Cybercriminals are continually honing their skills to find ways to get in your inbox and get you to unknowingly click on a malicious link.
Enter spear phishing.
Similar to phishing, where malicious actors attempt to trick their victims into sharing private data and credentials through blanket attempts to databases, spear phishing is after the same information – although, it goes about it in a more personal way.
Cybercriminals looking for spear-phishing victims begin by trying to obtain as much personal information about potential victims as possible. By doing their research, these cybercriminals can then craft individual, personalized emails making them look more credible, and increasing the likelihood of catching the victim.
Individualized Attacks...
These more sophisticated techniques target a specific individual or group with some sort of “individualized” details in the message. Because of the trust factor of personal emails, it is more difficult for recipients to identify spear phishing attacks.
And while these attacks are duping users, it is even more concerning that traditional filtering techniques struggle to correctly flag spear phishing attempts.
To help protect themselves from falling victim to these types of attempt, organizations should have an email security solution that automatically detects and blocks advanced targeted spear phishing attempts. Organizations are also strongly advised to secure their network with a multi-layered approach – combining email and web security solutions with an endpoint AV protection layer.
Organizations should also consider conducting regular IT security audits to get a clear picture of the status of the network, become more aware of the security holes and learn how to best deal with those threats.
Spear Phishing: 4 Steps to Protection
Here are some best practices to help keep your employees safe from a spear phishing attack:
1. Create strong, complex passwords: Passwords should be between 8 and 12 characters with a combination of upper and lowercase letters, numbers and symbols. Never use the same password for different accounts. A password manager can also help by managing multiple accounts and suggest strong password options.
2. Careful clicking: Only click web links within emails you know to be authentic. If an organization, such as your bank, asks you to perform any activity that involves clicking links and entering credentials, either launch your browser and go directly to the bank’s site or call them to double check on it. It’s best to always assume the worst when it comes to following links.
3. Employee Training: Employees are typically the last line of defense when it comes to protecting an organization’s network against a malicious attack. By implementing training on security awareness and social engineering techniques, users will be equipped to make better judgments about the content they download from the internet, receive through communications and access through the Web.
4. Google yourself: Be cautious when sharing data on social networks and limit what types of personal information you post on the internet: Review your online profiles and ask yourself how much personal information is available for cyber criminals to view? If there is anything that you do not want a potential scammer to see, do not post it – you should also consider reviewing your privacy settings on social media sites.
Bonus - Get This: Want to know more about spear phishing? Download AppRiver’s free white paper, Spear Phishing: Understand, Analyze and Prevent.
Troy Gill, GPEN, is a senior security analyst at AppRiver. Read more AppRiver blogs here.
