Your IT Department

Don’t Get Hooked by Spear Phishing Attacks

Phishing attacks have been around for a long time.  Designed to steal your credentials or trick you into installing malicious software, they have persisted because they have been so devastatingly simple and effective.  Today, a more modern and more effective version of the same attack is commonly used.

A typical phishing attack involves an attacker sending out a malicious email to hundreds of thousands, if not millions of users.  The attacker’s email is designed to look like it comes from a bank, financial service, or even the tax office. The aim is often to trick an employee into logging in to a fake online service. The fake service captures the login details you enter. The attacker can then use them to enter the genuine service later.

By sending out tens of thousands of emails at a time, attackers can guarantee that even if only one half of one percent of people fall for it, there is a lot of profit to be made by draining accounts.  These types of attacks still persist, but people are generally wise to them. There are some telltale signs to look out for with a generic phishing attack.

Spear phishing is a more modern, more sophisticated, and far more dangerous form of the attack. These attacks are much less generic. They target selected businesses, and often specific individuals within that business.

A Convincing, Dangerous Attack

While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is targeted and precise.  The attack is aimed towards convincing a single business, department, or individual that a fraudulent email or website is genuine.

An example of a spear phishing attack: the email uses an alias (display name) to hide the real sender address behind a fake one that looks familiar to the user.

The attacker focuses on building a relationship and establishing trust with the target.  By building trust and convincing the target that they are who they are pretending to be, the user is more likely to open attachments, follow links, or provide sensitive details.

Attackers will spend time looking at social media accounts to build up knowledge of the individual. Senior executives and those with access to bank accounts should adhere to strict guidelines that lock down their social media accounts so that people they don't know cannot see their details. It is worth providing all staff with guidance on what should and shouldn't be shared via social media accounts.

Consider how many times you have followed a link or opened an attachment just because it has come from a contact you have trusted before.

A Trusted E-mail

The malicious email can appear to come from a vendor you deal with regularly. It may even look like an invoice you are expecting to receive. Often attackers can simply substitute the vendor's banking details for their own, hoping the target will not notice the difference.

Such an attack is very difficult to detect.  It takes a keen eye, strong working knowledge, and constant awareness to keep your company protected.  Even a single small mistake by an unaware member of staff can compromise your business accounts.

Defending Your Business Against Spear Phishing

Whenever you deal with a vendor in a business transaction, you should always consider some important questions before proceeding. Are you expecting this email? Is the vendor attempting to rush you into a quick decision or transaction? Have you checked that all the details are correct and as you expected? Sometimes a simple query to the vendor, through a channel you already know, can protect you against worst-case scenarios.

The key to stopping a spear phishing attack is education.  Learning attack techniques, and how to protect against them, is the single biggest thing you can do to enhance business security. Your people are your first and last line of defence, and often your biggest weakness.

How We Can Help

Trained and aware employees are critical to securing an organisation. An effective, ongoing internal security awareness program can help reduce your company’s vulnerability. This can turn the “weakest link” in your cyber defences into its greatest strength.

Security awareness training and phishing simulations go hand in hand. Spear phishing has become very sophisticated as criminals have found ways to make their emails as realistic as possible. Phishing simulations test employees on how they would respond to a real-life phishing attack.

We can send these mock attacks at staggered times, avoiding the “prairie dog effect” where employees warn one another of the email. This gives the best measurement of all employees’ awareness. We’ll track who’s clicked on a phishing email, who has given away their password and who has ignored the email.

We’ll deliver interactive educational videos to the most susceptible users. These easy-to-understand, short and visually engaging training videos include an online quiz to verify the employee’s retention of the training content.

To speak to us about security awareness training and simulated phishing attacks contact our experts today! Call us on 0115 8220200

Bonus! FREE eBook & FREE Cyber Security Assessment

We offer a FREE cyber security assessment. Find out if your business needs one with our eBook ‘Does Your Business Need A Cyber Security Assessment’.