In the war against cybercriminals, we’ve learned to block messages from people we don’t know and avoid emails that have an excessive amount of capital letters, exclamation points and bad spelling. We’ve also generally recognized that we sadly haven’t come into a large fortune from a Nigerian prince if we just send him our financial information and a little bit of money.
But what if the email is from someone you know, with their email address, a normal-sounding subject line, and a reference to the new car you bought last month? They’re having money problems and need your help—if you just go to their Kickstarter website and donate, it would really help them out. Should you do it?
Nope. Not yet, anyway. That website your “friend” asked you to go to help him out may look legit, but it’s also a prime way to get malware installed on your computer without you even knowing. Suddenly, a stranger has access to your computer, your network and potentially your data, which spells big trouble.
What are spear phishing attacks?
Unfortunately, as we’ve adapted, so have the criminals. This type of attack is known as spear phishing, and it’s more and more common. It accounted for more than 90 percent of cyberattacks and resulting breaches in 2016, according to PhishMe’s 2016 Enterprise Phishing Susceptibility and Resiliency report.
Spear phishing differs from phishing in that it is a more targeted approach criminals take to get you to click on a link or open an attachment that installs malware or ransomware. Using information commonly found on the internet (a Google search, or your social media profiles), they can craft an email that is tailored to your interests, from a trusted source, and sounds convincing enough that you do what they want.
Cybercriminals tend to target more C-suite executives, but don’t think that just because you’re a lowly employee, you aren’t a target. Spear phishing campaigns are up 55 percent across the board. No matter who you are, you’re liable to fall victim to spear phishing. It’s wise to read every email carefully, think twice about posting potentially compromising information on social media, and be aware of what people are saying about you. The less information about you that’s out there, the less criminals have to leverage against you if they get into your system through other means.
Why does spear phishing work?
Spear phishing attacks are so successful in part because email filters are slow to catch on to the attempts. Hackers can make an email appear to be from a trusted source such as a friend, coworker, or government agency. The links the emails ask you to click on may have a legitimate sounding domain name, such as a crowd-funding or news site. The other reason they are so successful is because they are compelling enough for people to open and click on them. Organizations such as hospitals, government agencies, and even the Internet itself have been hit with successful spear phishing attacks.
How do you avoid spear phishing?
If you aren’t sure whether an email you received is real, the best way to verify it is by calling the sender to find out what’s going on. Remember, legitimate businesses or government agencies will never ask you for your password or financial information. Once you’ve verified that the email is real, feel free to do whatever you like with it. Until then, it’s best to keep it at bay and keep from clicking on any links.
Another tactic is to run simulated phishing campaigns within organization. Have your IT department send out a fake email (or emails) and see how many employees click on the link or download the attachment. Knowing who is more likely to click on a real phishing email and training them to read it differently can reduce the likelihood of an attacker entering your systems through phishing.
They say an ounce of prevention is worth a pound of cure, and that adage rings extremely true with spear phishing and cybersecurity. Once your data is lost, it’s lost for good, so keeping it from escaping in the first place goes a long way toward a solid security strategy.
Spear phishing, combined with other types of attacks such as ransomware, are becoming more and more prevalent. It’s important to be careful when opening emails, even if you know the sender. Be sure to verify with the person or company any emails that ask you for money or personal information. Vigilance and a healthy dose of skepticism go a long way toward preventing you and/or your employer from becoming victims of a spear phishing attack.