Most people are familiar with phishing, an email-based social engineering attack whereby attackers attempt to fool the recipient into taking an action. Usually attackers are seeking money or personal information, with limited success. However, a new, more effective version of this attack has recently evolved. This attack, known in security circles as spear phishing, uses a more targeted approach.
Traditional phishing uses a generic email with wording such as “Dear customer” or “your recent purchase.” Spear phishing, on the other hand, uses personal information to make the scam seem more legitimate. The email will often include the recipient’s first name along with some personal information. For example, it might refer to a recent purchase they actually made or something they recently did, such as attend a meeting.
Even though fewer emails are sent, spear phishing is much more effective than regular phishing. In a spear phishing attack, emails are usually sent to about 1,000 people, with 2 of them falling victim, according to the Cisco Systems report “Email Attacks: This Time It’s Personal.” In contrast, a phishing attack email is usually sent to about 1 million people, with 8 people falling victim. In other words, there’s 1 victim for every 500 spear phishing emails sent compared to 1 victim for every 125,000 phishing emails sent.
To help your company avoid becoming a victim, consider a two-pronged approach. First, try to prevent as many spear phishing attacks as you can from reaching your employees. Keep your email filtering and anti-malware tools up to date and make sure potentially sensitive information, such as employee email addresses, is not publicly available.
Second, educate employees about the targeted nature of spear phishing. Inform them of the risks of clicking an email link or opening an email attachment, even if the information seems personalized. If something looks fishy, urge them to contact the IT department.
These tips are a starting point for companies looking to protect against spear phishing. However, the individual steps will vary depending on your company’s needs. Contact us to learn more about following these practices or addressing similar security issues.