Spear phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by posing as a trustworthy entity in electronic communication. The word "phishing" is a neologism created as a homophone of "fishing" because both rely on bait to catch a victim. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.
Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate site, the only difference being the URL. Communications purporting to be from social websites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that distribute malware.
Phishing is an example of the social engineering techniques used to deceive users, and it exploits weaknesses in current web security. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Cyber Defense Magazine states that in April 2018, IT Governance reported that 75% of organizations have experienced “at least one” phishing attack. While most businesses are used to dealing with spam—it often seems like getting spam is a rite of passage for anyone with an inbox—the types employees are used to range from random ads and “last chance” sales to cold emails from strangers and foreign bank transfer requests.
The magazine lists several steps to protect an organization from spear phishing; the points are as follows:
- Install the latest security patches for your OS
Check your operating system frequently for new security patches. While OS patches aren’t always explicitly created for phishing threats, they help you close vulnerabilities in your organization that a successful phishing attack could otherwise use to reach critical company data.
For Windows users: Microsoft releases updates to their OS often, especially if they’ve identified a potential security concern and want to protect their users against it. Versions like Windows XP are also updated on occasion if there’s enough risk to warrant it—good news for those who still use unsupported versions.
For macOS, Linux, AIX, and VIOS users: These operating systems also receive frequent patches to close potential gaps in security. Updates are released as vendors anticipate new cyber attacks, so make sure your customer-facing and internal systems are always current with the latest security patches for your particular OS.
- Encrypt sensitive company information
Use strong file encryption practices in your organization to better safeguard company data from prying eyes. Along with a reliable secure file transfer solution, encryption protects the files you send to your databases, cloud environments, trading partners, and customers, making it difficult for attackers to read any information they get their hands on.
Here are a few examples of things you should encrypt. Successful encryption will limit the scope of damage a phishing attack could have across your business.
  - Passwords and security questions
  - Internet activity (by using a VPN or masked IP address)
  - External storage like USB drives or hard drives
  - Files like business contracts, audit reports, and tax documents
A managed file transfer solution can guard your data in transit and at rest using modern encryption technologies. Good MFT software helps ensure that you stay up-to-date with the latest encryption standards while making your file transfers simple to track, manage, and audit.
- Protect your accounts with multi-factor authentication
Organizations around the globe have implemented multi-factor authentication (MFA) as part of their cybersecurity framework. Some companies let customers choose whether to enable MFA on their accounts. Others, especially those in industries that process personal data, require clients to enter their password, their PIN, and a mobile code to view or manage their information.
If you haven’t already: Consider establishing multi-factor authentication across your accounts for an extra layer of protection.
Multi-factor authentication helps to ensure that anyone who accesses your private data has been approved and verified by your servers. It works by requiring at least two pieces of identification (say a username/password combo and a randomly generated token), which makes it much harder for attackers to compromise your systems—even if they already have half the details needed to get in.
If we lived in a perfect world, passwords and security questions would be impenetrable. But in reality, employees often reuse a small set of passwords across multiple websites and overshare personal data on social media, compromising the integrity of their logins and security questions.
Our suggestion? Implement MFA at work and home. It will give you an extra layer of security against spear phishing and other types of attacks, no matter where you are or where you go.
- When you see suspicious email activity, ask first
If you receive a suspicious email from someone you trust, check that it came from the sender before you interact with it. Stop by their office, give them a call, or send them a separate email and ask if it was indeed a request from them.
It takes two minutes to establish whether an email should be trusted. While it might interrupt a project-packed schedule, the detour to their office is worth it. Hopefully, the email is legitimate, and you can respond with ease. But if it’s not, if the email is a carefully concealed phishing email, your IT team can now warn others in the organization of a potential cyber attack.
Remember, always alert IT of suspicious email activity. If you received something off-putting or strange, chances are other employees have too.
Spear phishing attacks happen every day. They’re a cybersecurity concern organizations should be aware of and take measures against. But they don’t have to be a problem if you take the time to update your operating systems, encrypt your file transfers, secure your accounts, and report strange emails to your IT department.
The points above were originally posted in Cyber Defense Magazine.