Don’t Get Hooked by Spear Phishing Attacks

Phishing attacks
have been around for a long time in IT.  Designed to steal your credentials or
trick you into installing malicious software, they have persisted in the IT
world precisely because they have been so devastatingly simple and effective. 
Today, a more modern and more effective version of the same attack is commonly
used.

A typical phishing
attack involves an attacker sending out a malicious email to hundreds of
thousands, if not millions, of users.  The attacker’s email is designed to look
like it comes from a bank, financial service, or even the tax office. Often
aiming to trick you into logging in to a fake online service, a phishing attack
captures the login details you enter so an attacker may use them to enter the
genuine service later.

By sending out
tens of thousands of emails at a time, attackers can guarantee that even if
only one half of one percent of people fall for it, there is a lot of profit to
be made by draining accounts.  Spear phishing is a more modern, more
sophisticated, and far more dangerous form of the attack.  It’s typically
targeted at businesses and their staff.

A Convincing, Dangerous Attack

While a
traditional phishing attack throws out a broad net in the hope of capturing as
many credentials as possible, spear phishing is targeted and precise.  The
attack is aimed at convincing a single business, department, or individual
that a fraudulent email or website is genuine.

The attacker
focuses on building a relationship and establishing trust with the target.  Once
the attacker has convinced the target that they are who they are pretending
to be, the target is more likely to open attachments, follow links, or provide
sensitive details.

Consider how many
times you have followed a link or opened an attachment just because it has come
from a contact you have trusted before.

A Trusted E-mail

The malicious
email can appear to come from a vendor you deal with regularly.  It may even
look like an invoice you are expecting to receive.  Often attackers can simply
substitute the vendor’s banking details for their own, hoping the target will
not notice the difference.

Such an attack is
very difficult to detect.  It takes a keen eye, strong working knowledge, and
constant awareness to keep your company protected.  Even a single small mistake
by an unaware member of staff can compromise your business accounts.

Defending Your Business

The key to
stopping a spear phishing attack is education.  Learning attack techniques and
how to protect against them is the single biggest thing you can do to enhance
business security.

Whenever you deal
with a vendor in a business transaction, you should always consider important
questions before proceeding.  Are you expecting this email?  Is the vendor
attempting to rush you into a quick decision or transaction?  Have you checked
all the details are correct and as you expected?  Sometimes a simple query to
the vendor can protect you against worst-case scenarios.

In many cases, a
phishing attack can be halted in its tracks with a strong IT security package. 
Web filtering prevents malicious emails and links from entering the network,
shutting attacks down before any damage can be done.

Good Security Practice

As with many types
of IT threat, good security practices help mitigate damage.  Locking down
security to ensure employees only access the systems they need helps to prevent
damage spreading across the network.

Enforcing unique
and strong passwords prevents credentials leaked from one compromised system
from being used against related systems.  Getting employees set up with a password
manager and good security policies can do the world of good to boost your
security to the level it needs to be.

Give us a call at 01297 306356 to audit your security practices.  It could be the difference that secures your firm against sophisticated spear phishing attacks.
