In a digital age where cyber crime is a real threat, it's important to be armed with the latest information on how to protect your business online. This month, two of our cyber, privacy and resilience experts are here to shed some light on 'spear-phishing', which can affect both small and large organisations; basically, anyone with information or dollars to lose is a target.
What makes it particularly threatening to SME businesses is that a successful spear-phishing attack could bring your business to its knees through the loss of critical information, customer confidence and intellectual property. Here's what you need to know.
Who is the target?
The most common target is an organisation's employees. Spear-phishing content is usually customised to the recipient in order to increase the chances of a successful attack and exploitation. More elaborate attacks focus on employees who are in senior roles or who hold super-user privileges in key systems.
How does spear phishing work?
Firstly, to convince a victim that the emails they are receiving are legitimate, the attacker will ideally understand the target's privileges and their ability to carry out a transaction in the attacker's favour. The attacker may obtain this information by hacking into an organisation's network, or through easier means such as searching websites and social networking sites, for example LinkedIn and Facebook. Any apparent preferences and interests of the victim are extremely useful to the attacker.
The attacker then sends the target emails which appear to be legitimate. The content of these emails may offer rewards or request urgent sensitive information, such as passwords, access codes and user IDs.
Some common forms of spear phishing are:
- Emails containing links to malicious websites controlled by the attackers, which record user activity (for example by asking the victim to log in);
- Emails requesting authentication information, such as user names and passwords, supposedly needed to fix a fabricated issue;
- Emails with harmful attachments which can compromise a user's system by infecting it with viruses and other malicious code.
Once the attackers have your sensitive information, they would use this to access your systems, communicate with people who trust you, initiate banking transactions or even create new identities using your information.
How can I defend myself against spear phishing attacks?
Awareness – educating staff on the threat of spear phishing and what to look out for gives them the knowledge to detect potential spear-phishing attacks. Awareness of these threats can significantly reduce the risk of a staff member becoming a victim of this attack. Staff should also exercise good email practices, including:
- Never revealing sensitive information (e.g. personal, health or financial information) in response to an email, regardless of who it appears to be from
- Never clicking on links in emails that ask for personal or financial information
- Reporting suspect emails which may be spear-phishing attempts against the organisation
Email Filtering – configuring email systems with rules that block spam is a form of defence which can also stop spear-phishing attacks. Filtering can also verify that mail claiming to come from a known source genuinely originates from that source.
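The sender-origin check described above, as an added example that is not part of the original article: a small Python triage routine that reads the mail gateway's Authentication-Results header (SPF, DKIM and DMARC verdicts) and flags the tell-tale signs of a spear-phishing message. It goes slightly beyond the paragraph by also checking for display-name impersonation and a redirected Reply-To, the "appears to be legitimate" tricks the article describes. The trusted domain, the staff name and the sample message are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumed, constructed: the organisation's own mail domain and senior staff names.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_STAFF = {"jane smith"}
# Constructed sample: executive's display name on a look-alike domain (examp1e),
# a Reply-To elsewhere, and failed sender authentication from our own gateway.
PHISH_MSG = """\
From: "Jane Smith (CEO)" <jane.smith@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer before 5pm
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail

Please process the attached invoice today and confirm your login details.
"""
BAD_VERDICTS = {"fail", "softfail", "none", "permerror", "temperror"}

def parse_auth_results(header):
    """Map method -> verdict from an Authentication-Results header (RFC 8601)."""
    results = {}
    for clause in header.split(";")[1:]:        # clause 0 is the authserv-id
        token = clause.strip().split(" ")[0]    # e.g. "spf=fail"
        if "=" in token:
            method, verdict = token.split("=", 1)
            results[method.lower()] = verdict.lower()
    return results

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def assess_message(raw):
    """Return the reasons a message should be held for review (empty = clean)."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # Mail claiming one of our own domains must carry a DMARC pass.
    if from_domain in TRUSTED_DOMAINS and auth.get("dmarc") != "pass":
        reasons.append("trusted-domain-without-dmarc-pass")
    reasons += [f"{m}-{auth[m]}" for m in ("spf", "dkim") if auth.get(m) in BAD_VERDICTS]
    # A known staff name on an address outside our domains is impersonation.
    if display.lower().split(" (")[0].strip() in KNOWN_STAFF and from_domain not in TRUSTED_DOMAINS:
        reasons.append("display-name-impersonation")
    # Replies silently redirected to a domain other than the claimed sender's.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to-domain-mismatch")
    return reasons
```

Run `assess_message(PHISH_MSG)` to see every check fire on the sample; a genuine message from the trusted domain with passing SPF, DKIM and DMARC returns an empty list.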
Encryption – if only the sender and the recipient know the shared secret key, it is difficult for anyone else to impersonate either party.
Anti-Spam Defences – phishing messages often originate from compromised computers or botnets. Anti-spam software and devices can identify mail coming from a compromised mail server. Using more than one device or service to identify spam improves the chances of detecting spear phishing.
Patch and Update Security Software – most operating system and browser updates include security patches. An individual's name and email address may be all it takes for a hacker to exploit a security vulnerability in your system. Security software should always be kept up to date.
It's important to remember: be careful about how much personal information you post online. You never know who might use it against you!
Please do not hesitate to contact Faris Azimullah or Anu Nayar if you would like to discuss the contents of this article, or if you would like more information about how to protect yourself from becoming a victim of spear phishing.