Anyone with an email account has been subject to spam. It happens so quickly, one day you get that first piece of unsolicited email and then the next you’re being flooded with ads, flash sale offers, and foreign bank transaction requests in your inbox.
While spam emails can be annoying, they’re mostly harmless and you can see them from a mile away and respond accordingly. Spear phishing emails are dangerous, and they’re harder to detect.
What is Spear Phishing?
In general, phishing is the practice of sending fraudulent emails from what appears to be a trusted sender, like a family member, a bank, or a business you frequent. Phishing and spear phishing attacks both follow this practice, but the similarities end with the strategy each uses to get your information.
Regular phishing attacks hope to catch whoever falls for their scam. Spear phishing emails, on the other hand, target users that have specific access to the information hackers want. These users could be accounting employees, IT professionals, or executives.
Spear phishing emails are tailored to look, sound, and feel legitimate. The messages generally contain a grab for confidential information, such as a link to follow to change your password, an attachment to download, or a request for sensitive employee data. Regardless of what form it takes, if you follow the email’s instructions, your computer and organization are immediately compromised.
Spear Phishing Affects Everyone
The number of spear phishing attacks on organizations continues to climb year over year. Cybersecurity growth has spiked to anticipate these security concerns, but that doesn’t mean companies who follow best practices are completely protected from a potential attack. Employees can easily fall victim to these scams without ever realizing something is wrong, and the repercussions of a single instance of infiltration can be crippling.
Spear phishing attacks affect a multitude of industries, with particularly high rates in logistics, retail, public administration, finance, and services. The cost of a successful attack to a company? No small amount: on average, $1.6 million.
How to Protect Yourself Against Spear Phishing
If you’re concerned about the danger of spear phishing attacks or are looking for ways to make your environment more secure, we suggest you implement these seven steps in your company. They may help stop a potential attack before it can begin.
- Keep your systems up to date with the latest security practices
Check your operating system frequently for the latest security patch releases. If you use Windows, Microsoft is always updating and promoting its security patches, especially when it foresees a new security concern and wants to fortify its users. Like Microsoft, Apple, Linux, AIX, and VIOS operating systems also have security patches, and new ones are released as vendors respond to and anticipate new attacks. Keeping your systems (both customer-facing and internal) up to date can make a huge difference, along with installing new security patches whenever possible to avoid gaps in protection.
- Encrypt any sensitive company information you have
File encryption is a great way to protect sensitive company data from prying eyes. No matter what kind of data you need to send, with the right tool it can be made difficult for outside parties to decrypt, even if they get their hands on it.
What should you encrypt? Here are a few examples that limit the amount of damage a spear phishing attack could do to your organization:
- Hard drives
- Cloud storage
- Passwords and security questions
- Internet activity (using a VPN or masked IP address)
- External storage (USB drives, external hard drives)
- Files (business contracts, audit reports, tax documents)
A managed file transfer solution can encrypt your files at rest and in transit using modern, secure encryption methods. Ideal MFT software will help to ensure that you stay up to date as encryption standards change over time, while making your data transfers simple to manage and audit.
- Use DMARC technology
Spoofed emails from suspicious email addresses are not safe to answer. Far too often, hackers can spoof the FROM field with an actual email address, such as JoeSmithCEO@company.com, and send a message with that address to company employees.
Because these emails look real, they often result in successful phishing attacks. DMARC (Domain-based Message Authentication, Reporting & Conformance) technology uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to check incoming emails against the policy record the sender’s domain publishes in DNS. If the email doesn’t match that record, DMARC rejects it and submits a report to a specified security admin.
Patrick Peterson is a visionary leader at Agari, a company that prevents cyber attacks and secures email for Fortune 1000 companies. He addressed the growing need for DMARC in a recent data security panel: “A very important aspect in email security is making sure your email provider uses technology like DMARC. It’s the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, Microsoft and AOL all use it to stop phishing.”
Despite the benefits of using email authentication technologies, DMARC and other protocols like it are not without error. In May 2017, Google fell victim to a spear phishing attack when hackers successfully sent emails containing fraudulent Google Doc links to Gmail users. Although the attack was stopped within the hour, over a million accounts were unfortunately compromised.
While we still recommend implementing DMARC into your email, consider it one of the many tools you should utilize to secure your data, users, and company.
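To make the DMARC check described above concrete, here is an added example (not code from the original post or from any vendor named here) of the decision a receiving mail server makes: it parses the sending domain's DMARC policy record, asks whether SPF or DKIM passed *and* whether the authenticated domain aligns with the visible From domain, and otherwise applies the published policy. The record text, the domains (`company.example`, `attacker-mail.example`) and the authentication results are all constructed sample data; the organizational-domain helper is a deliberate simplification (real receivers use the Public Suffix List).

```python
"""DMARC disposition logic: how SPF/DKIM results and a published policy combine.
Added illustration; all records, domains and results below are constructed samples."""
from dataclasses import dataclass

# Constructed DMARC record, as it would be published in the TXT record at
# _dmarc.company.example (hypothetical domain). adkim=s demands an exact DKIM
# domain match; aspf=r accepts SPF from any host under the same organizational domain.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@company.example"
)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": None}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags["p"] is None:
        raise ValueError("not a valid DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example only; production code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header the employee actually sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature, if any


def dmarc_disposition(record_txt: str, r: AuthResults) -> str:
    """Return 'pass' when SPF or DKIM passes AND aligns with the From domain;
    otherwise return the domain owner's policy action (none / quarantine / reject)."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


# Constructed sample messages. The spoof passes SPF for the attacker's own sending
# domain, but that domain does not align with the From: header it forges.
SPOOFED = AuthResults(from_domain="company.example", spf_result="pass",
                      spf_domain="attacker-mail.example", dkim_result="none", dkim_domain="")
LEGITIMATE = AuthResults(from_domain="company.example", spf_result="pass",
                         spf_domain="mail.company.example", dkim_result="pass",
                         dkim_domain="company.example")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(f"{name}: {dmarc_disposition(SAMPLE_DMARC_RECORD, msg)}")
```

The important detail for spear phishing is alignment: an attacker can easily arrange for SPF to pass on a domain they control, so a bare SPF pass proves nothing about the address shown to the employee. DMARC only counts a pass when the authenticated domain matches the From domain, which is why the spoofed message above lands on the `p=reject` branch. The `rua=` address is where the aggregate reports mentioned in the text are sent.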
- Implement multi-factor authentication wherever possible
Many businesses have implemented multi-factor authentication (MFA) into their security routine. Some, like Google, allow their customers to turn on MFA as a precautionary measure. Others require clients to enter a sequence of personal details to access their account.
Multi-factor authentication is a simple way to ensure anyone who accesses your private data is legitimate. It works by requiring at least two pieces of identification, such as a login and a randomly generated token. This makes it far harder for hackers to compromise your systems, even if they have half the information needed to get in.
Though not perfect, it gives an extra layer of security and protection against spear phishing attacks and other potential data breaches.
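As an added example of the "login plus randomly generated token" scheme described above (not code from the original post), the following Python implements the time-based one-time password used by authenticator apps (TOTP, RFC 6238, built on HOTP, RFC 4226) and a login check that insists on both factors. The shared secret is the published RFC 6238 test secret, the user record, salt and password are constructed for the example, and the one-step drift window is a design choice, not a requirement of the standard.

```python
"""TOTP second factor plus a two-factor login check.
Added illustration; the user record, salt and password below are constructed samples."""
import base64
import hashlib
import hmac
import struct

# Base32 form of the RFC 6238 reference test secret ("12345678901234567890"),
# i.e. what an authenticator app would receive when the user scans the enrolment QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time step."""
    return hotp(base64.b32decode(secret_b32.upper()), at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps to
    tolerate clock drift. hmac.compare_digest avoids leaking timing information."""
    secret = base64.b32decode(secret_b32.upper())
    counter = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret.
_SALT = b"constructed-example-salt"
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "jane": {"pw_hash": _hash_password("correct horse battery staple"),
             "totp_secret": SAMPLE_SECRET_B32},
}


def authenticate(username: str, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. A password harvested by a spear phishing email is
    not enough on its own, because the attacker lacks the current token."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password), user["pw_hash"])
    return pw_ok and verify_totp(user["totp_secret"], code, at_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(SAMPLE_SECRET_B32, now))
    print("login with stolen password only:",
          authenticate("jane", "correct horse battery staple", "000000", now))
```

The values asserted below are the 6-digit truncations of the RFC 6238 SHA-1 test vectors (T=59 gives 94287082 at 8 digits, hence 287082 at 6). Note that TOTP protects against a password captured once; it does not stop a real-time relay of the code, which is one reason the text calls MFA an extra layer rather than a complete defence.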
- Make cybersecurity a company focus
If cybersecurity is not a central focus in your organization, it should be. When security is first and foremost in your mind and the minds of your employees, better decisions can be made, and more precautions can be taken. This enables you to prevent spear phishing attacks before they become a concern.
Here are a few ideas to get you started:
- Document and send internal security procedures to your employees
- Create a cybersecurity policy and data breach response plan for your organization
- Schedule quarterly meetings with key players to review the latest spear phishing attacks in the industry
- Identify potential spear-phishing targets and brief them on the actions they should take if they receive a questionable email.
- Review employee roles and access regularly, including third party vendors, partners, and those in remote offices. Adjust as necessary.
- Educate your employees and regularly test their knowledge
A large number of cyber attacks are successful due to employee error. The most common method used in these cyber attacks to compromise data? No surprise – spear phishing.
Spear phishing emails are rarely transparent. One believable email from a spoofed address is all it takes to gain access to employee credentials and, from there, sensitive company information. But the good news is, human error is avoidable with some training and education.
Talk to your employees about the reality of phishing attacks. Set aside time at the next company meeting to educate them on what spear phishing attacks look like, what they do, and what steps to take if one is encountered. Documenting quick guides to internet security and making them available on your network can be helpful.
The more opportunities your employees have to learn about spear phishing and other scams, the better prepared they’ll be if they encounter something suspicious.
- Confirm suspicious email activity before interacting with it
If you receive an email from someone you trust, but you’re not 100% positive it came from them, take the time needed to confirm it indeed was from them. This could be as easy as sending the person a separate email first, stopping by their office, or calling and asking.
The small amount of time it takes to confirm and establish validity is worth the trouble, no matter the outcome. If the email is legitimate, then you can have peace of mind. Worst case scenario? It’s a spear phishing email, but you still can have peace of mind, and the person you spoke with can now warn the appropriate individual(s) in the organization of a potential phishing attack.
Spear phishing attacks happen every day. Even though they’re an important security concern, they don’t have to be a problem if you plan ahead, prepare your organization for attacks, educate your employees, and encrypt your data.
Looking for more tips to help you combat cyber threats? Watch GoAnywhere’s on-demand webinar, where top cybersecurity experts discuss how you can protect your company from data breaches and avoid security risks.