Spear phishing is a specific cyber-attack aimed at an individual or individuals that are associated with an organisation.
The US Federal Bureau of Investigation (FBI) gave the following example: “Customers of a telecommunications firm received an e-mail recently explaining a problem with their latest order. They were asked to go to the company website, via a link in the e-mail, to provide personal information—like their birthdates and Social Security numbers. But both the e-mail and the website where bogus.”
The key to spear phishing is that the criminal knows something about the recipient. In the FBI’s example, the criminal knows that the recipients were customers of a telecommunications company. It’s that small piece of information lends credibility to the scam.
The dangers of spear phishing
Imagine your staff getting an email from a criminal that says they would like to place an order at your restaurant. The email includes a word document with instructions to enable editing, and therefore open the floodgates for malware. This is exactly what happened at the restaurant chain Chipotle when millions of customers’ credit card numbers were stolen.
Spear phishing attacks differ from phishing attacks in that they are targeted to a specific group. In a traditional phishing attack, there is no information that shows that the sender knows who they’re reaching out to.
How to prevent spear phishing
Educate and train employees
Education is the most important way to prevent spear phishing in your business. Teach your staff what to look for and make sure that they understand the dangers of spear phishing.
Here are some of the guidelines that you can teach your employees to prevent spear phishing:
● Simply never use links in emails
Teach your employees to never click a link in an email. If a bank, or even your own company, requests that they log in or make changes, they should go to their browser and type in the URL themselves.
● Verify URLs
Every hotlink in an email or even on a website redirects to someplace else. Teach employees to look at the URL more than once before clicking anything. One of the tricks that criminals use is to create a close approximation of a domain. For example, to trick someone into clicking a page, they will change www.usbank.com to www.usbenk.com. The name is close enough to trick someone who is not reading closely.
● Never give out personal data
One simple rule to institute is to tell employees to never share any information like passwords or account numbers. Unless they are instructed to do so by management, they should never share any information. Moreover, they should never share it via email or any other electronic medium. Anything typed into a computer connected to the internet is susceptible to having information stolen.
● Be careful with social media
The more information that employees put on social media, the easier it can be for criminals to spear phish them. Criminals can use online information to increase confidence in the recipients.
Spear phishing prevention with software
There are several steps that you can take using software that can protect your company.
● Keep your software up-to-date
Spear phishing relies on malware to infect your system. By having the most recent patches and security software, you can minimize the risk of the malware if it arrives.
Antivirus software is, and always will be, a necessity. Look for software that scans and updates itself constantly. It could prevent malware from getting a foothold on your server.
● Encrypt sensitive data
File and data encryption is a great way to keep spear phishers from being able to use the data. All of the sensitive data on your network should be encrypted. This keeps any data that a criminal receives from being useful for anything.
● Multi-factor authentication
If someone asks for an employee’s password, but there are multiple layers of protection, the password is useless. For example, if your system is protected with passwords and bio-metrics, a password is useless on its own.
Staying safe from spear phishing
All spear phishing is based on human behavior. Therefore, the best way to make sure that your system stays safe from spear phishing is to teach your staff what to avoid.
The technological solutions are powerful, but education and security awareness training are the most important elements.