How to Protect Yourself from a Spear Phishing Attack
Although we usually focus on personal cybersecurity, today we would like to draw your attention to a type of cybersecurity threat that mostly targets businesses and corporations. You probably know quite a lot about phishing at this point, and we have also covered the ways you can protect yourself from phishing scams. In this post, however, we would like to talk about spear phishing, and what such attacks could entail for businesses. We will discuss the essence of spear phishing, the reasons these types of cyber attacks are considered one of the top cyber threats these days, and what businesses should do to avoid them.
What is Spear Phishing?
When we compare fishing and spear fishing, we can instinctively tell that the former activity is based on the assumption that sooner or later a fish will take the bait. The latter activity is clearly more focused and targeted. You do not wait for the fish to take the bait, you spear it.
From this analogy, we can get the main impression of what spear phishing is. This criminal activity targets specific users with customized messages. While the usual phishing messages are often generic, spear phishing attacks make use of the individual information about the victim someone can find on their social media profiles or via googling. So when a customized message reaches the victim, the person is more likely to respond. In other words, they will most definitely take the bait.
Forbes has reported that 91% of the targeted security breaches in the corporate world usually start with spear phishing emails. The success rate is high because the criminals behind these messages know the user's routine quite well. For example, if an employee usually works with PDF or Word documents, and if they have to check reports and accounts, they are more likely to engage with the email content that resembles their usual routine.
What's more, regular employees are not the only ones targeted in these scams. Sometimes even C-level executives receive such messages. Cybersecurity specialists call such attacks “whaling emails” because of the status of the person that is targeted. Therefore, we can see why spear phishing is considered one of the top cybersecurity threats in 2018.
We can also add that back in 2015; the Ponemon Institute issued a report that claimed the cost of one successful spear phishing attack was around $300,000. Perhaps that may not seem much for multi-billion dollar corporations, but it does not mean that one should ignore such attacks either. Not to mention, phishing happens to be back on top of the main cyber scam trends.
How to Avoid Spear Phishing
The threat of these scams is real. Even if you haven't felt it first-hand, we can see that the matter is urgent, considering that the Federal Trade Commission has recently shared security tips regarding spear phishing on their blog. Depending on the type of attack (whether it is an email or a phone call), there might be several ways to protect yourself. We will cover several protection methods below, but we would also like to emphasize the importance of education. If you want your company or corporation to be protected against such scams, you have to invest in your employees' cybersecurity education. No antispyware program or firewall will be more efficient than an educated employee.
1. Always double-check
Since spear-phishing involves custom attacks, it is important to check whether the person on the other end really has the right to be in possession of the personal information that is used in the message (or a phone-call). In other words, double-check whether the message is legitimate before interacting with it. If you find that a phone-call or an email requests you to share sensitive personal or corporate information, do not respond at all.
2. Protect Your Privacy
Spear phishing attacks are custom-tailored because the criminals manage to piece together a lot of personal information that they find across the web. Therefore, users have to be careful about sharing their personal details online. Avoid over-sharing on your social media accounts. If possible, make your accounts private (lock them). It is also a good idea to refrain from sharing a lot of work-related information online (it's best to keep those tweets to yourself, really).
3. Do Not Send Sensitive Information via Email
Passwords, IDs, banking accounts, login information, corporate security numbers, and other information should not be shared via phone-calls or emails. You probably know it because it must've been included in one of the clauses in your contract. But just in case you have forgotten that, please be sure to keep that information to yourself if anyone asks to share it. In fact, you should notify your superior or any other responsible person that you have received such requests in the first place.
4. Employ Multi-Factor Authentication
For businesses, multi-factor authentication is not just about logins and passwords. This layer of security can be used to make sure that anyone who accesses sensitive data actually has a right to do it. Since MFA works with at least two elements of authentication, it makes it harder for a third party to breach corporate security. This type of authentication is especially important in the light of the possibility that employees could be recycling their passwords all the time. Needless to say, using the same passwords all over again is a serious security issue.
If you find it challenging to come up with new passwords every single time, you can make use of a password generator (like the one offered by Cyclonis Password Manager) to create strong passwords, and you can even store them in the said password manager because it provides you with the Personal Notes feature. Strong passwords and MFA would definitely make it harder for cyber criminals to reach your data.
5. Cybersecurity As an Objective
For most of the executives, cybersecurity is just one of the many lines in their company's agenda. However, if your company takes fire drills seriously, you should take cybersecurity seriously too. And it's not just about the spear phishing attacks. Having an actual cybersecurity manual or enforcing a cybersecurity policy within the company would most definitely decrease the probability of a cyber attack.
The bottom line is that education is the key. It might take a while until users realize the potential threats behind urgent messages that seemingly come out of nowhere. And it is very likely that we won't be able to exterminate phishing attacks 100%, but at least we can all work towards minimizing the infection rate as much as possible.