Currently, enterprises face a rise in spear-phishing attacks. In fact, spear-phishing indicates an escalation in phishing attacks marked by increased targeting and sophistication. Obviously, this constitutes a serious threat to your digital workflows and your bottom line.
The editors at Solutions Review line compiled the facts on the latest cybersecurity epidemic. Here’s what we found.
What is Spear-Phishing?
A phishing attack tries to disguise a cyberattack as a neutral or benevolent communication, usually an email. A phishing attack may ask the victim to:
- Input their security credentials in a linked webpage (usually to “confirm” it). This allows hackers to skim the information and use it to conduct a data breach.
- Click on a link. Often, clicking the link downloads malware onto that endpoint.
- Click on the message at all. In the most advanced cases, even opening the message downloads malware.
However, phishing attacks are often generic; they email victims on mass to try to fool as many individuals as possible. Thus, the overall payouts could end up rather low, especially with a low success rate.
Meanwhile, spear-phishing targets specific individuals and/or enterprises. To do so, the attack poses as a contact that the victim recognizes and trusts. This can include:
- A recognized institution, like the organization’s bank.
- A third-party, such as clients, partners, and vendors.
- Other employees of the business, including C-Suite Executives.
- Friends, family members, or other non-work connections.
Crucially, these messages look absolutely legitimate on a first pass. They may reference the right names, the right events, and even recent transactions. Further, spear-phishing attacks may direct you to a website that looks much like the legitimate one.
Here, the hackers behind the spear-phishing attacks look to increase their overall success by making the attack more targeted. The more genuine the message, the more likely the victim may hand over sensitive information. Therefore, the time investment in researching personal information may prove well worth it.
How Spear-Phishing Attacks Gather Info
Unfortunately, we live in an era of data proliferation. Hackers have their pick of sources to glean vital information about your employees or executives.
First, they can scan social media accounts. Just from that, hackers can scrape email addresses, friend names, locations, and possibly information on new purchases or places of employment. For attacks on businesses, they may use company newsletters or information from the company webpages (including press releases).
Additionally, hackers can use information from previous data breaches to learn where your business does business or banking.
How to Stop The Spears
The information contained in spear-phishing can fool even dedicated cybersecurity professionals. Here’s what you can do to avoid these attacks:
- Be wary of emails or communications that make urgent demands to click a link or input credentials. Hackers use urgency to trigger emotional responses and circumvent common sense.
- Remember, businesses never send emails asking for your username or password. If any business asks you or your employees for this information, disregard it immediately.
- Do not click email links. Ever. Even if you trust the institution or supposed emailer, do not click the links they specify. Instead, independently go to the legitimate website. Also, if the email asks you to call them, call using the number you can verify independently.
- You can check links’ legitimacy by hovering over the link with your mouse. However, hackers can spoof this information, so don’t trust it completely.
- Use multifactor authentication. That way, if hackers do get passwords, they can’t actually get through the security protocols.
- Establish a single point of contact for cybersecurity questions or concerns.
Also, you can select a SIEM solution for your business. In fact, our SIEM Buyer’s Guide has more information on the key providers and capabilities.
Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.