Spear-phishing is one of the most effective ways attackers and scammers target a business. In one study, 50% of users clicked the link in a spear-phishing email. So how can you educate your employees to recognise spear-phishes and, most importantly, stop them from succeeding?
What is Spear-Phishing?
Spear-phishing is a highly targeted form of phishing. Rather than a bulk mailing, the attacker picks a specific organisation or individual and sends a crafted email carrying a malicious attachment, a link to a credential-harvesting page, or a request for sensitive information. Whatever the attacker obtains is then used for financial gain, to damage the company's reputation, or to exploit employees further.
Spear-phishing differs from regular phishing in how targeted and well researched the email is. Rather than a generic phishing email that hopes to catch anyone's attention with a broad topic, a spear-phish purports to come from a trusted source (for example a CEO, business partner, or client) and is often addressed to one particular individual.
Beyond this, the attacker will usually research the target, your company for example, and tailor the email to what they learn. This is what makes the attack so effective: the more legitimate the email appears, the less likely employees are to think twice before opening an attachment or clicking a link as part of their day-to-day work.
Why is spear-phishing so effective?
To send a spear-phish, the attacker first needs the email address of someone in the company, and obtaining one is usually simple. Many companies use a predictable address format (firstname.lastname@company.com, for instance), and employees' addresses are often already exposed, either indirectly, through a breach at a third-party service they signed up to with their work address, or directly, because the address is published online or has been given away through social engineering.
Once the address is known, it is as simple for the attacker as registering a similar-looking domain and sending from it, using tricks such as writing 'rn' in place of 'm' (so example.com becomes exarnple.com) in the hope that users will not inspect the sender address closely. In other cases the attacker has compromised a real mailbox and sends from the genuine account, which adds credibility and leaves recipients particularly vulnerable, because checking the sender address no longer helps.
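The lookalike-domain trick above can be checked mechanically rather than by eye. The following is an added example (not code from the original article or from any product it describes) that normalises a sender domain so that confusable spellings collapse together, then compares it against a list of trusted domains. The trusted domains, the confusables table and the similarity threshold are assumptions chosen for illustration; a production filter would use a fuller confusables table and the organisation's own domain list.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Optional

# Substitutions that make a forged domain read like the real one at a glance.
# Multi-character rules come first so "rn" collapses to "m" before the
# single-character rules run. This list is an assumption for the example,
# not an exhaustive confusables table.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form in which confusable spellings match."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    d = d.encode("ascii", "ignore").decode("ascii")            # drop anything else
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def sender_domain(header_value: str) -> Optional[str]:
    """Extract the domain from a From: header such as 'Jane <jane@example.com>'."""
    _display_name, address = parseaddr(header_value)
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        # Real headers carry internationalised domains as punycode (xn--...);
        # decode so the homoglyph check sees the characters the user sees.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; use as-is
    return domain


def classify_sender(header_value: str, trusted_domains, threshold: float = 0.85):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    domain = sender_domain(header_value)
    if domain is None:
        return ("unparseable", None)
    trusted = [t.lower() for t in trusted_domains]

    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)          # the real domain or a subdomain of it
    for t in trusted:
        if t in domain:
            return ("lookalike", t)        # real name embedded in attacker's domain
    sk = skeleton(domain)
    for t in trusted:
        if sk == skeleton(t):
            return ("lookalike", t)        # rn/m, 1/l, accented letters, ...
    best = max(trusted, key=lambda t: SequenceMatcher(None, sk, skeleton(t)).ratio())
    if SequenceMatcher(None, sk, skeleton(best)).ratio() >= threshold:
        return ("near-miss", best)         # typosquat: a letter added or changed
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers; the domains are placeholders, not real senders.
    trusted = ["acme.com", "globex.com"]
    for hdr in ["Jane Smith <jane.smith@acme.com>", "jane.smith@acrne.com",
                "it@g1obex.com", "ceo@acme.com.password-reset.net",
                "jane@acmé.com", "jane@acmee.com", "bob@example.org"]:
        print(f"{hdr:40} -> {classify_sender(hdr, trusted)}")
```

Note that this check says nothing about the case where the attacker sends from a genuinely compromised mailbox: the domain is then exactly the trusted one, which is why the training points later in this article still matter.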
There are many reasons why spear-phishing attacks are so effective; here are the five that matter most:
1. Hard to spot
Unlike a regular phishing email, a spear-phish is harder to detect, because it appears to come from a legitimate source and is tailored to the recipient. In a busy office environment it is easily overlooked.
2. Difficult to block
Many companies rely on email filtering to block phishing. Filters are not always effective, and a spear-phish is especially hard to catch: it is sent in low volume, from a sender that looks legitimate, and often carries no malware at all, just a request, so it slips through. Worse, the false sense of security the filter provides means users are more likely to let their guard down.
3. Pressure From Authority
An email purporting to be from the CEO or CTO puts employees under pressure. They don't want to keep a senior person waiting, so they are more likely to comply with the request quickly, without stopping to consider the risk.
4. Users Are Relatively Unaware
A surprising number of users are unaware of spear-phishing unless they have been trained to recognise it. If they do not realise there is a threat, they cannot act appropriately.
5. The Offer Of A Reward
An email lands in an end user's inbox offering an extra day's holiday! The catch: the CEO wants you to sign up to a new platform first. This classic "bait, hook, catch" pattern is an effective way of getting users to hand over information in a spear-phish.
Who Is The Target Of Spear Phishing?
There is a common misconception that the target of a spear-phishing attack will be the most 'valuable' person in the company, the CEO or Finance Director. In fact anyone can be the target; the victim may simply be the first address the attacker managed to obtain.
How Can I Prevent Spear Phishing?
This is why everyone in the organisation needs to be aware of the threat and know what precautions to take. But if these attacks are so targeted and successful, what can be done to prevent them? The answer: training.
What is Spear-Phishing Training?
Spear-phishing training involves a range of activities designed to make your end users aware of, alert to and responsive to the constant threat of a spear-phish.
Typically, this begins by assessing how vulnerable your organisation is to a phishing attack. But how can you measure that without exposing the business to real risk? That's where simulated phishing comes in.
A simulated phish imitates a real phishing attack against your own users. You set it up as if you were trying to get them to click a link or enter their credentials, but instead of delivering a malicious file or stealing the data, the landing page records which users clicked and which submitted information, showing the organisation's exposure. The simulation should record only that a submission happened, not the credentials the user typed.
This gives you the baseline metrics on which to base your training and makes progress measurable: repeat the simulation after training and compare the click and submission rates. From there you can decide on the best course of action for educating your employees and bringing that risk score down.
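The mechanics of a simulation like the one just described, as an added example that is not part of the original article and does not describe any particular training product: each recipient gets an opaque per-recipient token for the link in their email, the landing page maps a presented token back to a recipient and records what they did, and the report is computed from those events. The recipients, campaign key and outcomes are constructed for the example. The point the code makes that the prose does not is what the submission handler keeps: the names of the fields the user filled in, never their values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample campaign: recipients and key are made up for this example.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
CAMPAIGN_KEY = b"constructed-campaign-key-do-not-reuse"


def tracking_token(campaign_key: bytes, recipient: str) -> str:
    """Opaque per-recipient token to embed in the simulated email's link.

    An HMAC means a recipient cannot forge or enumerate other people's tokens
    the way they could with a sequential id, and no lookup table needs storing."""
    return hmac.new(campaign_key, recipient.lower().encode(), hashlib.sha256).hexdigest()[:16]


def resolve_token(campaign_key: bytes, token: str, recipients) -> Optional[str]:
    """Map a token presented to the landing page back to the recipient it was sent to."""
    for recipient in recipients:
        if hmac.compare_digest(tracking_token(campaign_key, recipient), token):
            return recipient
    return None


def record_event(campaign_key: bytes, token: str, kind: str, form: Optional[dict] = None,
                 recipients=RECIPIENTS) -> Optional[dict]:
    """Record a 'clicked', 'submitted' or 'reported' event for the token's owner.

    For a submission only the *names* of the filled-in fields are kept; the
    values (usually the user's real password) are discarded on purpose."""
    recipient = resolve_token(campaign_key, token, recipients)
    if recipient is None:
        return None  # unknown token: someone poking at the page, not a recipient
    event = {"recipient": recipient, "event": kind}
    if kind == "submitted":
        event["fields_submitted"] = sorted((form or {}).keys())
    return event


def campaign_report(events, recipients) -> dict:
    """Campaign rates. A submission implies a click, so submitters count as clickers."""
    who = {k: {e["recipient"] for e in events if e["event"] == k}
           for k in ("clicked", "submitted", "reported")}
    who["clicked"] |= who["submitted"]
    n = len(recipients)
    return {
        "sent": n,
        "click_rate": len(who["clicked"]) / n,
        "submit_rate": len(who["submitted"]) / n,
        "report_rate": len(who["reported"]) / n,
    }


def sample_events(campaign_key: bytes = CAMPAIGN_KEY):
    """Constructed outcome: alice clicked, bob submitted, carol reported, dave ignored it."""
    def tok(recipient):
        return tracking_token(campaign_key, recipient)
    return [
        record_event(campaign_key, tok("alice@example.com"), "clicked"),
        record_event(campaign_key, tok("bob@example.com"), "submitted",
                     {"username": "bob", "password": "hunter2"}),
        record_event(campaign_key, tok("carol@example.com"), "reported"),
    ]


if __name__ == "__main__":
    print(campaign_report(sample_events(), RECIPIENTS))
    # {'sent': 4, 'click_rate': 0.5, 'submit_rate': 0.25, 'report_rate': 0.25}
```

The report rate is worth tracking alongside the click rate: a user who clicks and then reports the email has still given the security team a chance to respond, which is the behaviour the training is trying to produce.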
Guide to Implementing Training For Your Users
Effective training is the key to reducing your exposure to spear-phishing. Because these attacks often get past the software designed to block malicious email, employees are the last line of defence.
That means everyone in the organisation, from the top down, needs to practise safe habits when using company email so as not to give away unnecessary information.
The Topics A Spear Phish Training Course Should Cover:
1. Not Giving Away Unrequested/Sensitive Information:
A spear-phisher will often pose as an IT manager or the CEO and ask you to visit a page to update your company details or password. Because this does genuinely happen in organisations, the request seems plausible; end users must be taught not to act on it unless they are certain it came from the real source. Verify through a channel the email did not provide: call the person on a number you already have, or open the IT portal by typing its address yourself rather than following the link. The best advice: if in doubt, double-check.
2. How and How Not To Use Your Company Email:
As mentioned earlier, many employees' email addresses and passwords may already be circulating on the dark web, making them the next potential phishing victims. Many large companies suffer data breaches, Facebook and Twitter included. Employees must be taught to use their company email only for specific, company-approved applications; that way, if one of those services is breached, the organisation knows which accounts are affected and can respond properly. It may be tempting to sign up for a free Netflix trial with your company email, but it isn't worth putting the organisation at risk.
3. What and What Not To Post On The Internet:
Successful spear-phishing combines an email address found online with readily available information about the end user. That is why social media and other public sites can put you at risk: an attacker may find your email address, then look through your Facebook profile for colleagues, job titles or anything about the company, and use those details to make the claims in the email look legitimate.
4. Verify Requests Which Don't Seem Right:
This is a simple step, but one every end user should be taught: if they don't recognise a request, or it asks for more than seems reasonable, they should be encouraged to speak up. Many people won't simply ask a colleague or the supposed sender to confirm, even though a quick check would often reveal whether an email is legitimate or a phish. A company culture of security awareness is key to fighting spear-phishing.
5. Have a Strong Password and 2-Factor Authentication:
The last step should be obvious: don't make it easy for the attacker to get into your account. Use strong passwords (the recommendation is three random, unrelated words) that are unique to each service, and turn on 2-factor authentication. This makes a stolen or guessed password far less useful to an attacker, although it does not stop a user from being talked into approving a request or handing over data, which is why the previous four points still matter.
Enrol your users on a course instantly to educate them, and help prevent future phishing attacks.