15.02.2018

Best Defense Against Spear Phishing

Spear phishing is a very simple, yet targeted and dangerous email-based cyber attack. You’ve probably seen a spear-phishing email before: “Could you please log into your file sharing account and review the following proposal?” “We noticed an issue with your social media account. Follow the attached instructions to fix the issues as soon as possible.” “There’s been unauthorized activity on your bank account. Click here to log in and fix the problem.”



 

The real dangers of spear-phishing attacks

Spear-phishing attacks are delivered via a standard approach: email. They appear as ordinary emails. The body of the email may contain a link or an attachment. The immediate objective: to get you to give up a little bit about yourself—your personally identifiable information (PII). Spear phishing is targeted. The attackers did their research, usually through social engineering. They might already know your name or your hometown, your bank, or your place of employment—information easily accessed via social media profiles and postings. That bit of personalized information adds a lot of credibility to the email. Spear-phishing emails work because they’re believable. People open 3% of their spam and 70% of spear-phishing attempts. And 50% of those who open the spear-phishing emails click on the links within the email—compared to 5% for mass mailings—and they click on those links within an hour of receipt. A campaign of 10 emails has a 90% chance of snaring its target.

If you do not recognize a spear-phishing attack, you may not realize you are losing data until it’s too late. By focusing on a particular person, cyber attackers can eventually gain direct or indirect access to critical data, including bank accounts, computer system passwords, work credentials and security clearances. Spear phishing is a precursor to a far more dangerous advanced attack.

Spear phishing: the who and the why

Anyone can be the target of a spear-phishing attack, whether they accidentally click on an unsolicited survey response or get bamboozled by a fake alert from their bank. While an attacker may not be interested in you specifically, you can be their foothold into a secure computer system that may contain the PII of customers, executives and other personnel as well as critical data, such as intellectual property and financials. In that sense, we are all critical to the safety of our own PII and the business systems we are part of. If you’re in finance, you have access to critical company data. If you’re in sales, you have access to lists of customers and prospects. If you’re in facilities, you may have access to onsite service-call schedules. Everyone has value.

Spear-phishing attacks are neither trivial nor conducted by random hackers. They are targeted at a specific person, often by a specific group. Many publicly documented advanced persistent threat (APT) attack groups, including Operation Aurora and the recently publicized FIN4 group, used spear-phishing attacks to achieve their goals.

 

 

 

How to stop spear-phishing attacks

To stop spear-phishing attacks, security teams must first train users to recognize, avoid and report suspicious emails—it is important for every employee to recognize that their roles grant them access to different data, the currency of the information economy. Second, security teams must implement, maintain and update security technology and processes to prevent, detect and respond to ever-evolving spear-phishing threats. Finally, security teams must strive to stay ahead of attackers by investing in actively updated threat intelligence and expertise to meet their needs. One thing is clear: you cannot discover a new spear-phishing attack by looking at it in isolation. A spear-phishing attempt is often part of a blended attack that uses a combination of email, internet browsing and file shares.

These are the questions that security teams must be able to answer: 

  • Which attack groups are likely to use spear phishing?
  • How do attackers choose and approach their targets?
  • What are their ultimate goals?
  • What specific steps can we take to prevent or block malicious attacks resulting from spear-phishing emails?
  • Are we able to detect unknown threats and spear-phishing attacks?