Spear phishing: Even the name sounds violent and frightening. Which makes sense, because spear phishing is one of the biggest cyber security threats facing organizations today.
Spear phishing emails — in which attackers try to gain access to a computer through an email targeted at a specific victim — make up an estimated 91 percent of cyber attacks. This number is not surprising, given that spear phishing is more successful than any other form of attack.
Where a phishing email is a malicious email disguised to look like a message from a legitimate source (like a bank, a package shipping service, or your HR department), a spear phishing email, as the name implies, is more targeted and includes personalized information about the recipient. A spear phishing email could be disguised to look like a message from your actual bank, with specific content such as your full name, partial or full account numbers, and company logos. Each of these “trust tokens” make the email appear more legit — and this, in turn, drives open and click rates.
Consider, for instance, that our 2015 State of the Phish report showed that more than 10% of people click on malicious links in a phishing email. When the target’s last name is used, that number jumps to 18 percent. Why?
Most of us are inundated with information, so we’ve become conditioned to filter out “boilerplate fluff,” focusing only on messages that “matter.” Marketers know they are competing for your attention, so they do as much as they can to grab your attention. They also make efforts to convey legitimacy. Take, for example, a mortgage refinance offer that might show up in your mailbox. Should you open it, you’d be likely find your current lender’s name and even your outstanding balance.
Fraudsters and hackers operate the same way when crafting spear phishing messages. In essence, these emails are highly effective malicious marketing. The attacker wants to grab your attention, gain your trust, evoke an emotion, and present a call to action that achieves an objective — namely, access to sensitive (and valuable) data and systems like your social security number, your password, an organizational database, etc.
The Consequences of Being Phished
Employees who fall victim to spear phishing attacks put entire organizations at risk. The malicious links and attachments hidden in spear phishing emails allow criminals to plant malware in a user’s machine, and, from there, gain access to an organization’s banking credentials, steal intellectual property, or just wreak havoc on the network for “fun.” Even if attackers don’t end up stealing money or IP from a company, it’s not “no harm, no foul.” Half of the IT security managers we surveyed lamented the wasted time involved in getting an employee’s computer back up and running after a phishing attack.
But what, you might wonder, do the real-world implications of spear phishing attacks amount to? Consider these: According to Red Condor’s Phishing for Disaster report, in early 2010, the owner of a California escrow firm opened a spear phishing email that appeared to come from UPS. When she clicked on an attachment, her computer silently installed a backdoor that criminals subsequently used to steal $465,000 from the firm’s bank account. In February of this year, scammers convinced an Omaha company to send $17.2 million to a bank in China after sending fake spear phishing emails to the company’s controller the appeared to have been sent by the CEO. And last year, just as the Sony hack that leaked The Interview was all over the news, spear phishers also managed to hack into a steel plant in Germany and cause massive physical damage.
How to Protect Yourself
So what can organizations do to protect themselves? Start by ensuring that all email goes through a good spam filter, which will catch the most obvious phishing requests (as well as emails from far-off princes with millions of dollars to wire your way).
In addition to spam filters, organizations can install advanced malware detection software that identifies links and attachments that are likely malicious, even ones that antivirus software hasn’t seen before. It’s important to remember, though, that even though this kind of software can detect sophisticated attacks, criminals are getting more sophisticated by the day. If there is one thing that the last few years have demonstrated, it’s that technology, no matter how advanced, isn’t the complete solution.
IT departments should also make sure that all computers on their networks have up-to-date software, since cyber criminals seek to exploit weaknesses in outdated software following their attacks. Our 2015 State of the Phish survey showed that Flash, Java, and Silverlight are the most commonly outdated plugins. A full 40 percent of users had an outdated version of Flash on their computers, while 34 percent of users had outdated Java, and 32 percent (and growing) had an outdated version of Silverlight.
But even with all the technical safeguards there are, you must think beyond hardware and software to find the best defense against spear phishing. Employees need to be trained to realize that just because an email makes it through to their inboxes doesn’t automatically mean the message is safe. Just as legitimate emails can be caught by a filter, well-crafted, malicious messages will often pass through to users.
According to information security research firm NSS Labs, user education and training is the most effective defense against spear phishing. The most effective education programs includes simulated phishing emails, interactive training modules, and reinforcement materials like email reminders, posters, and company newsletters. In particular, simulated phishing emails can help employees learn what to look for by creating a visual interpretation of this dangerous threat vector. We strongly suggest communicating on the spot with employees who fall for a simulated attack but providing an immediate (but gentle) reminder about email best practices. Platforms like ours allow administrators to automatically assign training to susceptible users, and we feel it’s critical that IT managers absolutely connect with employees who need extra training.
In the meantime, though, you might be wondering about some email best practices you can share with your users today. We recommend you instruct your employees to ask themselves the following questions when addressing their inboxes:
- Do you really know who is sending the email? Do you recognize the sender and their email address?
- Is the tone consistent with what you would expect from the sender?
- Is the sender asking you to open an attachment or access a website?
- Does the message contain a “call to action” or convey a sense of urgency?
- Is the domain in the URL or file name of the attachment related to the content of the message?
According to NSS Labs, there are two further practices that, if instilled in your employees, can prevent many phishing attacks:
- Never give out your password via email. (On a side note, IT departments should try not to ask for employee passwords when troubleshooting an issue.)
- Don’t log onto a website via a link sent to you in an email. For example, a user who receives a message from LinkedIn should open a new web browser window, navigate to LinkedIn, and log in, rather than clicking on the email link. If the email is legitimate, the notification will be in the LinkedIn notification system.
At Wombat, we’ve crafted and sent countless simulated phishing attacks and developed effective interactive training modules that can help employees learn to spot fraudulent emails before they click. We can help your organization, too. Contact us at 412-621-1484 or firstname.lastname@example.org to start a conversation about security awareness training.
Note: This article originated on the ThreatSim® blog. ThreatSim was acquired by Wombat Security in October 2015.