When it comes to protecting your business from cyber security threats, one of the hardest elements to manage is often the human factor. You can spend all the money in the world on the latest antimalware and antivirus software, intrusion detection and prevention systems, and advanced firewalls, but all it takes is one person to send an email to the wrong person, or misplace a password they've written down, and all that hard work could be undone.
Hackers are well aware of this, which is why social engineering attacks are one of the most popular ways of gaining access to networks or sensitive information. You can think of protecting your networks the same way you protect your building. Criminals who want to break in could spend their time studying blueprints for a weak spot or trying to pick the locks, or they could hang around the back entrance wearing a hi-vis jacket with a clipboard in their hand, and wait for someone to hold the door open for them.
It's much the same in the virtual world, and one of the most popular attack avenues for hackers is the use of phishing or, increasingly, its more targeted cousin: spear phishing.
Often, this consists of a link to a fake website enticing users to enter their login details, which hackers can then reuse elsewhere to gain entry. However, it could even be set up to trick employees into responding directly with sensitive data, perhaps by posing as a colleague claiming to need certain information for a meeting.
Spear phishing has become a major problem for businesses over the past few years, and some of the largest and most costly data breaches have been traced back to the technique.
For example, the 2015 attack on health insurance provider Anthem, which exposed the data of around 79 million people and cost the firm $16 million in settlements, was the result of a spear phishing attack aimed at one of the firm's subsidiaries. According to the Department of Health and Human Services’ Office for Civil Rights, at least one employee responded to the malicious email, thereby opening the door to further attacks.
Therefore, it's clear that understanding what spear phishing is and how to defend against it is essential if enterprises large and small are to protect their precious data.
Phishing vs spear phishing - what's the difference?
Phishing has been around almost as long as the web, and looks to lure unsuspecting users into handing over sensitive details. Its name, replacing the letter 'f' with 'ph', links it to 'phreaking', a slang term for experimenting with telecoms networks.
Taking the fishing analogy one step further, spear phishing is a much more targeted approach than traditional methods. If phishing is the equivalent of throwing out a net and seeing what you drag up, spear phishing involves looking for a specific target, waiting until they're in range, and putting a spear directly through them. It's clinical, calculated, and offers a much higher success rate for scammers.
In other words, standard phishing emails tend to be impersonal and irrelevant to most users. They're designed to be sent to as many people as possible, in the hope that only a couple are careless or gullible enough to respond. Spear phishing, on the other hand, appears aimed directly at the user - even if hackers are sending out similar emails to everyone in the company - and appears to come from sources they already know, whether colleagues, friends or trusted companies.
Why is spear phishing so effective?
There are several reasons why spear phishing can be so effective. One of the most common is that people are naturally less wary when dealing with people they believe they know. If you're regularly sending and receiving emails from a colleague, you're not likely to look over every one with the same suspicious eye you would use for a contact you don't recognize.
These messages take advantage of the fact users will feel familiar with the content of the emails, and they're much more sophisticated than in the past. For instance, a message from an unknown sender saying 'You've won a free iPad!!! Click here to collect!!!' is only likely to elicit rolled eyes and a swift press of the 'report spam' button (assuming it gets through filters in the first place). But what about a message from a courier service, addressed specifically to you, saying 'Your package could not be delivered. Log in here to arrange a new date'?
Even if the sender was just guessing, if you actually are expecting something, there’s a higher chance you'll give it a second look. And the same is true for many work-related emails. The IT department wants you to log in to a portal to change your password? That might seem highly plausible.
Another factor is the appearance of authority. Many personalized spear phishing attempts may appear to come from a user's boss - or, for an even more likely return, their boss' boss. Nobody wants to annoy people who are high up in the company, so if a relatively junior employee gets a message from the CEO asking them to send over key payroll data urgently, they're likely to do so without question - which is exactly what happened at Snapchat a couple of years ago.
How to prevent spear phishing
While effective anti-spam tools can go some way towards preventing spear phishing, by spotting harmful emails before they ever reach employees' inboxes, this is never going to be a 100% effective solution. Therefore, the only real way to guard against this type of attack is through user education, and ensuring your employees are aware of the threat and know what to do should they encounter suspicious emails.
This means a comprehensive training program that emphasizes the need to be wary of all incoming emails, instructions on what signs to look for that may suggest a message is not legitimate, and how to report anything that looks untrustworthy. But this can present its own problems. After all, how do you know if employees are actually putting this advice into practice?
Spear phishing your own employees
The best way to check if your training is sinking in is to run a test of your own. By sending out spear phishing messages to your own employees, you can see exactly who's following procedures and who's still falling for the fake messages.
Let's use a real-world test as an example. In this case, a company sent a fake email to all its users, which contained a link requesting their company username and password. The email was designed to have the appearance of a legitimate company email - using the brand's logo and standard email disclaimer - and appeared to have originated from an internal address everyone would be familiar with.
Doing this involved setting up a system outside the company that spoofed the firm's internal email addresses. However, there were a couple of telltale signs users should have noticed.
For instance, the 'click here' link in the message actually led to an external site, which users would have been able to see without clicking if they hovered over the link. There were also a couple of typos in the link, and if users did follow it, it would take them to an unbranded login page that shouldn’t have been familiar.
By tracking who reports the attempt, who just ignores the email, who clicks the link but proceeds no further, and who actually falls for it hook, line and sinker, IT departments can see whether their messages are getting through and where to focus their education efforts.
Armed with this information, businesses can improve their defenses and give employees better, more relevant advice on what they need to do. Here are some top tips taken from the real-world test above that managers should share with their employees:
- Be aware of urgent or threatening language.
- Don’t rely on the display name or from address.
- Check for improper spelling and grammar, or formatting issues.
- Look, but don’t click. Hovering the cursor over any hyperlinks will reveal the true URL.
- Never give out personal or confidential company information (including your password).
- Never open suspicious attachments, especially from unknown addresses.
- If in any doubt at all, report to IT. They will quickly be able to confirm if an email is genuine.
- If a user does mistakenly follow a link, open an attachment, or enter their credentials, report it to IT immediately. Failing to do so may lead to a serious breach of security.
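The checks in the list above (the display name versus the real sender address, a link's visible text versus the host it actually points to, and urgent wording) can also be automated as a first pass before a message reaches a person. The following Python script is an added example and is not part of the original article or the test it describes; the company domain example.com, the sample headers and both sample messages are constructed for illustration.

```python
"""Apply the spear phishing telltales listed above to a raw email message.

Returns a list of human-readable findings; an empty list means none of the
checks fired. Company domain and sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed company domain (placeholder)
URGENT_PHRASES = ("urgent", "immediately", "account will be suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or a bare 'host/path' string, or None."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname


def is_internal(host):
    """True when the host is the company domain or one of its subdomains."""
    return host is not None and (host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN))


def analyse(raw):
    """Run the header, link and wording checks over one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Don't rely on the display name or From address: check the real domain.
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_host = addr.rpartition("@")[2].lower()
    if not is_internal(from_host):
        findings.append(f"From address is external: {addr}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_host:
        findings.append(f"Reply-To ({reply_to}) differs from From ({addr})")
    if INTERNAL_DOMAIN in display.lower() and not is_internal(from_host):
        findings.append(f"Display name '{display}' impersonates the company")

    # 2. Look, but don't click: compare each link's visible text with its real host.
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if not is_internal(target):
            findings.append(f"Link '{text}' points to external host {target}")
        shown = host_of(text) if "." in text else None
        if shown and target and shown != target:
            findings.append(f"Link text shows {shown} but goes to {target}")

    # 3. Be aware of urgent or threatening language in subject or body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENT_PHRASES if p in lowered]
    if hits:
        findings.append("Urgent language: " + ", ".join(hits))
    return findings


# Constructed sample resembling the test described above: a fake IT email
# with a company-looking display name and a lookalike login link.
SAMPLE = """\
From: "Example.com IT Helpdesk" <helpdesk@examp1e-support.net>
Reply-To: reset@mail-reset.net
To: alice@example.com
Subject: URGENT: password reset required
Content-Type: text/html

<html><body>
<p>Your password expires soon. Log in within 24 hours to keep access.</p>
<p><a href="http://login.examp1e-support.net/portal">https://intranet.example.com/login</a></p>
<p><a href="http://login.examp1e-support.net/portal">click here</a></p>
</body></html>
"""

# Constructed benign internal notice, for comparison.
CLEAN = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/html

<html><body><p>The intranet will be unavailable 08:00-10:00.</p>
<p>Details: <a href="https://intranet.example.com/maintenance">intranet.example.com/maintenance</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, analyse(raw) or ["no findings"])
```

The script only reports the signs a trained employee is told to look for; it is a triage aid for the IT team, not a replacement for the spam filter or for the reporting process described above.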