Blog Post
What is spear-phishing and how to avoid it
Spear-phishing is a targeted attempt to steal sensitive information such as financial data from a specific individual. The attacker uses personal information of friends, family members, work colleagues or associates to impersonate a trustworthy individual that is well known to the victim. Once the attacker has successfully impersonated the trusted individual, they then attempt to acquire sensitive data through emailing or online messaging.
Many phishing attacks are carried out with little to no background research on the victim, however, spear-phishing relies upon research conducted preemptively before the attack is carried out. The spear-phisher must research their target before they attempt to steal from them. They use the credibility of the information they have gathered to fool their victims’ but can occasionally use brazen tactics such as utilizing an email address similar to the victims' familiars in order to attain sensitive data.
An example of this would be if a CEO of an organisation had a trusted assistant with the email John.Smith@company.com. The spear-phisher might generate a similar email that appears the same at a glance such as JohnSmith@company.com, the full stop has been omitted but the address looks the same without close inspection. The attacker then emails the CEO under the guise of his trusted assistant requesting payment card data. The CEO might briefly glance at this email, see a recognisable name and reply. He may then send valuable payment card information directly to the attacker without realising. This would constitute a successful spear-phishing attack.
With this potential threat constantly looming you need to know how to avoid spear-phishing attacks. The following are steps that you can take to avoid falling victim to a spear-phishing attack.
1. Be vigilant.
Carefully inspect email addresses and links that are sent to you. They may look innocuous but that doesn't mean they are safe. Spear-phishers rely on you not paying close attention to succeed, so you need to be meticulous.
2. Update software regularly.
Become vigilant with your software updates. Software providers will regularly update their product to fix bugs and patch any holes in the software that could potentially open your business up to malicious malware or threats.
So in order to have the best defence against attackers, make sure your software is up to date.
3. Question requests.
If you are asked to provide information that you deem to be sensitive or important, question the reason behind the petition. For example, if an employee emails asking to use the company credit card, reply asking why it is necessary. Questioning may cause the spear-phisher to falter and cease their attempts to attain the data.
4. Never send confidential information.
This sounds like common sense, but if the spear-phisher has successfully impersonated a close friend of yours, you may be inclined to send sensitive data. The best way to keep safe in a scenario like this is simply to not send the information in the first place. If you are ever unsure, it is a good idea to consult your organisations’ IT professionals to securely send data and ensure it is going to the right person.
5. Implement a company-wide data security policy.
Educate employees throughout the organisation to make them aware of the threat of spear-phishing and explain the best ways to avoid falling victim to an attack.
Spear-phishing has the potential to yield huge profits for cybercriminals. This will result in the threat of the problem increasing due to its potentially lucrative nature. But with the right tools, training and an appropriate prevention strategy, you can keep your own data and your companies' data safe.