Monday, 19 June 2017

The Rise of Personally-Targeted Spear-Phishing Attacks & How to Defend Yourself From Them...


As we all become more wary about the tell-tale signs of a phishing email attack, criminals are turning to a more targeted approach to email scamming: the spear-phishing attack.

We give you the answers you need to help you to protect yourself and your users from a spear-phishing attack.

What is spear phishing?

We’re all familiar with a traditional phishing scam, where criminals send emails asking for credit card numbers, account information, or other personal or financial details that look as if they come from a reputable company or individual. These attacks are usually characterised by poor quality images and language (e.g. spelling mistakes) but are sent in huge numbers, relying on the fact that at least a few people will be fooled.

A spear-phishing attack uses the same scam, but in a much more targeted and insidious way.

What does a spear-phishing attack look like?

Typically, a spear-phishing email is sent to far fewer recipients and will look much more like a trusted source. This is because, before launching the attack, the attacker will have carefully gathered information about the intended target(s) – effectively using your web and social media presence against you.

By limiting the number of targets, it is easier to include personal information in each email, making the messages appear more credible.

For example, an attack might be focused on individuals who have posted reviews of a product from a particular online retailer to their social profiles, making it easy for the attacker to send them an email “from the retailer” asking them about the product they reviewed.

In corporate attacks, a common approach is to make it look like the attack is coming from within your organisation. For example, in 2015, Ubiquiti Networks fell victim to a spear-phishing attack in which emails purporting to come from the company’s own executive team asked employees to transfer funds overseas.

It isn’t uncommon for spear-phishing attacks to replicate organisational signatures, language and other email standards – making them genuinely difficult to spot.

All it takes is one employee to be rushing as they clear out their inbox and an attack could be successful.

How can you protect your company from a spear-phishing attack?

Worryingly, as well as being more difficult for your employees to spot because of the degree of preparation and personalisation, a spear-phishing attack is also far more likely to slip past your email security tools.

This means, like any other security challenge, the solution is going to be a combination of education, policy, and technology. There are some email security tools available on the market which are specifically designed to prevent – or, at least, minimise the likelihood of – a spear-phishing attack reaching its intended recipient. These use machine learning to respond quickly to changing patterns in email traffic.

What can I tell staff to help them protect our business against spear-phishing attacks?

Education programmes are important to ensure all staff are aware of the risks. Extra vigilance when opening emails is required – even when they look as though they come from within the organisation.

If an email does arouse suspicions, here are a few tips for vigilance:

• Check the “from” field carefully – don’t assume the “displayed name” is the same as the email address it was sent from; it is easy to spoof a displayed name. If in doubt, right-click to reveal the sender’s email address. Be wary of “nearly but not quite” domains which resemble those of other companies.

• If the email seems suspicious, it is worth verifying the contents/request via another communication medium – don’t ask for confirmation by replying to the message. Use the phone or the company chat tool.

• If a company asks you to change your password then don’t use the link in the email. Log into your account with them as you would normally and check if the change is necessary from there.

• Never send personal or financial information in the body of an email.
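As an added illustration of the first tip above (this is example code, not part of the original post), the following Python check applies both points to a raw “From:” header value: it flags a display name that embeds an address on a different domain from the real sender, and a “nearly but not quite” domain that sits within two edits of a trusted one. The trusted-domain list and the sample headers are constructed assumptions.

```python
import email.utils
import re

# Constructed for this example: the domains an organisation treats as its own or as trusted partners.
TRUSTED_DOMAINS = {"example.com", "retailer-example.co.uk"}

# Matches an email address embedded inside a display name, capturing its domain.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(raw_from):
    """Return a list of warning strings for a raw From: header value (empty if nothing suspicious)."""
    display_name, address = email.utils.parseaddr(raw_from)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if not domain:
        return ["unparseable or missing sender address"]
    warnings = []
    # Display name carrying an address whose domain differs from the real sending domain.
    match = EMAIL_IN_NAME.search(display_name)
    if match and match.group(1).lower() != domain:
        warnings.append(f"display name shows {match.group(1).lower()} but message is from {domain}")
    # Sender domain that is not trusted but is only a character or two away from a trusted one.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= 2:
                warnings.append(f"{domain} looks like trusted domain {trusted}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one with a spoofed display name and a lookalike domain.
    for sample in ["Finance Team <cfo@example.com>", '"cfo@example.com" <cfo@examp1e.com>']:
        print(sample, "->", check_from_header(sample) or "no warnings")
```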


We can’t always prevent personal information about our businesses and staff being available online; sharing a professional presence is necessary because of the way we do business today.

However, we need to be aware of how this information can be used against us and be wary of the changing methods criminal scammers are adopting in response to our improving defences.

Unfortunately, it is a continual battle – but, with the right education, policies, and technology, one that you can win most of the time. Just remember that the criminal only needs to be successful once to make it worth their time and effort.

Be vigilant! Every day!

If you would like some help with your IT Security education, policies or technology to guard yourself against IT security threats, then get in touch with the IT Security professionals at Grant McGregor Ltd.

We are accredited by the UK Government to assess and advise on IT Security best practice and we can help you with checking or improving your security with the Cyber Essentials security assessment and certification scheme.

Find out how we can help you here.


Photo credit: JTF Guantanamo via Foter.com / CC BY-ND