In a recent CCT article I pointed out that online phishing attacks are becoming more sophisticated even as they pursue two basic goals—getting people to hand over personal data or placing malware on personal devices. In pursuit of even more specific goals, spear phishing has become a common tactic.
Spear phishing takes standard phishing to a higher level. The emails appear to be from a trusted source and are sent to targeted individuals with the aim of getting recipients to provide confidential data. Spear phishing can target consumers, but businesses are the most common target.
Any organization, large or small, that has useful data about customers or clients is a tempting target. Organizations that supply or partner with service providers or other large companies can be targets, even if they hold little valuable data themselves.
Spear phishing is done in one of three basic ways:
Most businesses already have some types of protection in place, but vigilance is required to ensure they are activated and functioning properly. The antivirus protection in basic security software is a first line of defense. So is the email authentication that is part of email software packages. If malware does get through the original defense, it is likely to replicate itself quickly and infect computers throughout the business network and perhaps beyond, hence the need for vigilance.
The basic security packages are designed to protect computers that remain connected to the network. Today's business networks include many other devices—laptops, notebooks and smartphones, for example—that can connect to the network. They can quickly be infected by replicating malware. Endpoint security solutions are required to successfully manage threats to networks that include mobile devices. While there are DIY alternatives, they may be beyond the skill set of many business owners. There are many reputable firms that sell endpoint security solutions and they have informative explanations on their websites and blogs. At the end of the day, however, they are all trying to sell something. Look for guidance like this article that provides information as well as software reviews.
In the end, remember that no software can do its job if employees are not security conscious. This is a more detailed set of indicators of phishing emails, and it is worth reviewing with all employees.