
Spear Phishing: What You Need To Know Right Now

by Fglynn | 25 Jun, 2011 | Security

Phishing attacks usually involve email messages, pop-ups, and websites that pretend to be from a legitimate bank, business, or well-known website. People encounter these ‘lures’ and, because they think they’re legitimate, share financial and personal information, login details, and contact information. Spear phishing, on the other hand, is a little more sophisticated.

How Spear Phishing Works

Spear phishing works in much the same way, except that it’s highly targeted. Attackers send emails, set up pop-ups, or create false versions of websites that members or employees of a particular organization, group, agency, or company would normally access.

Usually, these messages claim to be from someone who manages the computers or human resources at the mimicked website. They’ll almost always request login or personal information. The attacker then uses this information to gain access to the main system, which allows them to take over an entire computer.

Spear Phishing Attacks Expected to Rise

Several big brands have suffered security breaches in the last few years, compromising billions of users. Honda, McDonald’s, Epsilon, Sony, and many other companies have all lost email lists or sensitive user information.

This information could easily be used by hackers to start spear phishing attacks. What makes this truly scary is that the information compromised in these original attacks could make it significantly harder to tell phishing emails from genuine ones.

Email Programs Aren’t the Answer

Don’t make the mistake of thinking email programs will protect you from spear phishing attempts. A recent experiment by PacketFocus found most of the big name email products, including Microsoft Outlook and Exchange, Outlook Express, and Cisco IronPort, failed to protect users. The experiment sent out spoof emails that resembled a LinkedIn invitation to connect with Bill Gates. The experiment had a 100% delivery rate.

PacketFocus’ CEO Joshua Perrymon says these kinds of programs fail to protect users because they’re based on blacklists. Spammers, on the other hand, often run sophisticated spear phishing attacks from new servers, so there hasn’t been time or a reason to get those servers blacklisted.

Protect Yourself

Education and awareness are crucial to thwarting spear phishing attempts. Take time to educate staff on how spear phishing attacks work and how to reduce their effects. All employees, regardless of how long they’ve been at the company, should receive regular courses and education to keep their defenses up and keep them up-to-date with the latest security dangers.

  • Your online business habits matter too. Make sure when you, or your staff, sign up for vendor sites and other business related sites that you don’t provide more information than is absolutely necessary.
  • When something suspicious does occur, make it easy for users to report incidents. But more than that, make sure any reports or complaints are acted on quickly.
  • Set up a system to ensure all software and programs are updated regularly. This will minimize the amount of time security holes exist in your system. You’ll also want to check your site regularly and repair any weaknesses found. You may even consider penetration testing to ensure your security.
  • To prevent hackers from using your site and stealing information from your customers, don’t use emails to gather information from your users or employees. Then, make sure your users and employees know that. This way, they know instantly that any spam emails requesting this kind of information are phony.

Be on the lookout for suspicious emails. Phrases requesting personal information or urging you to log in through a link are usually a pretty good indication that an email is malicious. Links are another feature to watch. In a suspicious email, a link might look legitimate, but when you hover over it, the URL preview at the bottom of the browser is different. You also want to watch carefully for misspellings, typos, hyphens, and alternative top-level domains (TLDs).
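The link checks described above can also be automated on the mail-filtering side. The following is an added example, not part of the original article: it parses an HTML message body and flags links whose visible text names a different domain than the real target, plus hyphenated, misspelled, or alternative-TLD lookalikes of a trusted domain. The `TRUSTED` list, the flag names, the 0.8 similarity threshold, and the sample body (which uses reserved `.example` and `.test` domains) are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED = {"acmebank.example"}  # assumption: domains staff legitimately get mail from
SAMPLE = """<p>Constructed message body, not real mail.</p>
<a href="https://www.acmebank.example/help">acmebank.example/help</a>
<a href="http://acmebank.test/login">Log in</a>
<a href="https://acme-bank.example/reset">https://acmebank.example/reset</a>
<a href="http://acmebnak.example/">Click here</a>"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(value):  # last two host labels; simplification, no public-suffix list
    host = urlparse(value if "//" in value else "//" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text):  # warning signs for one link
    flags, dom = [], base_domain(href)
    shown_url = re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text)
    if shown_url and base_domain(text) != dom:
        flags.append("text-href-mismatch")      # what you read is not where you go
    name, _, tld = dom.partition(".")
    for good in ([] if dom in TRUSTED else TRUSTED):
        gname, _, gtld = good.partition(".")
        if name == gname and tld != gtld:
            flags.append("alternative-tld")
        elif name.replace("-", "") == gname or gname in name.split("-"):
            flags.append("hyphenated-lookalike")
        elif SequenceMatcher(None, name, gname).ratio() >= 0.8:
            flags.append("near-miss-spelling")
    return flags

def scan(html):  # map each href in an HTML body to its warning signs
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Calling `scan(SAMPLE)` returns an empty list for the genuine link and one or more flags for each of the other three. A production filter would use a public-suffix list instead of the two-label shortcut in `base_domain`.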

It’s easy to sacrifice security in favor of speed and efficiency, but considering the possible outcome, this sacrifice just isn’t worth it. Educate yourself and always be cautious about emails with links or information requests.

Author: Fglynn

Fergal is the director of product marketing and a writer for Veracode, where they feature cross site request forgery prevention. Fergal has spent most of his career working extensively in internet security and software development.
