you get an unusual request from someone in management, call to confirm. If someone is asking you for personal information, usernames, or passwords by email, question it. Why are they asking me for this? Is it normal for them to get this information this way? (Quick answer: No. It should never be normal to send usernames and passwords via email.)
Check the reply-to email address and validate that it is from a real person. If the email says it’s coming from someone you know, like a close friend, a family member, or a co-worker, confirm that it is really from that person. Check the domain and validate that it is from one that you recognize. (I can’t tell you how many times I’ve used domains that are close to the real one and successfully gotten the target to believe it.) Check the link in the email. Is that a legitimate domain? Remember to never click on a link in an email. If the link appears to come from a domain you recognize, go to the company website from the browser, not through the link.
Beware of social media
Attackers can use any of your public accounts to find personal information about you. Be aware of who can see your information, and, if possible, don’t leave it publicly viewable. Use those privacy settings you heard so much about. If you have your information about yourself and your family on your social media accounts, be wary of emails that are about subjects and events that are personal to you. For example, if you Tweet about participating in a run for cancer awareness, know that it can be used against you.
While following these steps will help you be more safe and secure, remember that we are only human. We will make mistakes, but we can limit the number and magnitude of those mistakes if we think ahead and preempt our security practices. If you work for a company, make sure you always report any malicious emails properly — and if you click on a link or open an attachment and something doesn’t seem right, call or email your security team right away. The worst thing to do is nothing. If you do nothing, the situation almost always gets worse.
It’s true, spear phishing is a growing threat, but we can combat it. We can use technical means, company policies and, most importantly, training and education to make us more secure.
Written By: Mike Hadnagy