Today, most individuals and organisations are familiar with phishing attacks and how they can affect finances and business operations. If phishing wasn’t enough of a worry, you are now expected to have further protection against spear phishing attacks. These are more malicious emails that are highly targeted at the victim, often containing personal details designed to persuade them.
As the name suggests, spear phishing is often used when a criminal targets an individual using a more personalised tactic. These attacks can be very effective because the perpetrator can use tailored language for each user. As end users learn to protect themselves better, cyber criminals enhance their phishing techniques to get the most out of their targets.
Spear phishing allows the criminal to personalise the attack in a particular way: it creates urgency in the user’s mind and pushes the target to let their guard down. Imagine if your managing director emailed a few people, sending them an invite through Gmail, and the link in the email asks the user to sign in to Gmail to attend the meeting. This method has been used by criminals to hack into certain accounts; it also isn’t the type of email you just ignore…
The idea is the same as phishing, which involves using a malicious link to phish for confidential information.
According to the SANS Institute, 95% of all attacks on networks are the result of successful spear-phishing.
Why do cyber criminals prefer spear phishing to standard phishing attacks? Spear phishing attacks have proven to be more effective. The attackers combine research, using sources such as websites and LinkedIn, with social engineering to create customised emails that individuals are likelier to open and accept. The most common objective is to have staff transfer money into a third-party bank account. You’re probably thinking, well that’s stupid – but you’d be surprised how convincing spear phishing emails can be.
Spear-phishing methods are not a hack or a factor that can be blocked using technology. They rely on human nature to be successful and can only be prevented by creating user awareness and education.
The combination of technical and psychological factors makes spear phishing highly effective. Because spear phishing emails can look like normal business emails with normal business banter, spam detection systems find it difficult to tell them apart from genuine emails.
Spear phishers take their time, spending weeks or months building up the reputation of their IP addresses and email domains by sending legitimate traffic and emails, so that they stay off the blocking lists.
The success of spear phishing also comes down to the human element and to social engineering, which plays on how people think and act. Trust is a natural and helpful part of the human mind, and it is necessary to form working relationships.
Phishers like to abuse this trust element. They take advantage of the fact that people are more likely to comply with orders from authorities and people they trust.
If you cannot recognise a spear-phishing attack, you may not realise that you’re losing data until it’s too late. If cyber-criminals focus on a particular person for a long time, they can gain access to critical data such as bank accounts and computer passwords.
Here are some useful tips to help you and your organisation: