Different Attack Tactics with Common Defenses
Highly targeted, spear phishing can be even more dangerous than traditional phishing. But there is common ground in the defense against both types of cyber attacks.
In the nautical world, boaters often say that a bad day of fishing beats a good day at work. In the cyber security world, any kind of phishing (that’s phishing with a PH) can ruin a day at work – or worse.
Over the years, phishing attacks have grown to be a favorite of the cybercrime world, where bad actors use deceptive emails, websites and text messages to successfully steal confidential personal and corporate information.
Lately, spear phishing has raised the danger of phishing to a new level of sophistication.
Understanding Conventional Phishing Attacks
But what exactly is spear phishing, and how does it compare to “just” phishing?
Traditional phishing attacks rely on a broad-strokes approach, using rather generic bulk email or text messages sent in the hope of tricking at least one recipient into falling victim to the attack. These phishing messages are often quickly crafted and usually include no personal information about the recipient.
Since they aren’t personal (and bad grammar can be a giveaway), bulk phishing messages are often correctly identified for what they are and quickly deleted. Even so, many less attentive individuals are still prone to opening email attachments without thoroughly verifying the sender’s email address before responding. For that reason, cyber security awareness training and phishing simulation are a great way to teach and reinforce the importance of being cyber aware when it comes to email.
How Spear Phishing Compares to Bulk Phishing
Spear phishing, on the other hand, is much more sophisticated and refined than the “spray and pray” technique of bulk email phishing.
With spear phishing, savvy criminals hyper-target their attacks on specific individuals and businesses, carefully collecting personal data about their targets and then sending emails that appear familiar and trustworthy.
Unlike bulk phishing emails, which often look like a scam at first glance, spear phishing emails seem believable because the cybercriminal has collected accurate information about the recipient, such as contact details, role and interests. This information is woven into the email to trick the recipient into believing it is legitimate.
What’s more, spear phishing emails are convincingly written as if they come from someone the recipient knows or trusts. Using a tone and voice that express urgency, the attacker compels the recipient to act immediately to prevent large losses, a legal charge or the shutdown of an account.
These well-written messages often include links to fake websites or attachments infected with malware, ransomware or spyware. In some cases the message contains no attachments or malicious links at all, only instructions for the recipient to follow, which makes it even harder for email security filters to spot.
Relying on the natural human tendency to trust, spear phishing emails blatantly ask the recipient to respond quickly, for example to transfer a specific sum of money or to submit personal data such as a banking password.
And while many people are embarrassed to admit when they’ve been tricked by a spear phishing email, it doesn’t change the cold hard fact that this kind of sophisticated social engineering works.
Growing Spear Phishing Threats are Catching Individuals and Businesses Alike
In fact, according to a July report published by global insurance leader AIG, a form of spear phishing known as business email compromise (BEC) has eclipsed ransomware as the main driver of the firm’s cyber claims in EMEA. And a 2018 report by the American cyber security software vendor Symantec revealed that more than 70% of targeted attacks involved the use of spear phishing emails.
It seems cybercriminals are having luck successfully compromising both individuals and businesses.
For the unsuspecting individual, a spear phishing attack may involve an email that appears to come from the person’s bank or a reputable business such as Amazon. The message may appear to be a shopping notice or transaction confirmation request that entices the reader to click a malicious link or respond with confidential personal information that the cybercriminal can use for other crimes.
Clever criminals also attack businesses, often targeting a handful of employees at a given company. A legitimate-looking email may be sent to those employees, appearing to come from their manager or a company executive, directing them to transfer money, reveal a password or provide confidential company information. The email typically has an air of urgency, giving victims the impression that the company will be in jeopardy unless they quickly take the requested action.
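The traits described above (a trusted-looking sender name on an outside address, redirected replies, urgency, and a money or credential request with no link or attachment for a filter to catch) can be turned into a simple mail-gateway heuristic. The example below is added here and is not code from the original article or its vendor; the domain, executive names, sample messages and weights are constructed assumptions.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample messages (not from the article). The first mimics the
# executive-impersonation lure described above; the second is routine mail.
BEC_SAMPLE = """From: "Dana Patel (CEO)" <dana.patel@examp1e-corp.com>
Reply-To: dana.ceo@mail-example.net
To: accounts@example-corp.com
Subject: URGENT wire needed before 3pm

I'm in a meeting and can't talk. Please transfer $48,500 to the vendor today
and send me the confirmation. This is time sensitive, keep it confidential.
"""

BENIGN_SAMPLE = """From: "Dana Patel" <dana.patel@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget deck

Attached is the draft deck for Thursday. No rush, comments welcome next week.
"""

INTERNAL_DOMAIN = "example-corp.com"   # assumed: the organisation's own mail domain
PROTECTED_NAMES = {"dana patel"}       # assumed: executives whose names get impersonated
URGENCY = re.compile(r"\b(urgent|immediately|today|time sensitive|asap|right away)\b", re.I)
REQUEST = re.compile(r"\b(wire|transfer|gift card|password|credentials|invoice|payment)\b", re.I)


def score_message(raw):
    """Return (score, signals): which spear-phishing traits the message shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    signals = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    # A protected display name arriving from outside the internal domain
    if from_domain != INTERNAL_DOMAIN and any(n in name.lower() for n in PROTECTED_NAMES):
        signals.append("display-name impersonation")
    # Replies silently redirected to a domain other than the sender's
    if msg["Reply-To"]:
        _, reply = email.utils.parseaddr(str(msg["Reply-To"]))
        if reply.rsplit("@", 1)[-1].lower() != from_domain:
            signals.append("reply-to mismatch")
    text = f"{msg['Subject']}\n{msg.get_payload()}"
    if URGENCY.search(text):
        signals.append("urgency language")
    if REQUEST.search(text):
        signals.append("money or credential request")
    # Impersonation and redirected replies weigh more than wording alone
    weights = {"display-name impersonation": 2, "reply-to mismatch": 2}
    return sum(weights.get(s, 1) for s in signals), signals


def is_suspicious(raw, threshold=3):
    return score_message(raw)[0] >= threshold
```

Wording signals alone never cross the threshold, so a genuine internal "please pay this invoice today" is not flagged; the sender-identity mismatches are what tip the score.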
7 Ways to Protect Your Organization Against Spear Phishing
While the danger of spear phishing is real and complex, there are a number of ways organizations can limit their risk.
Read on for seven practical ways to prevent spear phishing attacks.
- Educate, educate, educate. It all starts with education. Educate employees about spear phishing. Take advantage of free phishing simulation tools to educate and identify spear phishing risks.
- Use proven security awareness training programs and create champions. Going beyond freely available tools, use proven security awareness training and phishing simulation platforms to keep spear phishing and social engineering risks top-of-mind across the workplace. Take advantage of phishing microlearning modules that are easy to implement and capture workers’ attention. Develop internal cyber security heroes who are committed to keeping your organization cyber secure.
- Monitor and measure results. Empower and remind the security leaders and cyber security heroes in your organization to regularly monitor employee spear phishing awareness with phishing simulation tools. Identify metrics to ensure that your educational initiatives are changing behavior.
- Spread the good word. Launch an organizational awareness campaign that provides ongoing communication about cyber security, spear phishing and social engineering. This includes establishing strong password policies and reminding employees about the risks that can come in the format of attachments, emails and URLs.
- Limit access. In today’s BYOD (bring your own device) era, it’s important to establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.
- Keep patches and releases current. Ensure that all applications, internal software, network tools and operating systems are up-to-date and secure. Install malware protection and anti-spam software.
- Create a security culture. Incorporate policies and procedures, best practices, executive security awareness, change management and support into your corporate culture.
At the end of the day, while there are fundamental differences in spear phishing vs. phishing, the solution to both shares some common elements.
Spear phishing simulation is the best way to raise awareness of spear phishing risks and to identify which employees are at risk for spear phishing and phishing. Such simulations allow organizations to easily incorporate cyber security awareness training into their organization in an interactive and informative format.
People can see first-hand how personalized, seemingly trustworthy emails are used to steal personal and corporate information. Just-in-time training attached to spear phishing simulations is an effective way for any organization to educate people and increase alertness levels to spear phishing attacks and techniques.
Ultimately, implementing the right security awareness training program – complemented by phishing simulation exercises – creates an effective defense against the growing threat of spear phishing.
CISSP, Global Channel Manager & Cyber Security Evangelist