Spear phishing - Danger in Familiarity

Posted by Ragnar Sigurdsson

Spear phishing is a targeted cyber-attack aimed at one or more individuals who are associated with a particular organization.

The US Federal Bureau of Investigation (FBI) gives this example: “Customers of a telecommunications firm received an e-mail recently explaining a problem with their latest order. They were asked to go to the company website, via a link in the e-mail, to provide personal information—like their birthdates and Social Security numbers. But both the e-mail and the website were bogus.”

The key to spear phishing is that the criminal knows something about the recipient. In the FBI example, the criminal knew that the recipients were customers of a particular telecommunications company. It’s that small piece of information that lends credibility to the scam.


Important - The Dangers of Spear Phishing


Imagine your staff getting an email from a criminal who says they would like to place an order at your restaurant. It includes a Word document with instructions to enable editing, the usual pretext for getting the reader to let the document’s macros run, which opens the floodgates for malware. This is exactly what happened at the restaurant chain Chipotle when millions of customers’ credit card numbers were stolen.

Spear phishing differs from ordinary phishing, which is not targeted at any particular group. In a traditional phishing email there is nothing to show that the sender knows who they are writing to.


How to prevent spear phishing

Educating staff

The most important way to prevent spear phishing in your business is education. Teach your staff what to look for and make sure that they understand the dangers of spear phishing. 

Here are some of the guidelines that you can teach your staff to prevent spear phishing: 

Never use links in emails - Teach staff never to click a link in an email. If a bank, or even your own company, asks them to log in or change something, they should open a browser and type the address themselves, or use a bookmark they saved earlier.

Verify URLs - The text of a link and its actual destination are independent: a link that reads one way in an email, or even on a website, can send the reader somewhere else entirely. Teach staff to hover over a link and read the real URL more than once before clicking anything. One of the tricks that criminals use is to register a close approximation of a legitimate domain. For example, to trick someone into clicking, they change www.usbank.com to www.usbenk.com. The name is close enough to fool someone who is not reading closely. The part that matters is the domain immediately before the first slash; a familiar name that appears earlier in the address, as a subdomain of some other domain, is not the site it resembles.

Never give out personal data - One simple rule to institute is that staff never share information such as passwords or account numbers, and never send it by email or any other electronic channel. A request that appears to come from management should itself be verified through a known channel, such as a phone call to a number already on file, before anything is shared: impersonating a manager is a common spear-phishing pretext. Anything typed into a web form or a message can end up in a criminal’s hands if the recipient is not who it claims to be.

Be careful with social media - The more information employees put on social media, the easier it is for criminals to spear phish them. Details such as job title, colleagues, suppliers, and recent projects let the attacker craft a message the recipient finds convincing.
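The “Verify URLs” guideline above can be automated at the mail gateway or in a training tool. The following is an added example, not code from the original post: it pulls every link out of a constructed HTML email body and applies the checks described in the text (link text that does not match the real destination, near-miss spellings of a trusted domain, a trusted name buried as a subdomain of another domain, and punycode hostnames). The allowlist TRUSTED_DOMAINS, the sample message, and the punycode label are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body for the demonstration (not a real message).
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your latest order. Please sign in to resolve it:</p>
<a href="https://www.usbenk.com/login">https://www.usbank.com/login</a><br>
<a href="http://www.usbank.com.secure-update.example/verify">Verify your account</a><br>
<a href="https://xn--usbnk-0ra.com/login">Account settings</a><br>
<a href="https://www.usbank.com/help">Help center</a>
"""

# Hypothetical allowlist of domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"usbank.com"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two DNS labels of a hostname, i.e. the part 'just before the first slash'
    that the guideline tells staff to read. Simplified: ignores multi-label public
    suffixes such as co.uk, which a production tool would handle with a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; a value of 1 or 2 between an untrusted and a trusted
    domain is the 'usbenk' versus 'usbank' trick the guideline describes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link deserves suspicion (empty if none)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)

    # 1. The visible text is itself a URL whose domain differs from the real destination.
    shown = text.strip()
    if re.match(r"https?://", shown, re.I):
        shown_domain = registrable_domain(urlparse(shown).hostname or "")
        if shown_domain != domain:
            findings.append(f"link text shows {shown_domain} but points to {domain}")

    if domain in trusted:
        return findings

    # 2. Internationalised (punycode) hostname: frequently a homoglyph of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode hostname {host}")

    for t in trusted:
        # 3. Trusted name used as a subdomain of someone else's domain.
        if ("." + t + ".") in ("." + host + "."):
            findings.append(f"{t} appears inside {host}, but the real domain is {domain}")
        # 4. Near-miss spelling of a trusted domain.
        if 0 < edit_distance(domain, t) <= 2:
            findings.append(f"{domain} is a lookalike of {t}")
    return findings


def scan_email(html):
    """Return [(href, [findings...]), ...] for every link in the message body."""
    return [(href, check_link(href, text)) for href, text in LINK_RE.findall(html)]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML):
        print("SUSPECT" if findings else "OK     ", href)
        for f in findings:
            print("         -", f)
```

Only the last link in the sample comes back clean; the other three are each flagged for a different reason. The edit-distance threshold is deliberately small so that genuinely unrelated domains are not reported as lookalikes.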


Spear phishing prevention with software

 There are several steps that you can take using software that can protect your company.

Keep your software up-to-date - Spear phishing often delivers malware, whether through an attachment or a link. By having the most recent patches and current security software, you reduce the damage the malware can do if it arrives.

Antivirus software is always a necessity. Look for a product that scans continuously and updates itself automatically; it can prevent malware from gaining a foothold on your servers and workstations.
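A simple software control against the attachment lure described in the Chipotle example above is to refuse macro-bearing Office documents at the mail gateway. The following is an added example, not code from the original post or from any named product: it inspects an attachment by content rather than by file extension, looking for the vbaProject.bin part and the macro-enabled content types inside the OOXML zip package, so renaming a .docm to .docx does not hide the VBA. The two sample packages are constructed in memory for the demonstration and are not real Word output; the hypothetical gateway would call attachment_verdict on each incoming attachment.

```python
import io
import zipfile

# Minimal [Content_Types].xml bodies, constructed for the demo (real Word files carry more parts).
CONTENT_TYPES_DOCX = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_DOCM = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/document.xml"
    ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""

# Strings that only appear in the content-types part of a macro-enabled package.
MACRO_MARKERS = ("vnd.ms-office.vbaProject", "macroEnabled")
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def build_attachment(macro_enabled):
    """Build an in-memory OOXML-style zip, with or without a VBA part (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_DOCM if macro_enabled else CONTENT_TYPES_DOCX)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            z.writestr("word/vbaProject.bin", b"\x00placeholder vba stream\x00")
    return buf.getvalue()


def attachment_verdict(filename, data):
    """Classify one attachment as ('blocked', reasons) or ('allowed', [])."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension .{ext}")

    # OOXML packages are zip files; inspect the contents regardless of extension.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    reasons.append("package contains vbaProject.bin")
                if "[Content_Types].xml" in names:
                    ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    for marker in MACRO_MARKERS:
                        if marker in ct:
                            reasons.append(f"content types declare {marker}")
        except zipfile.BadZipFile:
            reasons.append("starts like a zip package but cannot be parsed")
    return ("blocked" if reasons else "allowed"), reasons


if __name__ == "__main__":
    for name, payload in [("order.docx", build_attachment(False)),
                          ("order.docx", build_attachment(True)),   # renamed .docm
                          ("order.docm", build_attachment(True)),
                          ("notes.txt", b"just text")]:
        verdict, why = attachment_verdict(name, payload)
        print(f"{name}: {verdict} {why}")
```

This check covers the OOXML formats only. Legacy binary .doc and .xls files store macros in an OLE compound document rather than a zip, so a gateway that admits those formats needs a separate OLE parser, and it is simpler to block the legacy formats outright.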

Encrypt sensitive data - File and data encryption keeps spear phishers from using data they manage to copy. All sensitive data on your network should be encrypted at rest. Note the limit of this control: it protects data that is copied off a disk or a backup, but it does not help when the attacker logs in with a phished employee’s own credentials, because that account decrypts the data as part of normal use.

Multifactor authentication - If someone tricks an employee into giving up a password, but the account is protected by additional factors, the password alone is useless. For example, if logins require a password and a biometric or a hardware security key, a phished password on its own gets the attacker nowhere. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys: a one-time code typed into a lookalike site can be relayed by the attacker to the real site in real time, whereas a security key’s response is bound to the domain the browser is actually on, so a lookalike domain cannot complete the login.


Staying safe from spear phishing

All spear phishing is based on human behavior. The best way to make sure that your systems stay safe from spear phishing is to teach your staff what to avoid.

The technological solutions are powerful, but education is the most important element.


Topics: security awareness, phishing, spearphishing