Phishing is a social engineering tactic in which an attacker gets a foothold on a network by tricking a recipient into clicking a link or opening an attachment in an email. Since industry reports put the share of 2017 breaches that began with an email at 91%, you can bet that email phishing sits near the top of your IT department's list of security threats.
If phishing is feared, then it’s safe to say that spear phishing is abhorred. Spear phishing is essentially well-researched phishing.
Where phishing casts a wide net in the hunt for an unsuspecting bite (a mass-mailed spoof of a UPS delivery notice, for example), spear phishing targets specific individuals with information that only they and their close colleagues should know.
Spear phishing is hated by IT professionals, and by anyone else in charge of protecting electronic data, because its victims are usually high-value individuals in the attackers' eyes: people with plenty of permissions and access to client data or company bank accounts. When such a person clicks on a spear phishing email, everything that person has access to could be compromised.
Spear Phishing Devastation
Back in 2011, spear phishing was used in a coordinated campaign against security companies and government entities around the world. Network security company RSA, maker of the SecurID two-factor authentication tokens, fell victim to a spear phishing email that, in RSA's case, was sent to just four employees with the subject line "2011 Recruitment Plan."
One recipient retrieved the message from the junk folder and opened the attachment, "2011 Recruitment plan.xls." The spreadsheet carried an embedded Flash object that exploited a then-unpatched (zero-day) Adobe Flash vulnerability and installed a remote-access tool, giving the attackers a persistent backdoor into RSA's network from which they moved laterally, harvested credentials and exfiltrated data. The result? Information related to RSA's SecurID two-factor authentication product was stolen, putting its customers at risk until RSA replaced the affected tokens.
The RSA hack foreshadowed the spear phishing attacks that occur all the time in 2018. Sadly, many go unrecognized because companies struggle to keep pace with current cybersecurity recommendations.
What Is Spear Phishing? [Infographic]
Here's a snapshot of spear phishing, condensed into a single definition. It's not hard to imagine how quickly a company can go from secure to compromised once spear phishing is involved.
Spear phish·ing noun: a customized phishing attack on specific employees at a company, sent by someone masquerading as a known or trusted sender in order to trick the victim into revealing confidential information, granting account access, and/or unknowingly installing malware.
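The "masquerading as a known or trusted sender" part of that definition is something a mail gateway or a SOC script can test for. The following is an added example, not code from the original article or from any vendor it mentions: it parses the From and Reply-To headers of a message and flags three common impersonation tricks (a display name matching a real colleague but an address that is not theirs, a sender domain that is a lookalike of the company's own, and a Reply-To that silently redirects answers elsewhere). The organisation domain `example.com`, the `STAFF_DIRECTORY` entries, the `HOMOGLYPHS` table and the sample headers in `SAMPLES` are all constructed for the demo.

```python
"""Flag sender impersonation in inbound mail headers.

Added example (not from the original article). Domain, staff directory,
homoglyph table and sample messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr
import re
import unicodedata

# Constructed for the demo (hypothetical organisation): our mail domain and a
# directory of staff whose names are worth impersonating.
OUR_DOMAIN = "example.com"
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@example.com",    # finance director
    "sam patel": "sam.patel@example.com",  # payroll
}

# Character swaps attackers use so a lookalike domain survives a quick glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d")]


def normalize_name(name: str) -> str:
    """Casefold and keep only Latin letters and spaces so 'Jane DOE' and
    'jane  doe' compare equal (a real deployment would also fold Unicode
    confusables)."""
    name = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(re.sub(r"[^a-z ]", " ", name).split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True if `domain` is not ours but is close enough to be mistaken for it."""
    if domain == ours:
        return False
    folded = domain
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    if folded == ours:
        return True
    return edit_distance(domain, ours) <= 2


def analyze_headers(raw_message: str) -> list:
    """Return a list of findings for one message (the headers are enough)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name of a known colleague, but the mailbox is not theirs.
    known = STAFF_DIRECTORY.get(normalize_name(display))
    if known and addr != known:
        findings.append(f"display name impersonates {known}, actual sender {addr}")

    # 2. Sender domain is a lookalike of our own.
    if domain and is_lookalike_domain(domain):
        findings.append(f"lookalike domain {domain} (ours is {OUR_DOMAIN})")

    # 3. Replies are redirected somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    return findings


# Constructed sample headers (not real mail).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 forecast\n\nbody",
    "freemail": "From: Jane Doe <jane.doe.exec@gmail.com>\nSubject: urgent wire\n\nbody",
    "typosquat": "From: Sam Patel <sam.patel@exarnple.com>\nSubject: payroll update\n\nbody",
    "redirect": ("From: Accounts <accounts@example.com>\n"
                 "Reply-To: accounts-team@outlook.com\nSubject: invoice\n\nbody"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze_headers(raw) or ["no findings"])
```

Only the "legit" sample comes back clean; the other three each produce at least one finding. Heuristics like these are a triage aid rather than a verdict, so in practice you would combine them with SPF, DKIM and DMARC results before quarantining anything.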
The Future of Spear Phishing & Spear Phishing Defense
Spear phishing will increasingly be used to target individuals at smaller companies. A spear phishing attack pays off most when the target company cannot catch the network intrusion or the odd user behavior that follows a successful click, two security monitoring capabilities most often implemented by enterprises or by companies subject to compliance regulations.
Many small to midsize businesses that aren't subject to such a regulator report that they have no IT security controls in place beyond a firewall and anti-malware software.
Attackers may also begin to use artificial intelligence (AI) to scrape the internet for company data and even to write the emails, which would greatly increase the rate at which spear phishing messages can be sent by cutting down on research time.
Simulated phishing and security awareness training will continue to be a front line of defense against spear phishing; however, a 0% click-through rate is unlikely to hold for long.
After a click or download, trained employees are more likely to realize what they've done and report the event so your IT security team can address it quickly. If they don't, endpoint monitoring and network monitoring, whether outsourced, co-managed, or performed in-house, establish a baseline of your normal user behavior and network traffic so that deviations from it (a user logging in at odd hours, a workstation calling out to an unfamiliar host) can be spotted and investigated.
To learn more about spear phishing and how your company can be prepared to face attacks, contact us.