Traditionally, phishing attacks have targeted consumers with random spam in the hope that some small proportion of the targets are naive enough to install malicious software or hand over login details.
But in recent months, spear phishing, which targets specific individuals and organizations, has become increasingly common. Spear phishing is of particular concern because the majority of companies don’t have training programs to make executives and IT staff aware of the dangers or the signs they’re being targeted.
In a typical spear phishing attack, criminals research the target company using publicly available information, often social media and the company’s website. The aim is to discover someone in the company to target and sufficient background knowledge to convince them of the authenticity of any communication.
As an example, an attacker may send an email to a low-level employee that represents itself as being from a senior executive. The email may request that money is transferred from one account to another or that login details are forwarded to the sender.
Spear phishing is surprisingly effective because when employees receive instructions from a superior, they’re more likely to comply than to challenge the request on security grounds.
Spear phishing attacks are motivated by potential gain, but the specific goal can range from an immediate theft of money, to the gathering of information for further attacks, to the opening stage of an advanced persistent threat against an organization.
Frequently attackers target a low-level employee and then island hop deeper into the network from the initial point of access. It’s believed that 2014’s attack against Sony probably started with spear phishing emails masquerading as communications from Apple.
To prevent spear phishing attacks, at the very least employees should be made aware that any request for sensitive data, no matter from whom it apparently originates, should be treated with extreme suspicion.
Training should not be limited to non-technical employees under the assumption that system administrators and developers know better. Many spear phishing attacks target system administrators because it is common for executives to request information like VPN credentials from the IT department.
Staff should be made aware that refusing to give out sensitive information will not hurt their career. In fact, such refusal, even when from an authentic source, should be praised.
It’s not enough to verify that the email address of a request for information is genuine. Sophisticated spear phishing attacks often attempt to take over the email accounts of executives by hacking, social engineering, and identity theft. Emphasis should be put on verifying authenticity via a channel that’s less prone to being compromised than email or instant chat, such as a phone call to a number already on file.
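The point above, that a genuine-looking sender address proves little, can be turned into a triage check that tells a helpdesk or finance team which requests must be verified over another channel before anyone acts on them. The following is an added example written for this article, not code from the original page; the company domain, the executive directory, both sample messages and the `analyse_message` function are all constructed for illustration. It inspects the things a mail gateway already records (display name versus directory address, lookalike sender domains, a divergent Reply-To, the receiving server's SPF/DKIM verdicts) and whether the request is for sensitive material.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for this example; not taken from any real incident.
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail.example
To: helpdesk@example-corp.com
Subject: Urgent: VPN credentials for the new contractor
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Date: Mon, 01 Jan 2024 09:00:00 +0000

Please send me the VPN login for the contractor account today, I am travelling.
"""

BENIGN_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: helpdesk@example-corp.com
Subject: Office printer
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Date: Mon, 01 Jan 2024 09:05:00 +0000

The second-floor printer is out of toner again.
"""

# Hypothetical company domain and executive directory (canonical display name -> real address).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}
SENSITIVE_TERMS = ("vpn", "credential", "password", "login", "wire", "transfer", "invoice")

# Characters commonly swapped in lookalike domains; used only to normalise domains for comparison.
LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def _normalise_domain(domain: str) -> str:
    return domain.lower().translate(LOOKALIKE_MAP).replace("-", "").replace(".", "")


def _canonical_name(display_name: str) -> str:
    # Drop parenthetical titles such as "(CEO)" and collapse whitespace.
    return re.sub(r"\s+", " ", re.sub(r"\(.*?\)", "", display_name)).strip().lower()


def analyse_message(raw: str) -> dict:
    """Return triage findings for one message; any finding means: verify out of band."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. An executive's display name paired with an address that is not the one on file.
    directory_addr = EXECUTIVE_DIRECTORY.get(_canonical_name(display_name))
    if directory_addr and from_addr.lower() != directory_addr:
        findings.append(f"executive display name '{display_name}' with non-directory address {from_addr}")

    # 2. Sender domain is external, or is a lookalike of the company domain.
    if from_addr and from_domain != COMPANY_DOMAIN:
        if _normalise_domain(from_domain) == _normalise_domain(COMPANY_DOMAIN):
            findings.append(f"lookalike sender domain {from_domain}")
        else:
            findings.append(f"external sender domain {from_domain}")

    # 3. Replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. The receiving mail server's own SPF/DKIM verdicts, as recorded in Authentication-Results.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if auth and ("spf=fail" in auth or "dkim=fail" in auth or "dkim=none" in auth):
        findings.append("sender authentication failed or absent (see Authentication-Results)")

    # 5. The request itself asks for something sensitive.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = sorted(term for term in SENSITIVE_TERMS if term in text)
    if hits:
        findings.append(f"requests sensitive material: {', '.join(hits)}")

    return {"from": from_addr, "findings": findings, "verify_out_of_band": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        result = analyse_message(raw)
        print(label, "->", result["findings"] or "no findings")
```

The check is deliberately a triage aid, not a verdict: a message from a genuinely compromised executive mailbox passes every header test, which is exactly why the outcome of a hit is "confirm by phone or in person", never "block" or "allow" on its own.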
Company policy should clearly state that security is preferable to convenience, and that anyone giving out sensitive information to an unverified third party will be in breach of security policies.
Spear phishing is especially pernicious because it’s often effective against companies that are otherwise well-protected. An intelligent criminal can entirely negate the benefits of a secure cloud platform if they can get the information they need by simply asking for it.