By this point, the dangers presented by phishing attacks are becoming increasingly well known. Business leaders recognize that information security awareness is critical for organizations of all kinds, and these programs need to focus heavily on phishing if firms want to remain protected in the current cybersecurity landscape.
However, to truly remain safe and minimize the risk of a damaging data breach, businesses need to account not just for generalized phishing attacks, but also spear phishing. Also known as social engineering, these efforts are more targeted, and therefore more difficult to recognize and combat. And as Computerworld recently highlighted, they are increasingly common.
Subtle attacks
While phishing emails are themselves more subtle than traditional cyberattacks, spear phishing efforts go even further in this regard. These attacks incorporate individual information from the cybercriminals’ targets, making the fraudulent messages seem more legitimate.
“One hacker created a fraudulent LinkedIn profile specifically to target employees.”
For example, the source noted that one hacker created a fraudulent LinkedIn profile specifically to target employees at a particular company. Once the targets accept the connection request, the hacker will have gained access to that organizations’ employees’ profiles. This in turn can enable a wide range of fraudulent activities.
Similarly, the source pointed out that some spear phishers will create fake emails purporting to come from LinkedIn. When the target clicks on the link, he or she is taken to a website which appears to be a legitimate LinkedIn page, but is actually owned and operated by the cyberattacker. When targets attempt to log in, the hacker learns their passwords. This can lead to not just identity theft, but also more ambitious attacks on the targets’ companies, using the illegally acquired personal information and credentials. From there, these incidents can develop into full-blown data breaches. After all, all a hacker needs in order to expose, steal or delete sensitive corporate information is a single opening in the company’s network.
Understanding the danger
Spear phishing attackers are particularly dangerous for companies because they are not only more convincing than typical phishing efforts, but also because they tend to frequently target individuals via social media. Employees will often include work-related information on their various social media accounts – not just LinkedIn, but also Facebook, Twitter, Instagram and others. The companies cannot exert much if any control on their workers’ private, personal accounts, and yet this presents a serious threat to their own security.
That is why it is so important for organizations to invest in employee information security awareness training that includes a well-developed, comprehensive phishing component. Workers need to learn how to recognize phishing and spear phishing attacks, and they simply will not receive this training unless their employers provide it.
Considering the difficulties of recognizing spear phishing attacks, and their growing popularity, it is critical for firms’ decision-makers to make sure they choose only the most reliable, well-regarded security awareness training solutions for their personnel. Anything less will likely fail to protect participants, and their companies, from these attacks.