Here is everything you need to know about spear phishing so you can avoid it like the plague
Many small business owners believe that spear phishing is something that only large enterprises are at risk from. That couldn’t be further from the truth...
A recent report by IDC found that 71% of data breaches now target small businesses, and more than 90% of all cyber attacks begin with a spear phishing email. Added to that, the latest State of the Phish by Wombat Security reports that 53% of information security professionals reported experiencing spear phishing in 2017, and nearly two-thirds of these were attacked between one and five times every quarter. Whether you are ready or not, now’s the time for you to take notice.
What is spear phishing, who uses it, and why?
Spear phishing is the act of targeting a specific individual, organisation, or group of people with malicious intent. This could be a CEO, a select group of managers, a high-level executive or any employee considered to be of ‘high value’ to the phisher.
For small to medium enterprises, this could include an attacker pretending to be a supplier to your industry, or someone sending an invoice to one of your financial team asking for payment (using a name, email address and role found through LinkedIn). Attachments could contain data-stealing malware or be used to fool you into parting with your money.
The biggest difference between generic phishing attacks and spear phishing is in the detail. Spear phishing is one of the most dangerous types of phishing because each campaign is well-researched and well-produced, and therefore difficult to distinguish from the legitimate emails your company sends and receives. This means people will be far more susceptible to the bait.
Very small businesses, in particular, find spear phishing a challenge as they are unlikely to have the internal processes in place to prevent an attack.
Small businesses are a prime target for spear phishing because:
- They are less likely to be actively looking for spear phishing emails
- They probably don’t have the right security in place to protect themselves
- They are unlikely to have invested in staff awareness training
There are generally two motives behind spear phishing: stealing confidential information or swindling you out of money. Regardless of the reason, the very first goal a spear phisher needs to achieve is to infiltrate your corporate network.
A phisherman will have your business profile and specific employee details collected and stored before an attack even begins. These are almost always procured via social engineering, either through researching a company on LinkedIn, or following you on Twitter or Facebook for example. Generally, the cyber criminal will have secured the details of individuals who can access the money, use and store customer information, or look after other high-value data for the business.
Who is at the most risk of being spear phished?
While traditionally the common targets of spear phishing were high-level employees with access to all the sensitive data, nowadays anyone within your company can be a potential access point for phishers.
However, the two most common departments to receive spear phishing emails are HR and Accounts.
HR is considered an easy target because they receive an abundance of email from external sources. CVs are sent as attachments from sources that are not known or verified, and unsuspecting employees might not think twice about opening these documents without checking them first.
Accounting departments obviously hold the key to all the money, making them very popular for spear phishers. They deal with a wide variety of people, from suppliers to contractors and regulators. They regularly send and receive invoices and work with money and banking software that requires logins and passwords. Successfully spear phishing an accounts team can win a criminal the big bucks.
Another fairly common victim is system administrators and IT staff. Phishers interested in hacking systems to spy on companies will target this group of people to gain access to your network systems and processes. Then they’ll watch and wait for an opportunity to attack further.
A successful attack can also cost a business a damaging amount of money. With the average cost of a cyber breach to SMEs standing anywhere between £75,000 and £310,000 according to PWC, knowing how to adequately protect your business is critical.
And it’s not just stolen money. Some of the other costs to a business from a spear phishing attack include:
- Loss of data
- Damage to IT systems and networks
- Replacement of infected devices
- Notifying customers and stakeholders, with the potential of having to pay compensation
- Re-building brand confidence
- Investigation and legal costs
- Dealing with regulatory bodies and the potential for fines
- Penalties from banks (for losing customer data for example)
- Damaged reputation
- Loss of profit while systems are down
How to protect your business from a spear phishing attack
Spear phishing requires a more comprehensive and eagle-eyed level of security than most other types of cyber attack.
Here are 8 actions you need to take to stop spear phishing from being successful…
1. Never click on a link or open an attachment from an unknown source. Get into the habit of thoroughly checking emails before doing anything at all.
2. Never send financial information or sensitive data electronically, regardless of how well you know the recipient.
3. Only share sensitive data like usernames and passwords on secure websites. Check that the address in your browser begins with https:// before doing anything.
4. Always be wary when you receive an email asking you to provide confidential information of any kind. Check with the sender over the phone that it was really them who sent it.
5. Regularly check your business online bank accounts and statements to ensure there is no fraudulent or strange activity.
6. Avoid logging into online banks or other important business accounts when you’re on public Wi-Fi networks. Open networks can be created by cyber attackers to trick you.
7. Always check any link you are sent before clicking it. Look for misspellings or irregularities. And if you want to follow the link, instead of clicking, open a new window or tab and enter the URL or part of the URL manually to check it’s okay.
8. Always check a sender’s full email address. Spear phishers can trick you by using the full name of someone you know, but the actual email address will usually be quite obviously fake.
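As an added example (not code from the original article), here are the checks in tips 7 and 8 written as a small Python script: it compares a sender's display name with the domain the address really uses, flags lookalike domains, and checks that a link's visible text and its real destination point at the same host. The contact list and the headers fed to it are constructed sample data.

```python
import difflib
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample data (not from the article): display names of people
# this business regularly emails, mapped to the domain they really use.
KNOWN_CONTACTS = {
    "jane smith": "acme-supplies.example",
    "tom lee": "firstbank.example",
}

def domain_of(addr):
    """Lower-cased domain part of an email address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_sender(from_header, known=KNOWN_CONTACTS, threshold=0.8):
    """Tip 8: a familiar display name must come from the familiar domain.
    Returns a list of warning strings; an empty list means nothing odd."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    if not domain:
        return ["From header has no usable address"]
    expected = known.get(name.strip().lower())
    if expected is None or domain == expected:
        return []  # unknown sender, or the domain we expect: nothing to flag
    # Near-identical domains (one swapped letter) are the classic lookalike.
    similarity = difflib.SequenceMatcher(None, domain, expected).ratio()
    if similarity >= threshold:
        return [f"lookalike domain {domain!r} imitates {expected!r}"]
    return [f"display name {name!r} is known but domain {domain!r} is not"]

def check_link(href, visible_text):
    """Tip 7: when the link text itself looks like a URL, the host it shows
    must be the host the href really points to."""
    real_host = urlparse(href).hostname or ""
    if "." not in visible_text or " " in visible_text:
        return []  # plain words such as "Click here": nothing to compare
    shown = visible_text if "://" in visible_text else "http://" + visible_text
    shown_host = urlparse(shown).hostname or ""
    if shown_host and shown_host != real_host:
        return [f"link text shows {shown_host!r} but points to {real_host!r}"]
    return []
```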
Alongside these general security tips, a small business can do two things company-wide to protect from spear phishing.
• Employ a multi-layered security system
In an ideal world, spear phishing emails should never reach an inbox. There are several different software services that can block many malicious messages, attachments, and links (we can help you find the best one for you).
And yet fraudulent emails will still slip through the net. That’s why a multi-layered security system that provides end-to-end protection for your business is the best bet. You can read about how to set up your own multi-layered system here.
• Educate employees on the risk
An adequately educated workforce can be your secret weapon in the fight against spear phishers. With all eyes trained to spot attacks, you’ll be in a much better place to ensure you can prevent data and money from being lost or stolen.
With phishing attacks unlikely to dissipate anytime soon, implementing a phishing awareness training program for your team is an investment in your business’s future.
At Xenace, we created Phishwise for this very reason. It’s an interactive learning platform for companies to educate their employees on how to spot an attack and what to do to avoid them. For more information visit our website or contact us now for an informal chat.