We’ve all heard of phishing and have some awareness of how it threatens our personal security, but have you come across its more sophisticated cousin, spear phishing, which threatens our businesses? Spear phishing attacks are increasing, so if you don’t want your business sunk by this threat, read on to learn more.
Cyber security attacks are shifting towards employees
Before we venture into the world of phishing, recent research is indicating that the number of security incidents attributed to employees and company insiders is growing whereas there is a slight drop in the number of incidents from hackers, competitors and other outsiders.
As technical security controls have improved, it is becoming more difficult for hackers to penetrate corporate systems, and the risk/reward ratio of a purely technical attack is dwindling. Criminals are now shifting their attention to the staff, contractors and consultants who have inside, authorised access to valuable internal systems, data and money.
It is this human attack surface that is the target for spear phishing attacks.
How spear phishing differs from phishing
Phishing attacks are primarily psychological attacks in which the unwary are lured by an email to log on to a website that appears genuine but is actually designed to steal passwords or other personally identifiable information (PII), or to defraud the victim. These social engineering attacks are generally broadcast to many potential victims, using email addresses that are likely to have leaked into the wild through large company data breaches.
Instead of finding victims by throwing a metaphorical hand grenade into a river and hoping for the best (phishing), spear phishing, as its name suggests, is a far more targeted threat: a specific individual in the organisation is convincingly singled out so that they fall victim to fraud or identity theft.
In general, spear phishing is around twice as effective for criminals as phishing, because they perform extensive reconnaissance on the potential victim to increase the likelihood of the victim receiving the attack email, opening it, and then trusting its apparent source sufficiently to click on the malicious links it contains.
The role of open source intelligence (OSINT)
Know thy enemy, or in this case, know thy victim. This is where freely available information about companies and employees plays a vital role in the reconnaissance phase of a social engineering attack such as spear phishing.
A determined attacker has huge amounts of open source information available to them which is willingly shared by companies of all sizes. Does your corporate website proudly show the names and images of directors and senior staff? Maybe even their email addresses too?
Do you allow your staff to identify your business as their employer on their Facebook pages? Your employees are likely to have their colleagues as Facebook friends, so OSINT reconnaissance can start to piece together who your employees are and which interpersonal relationships exist that could be exploited. A fraudulent email is far more likely to be opened and acted upon if the recipient thinks that it comes from a friend or colleague.
There are many more open sources of information that are available to determined and skilled attackers, but hopefully this has introduced some of the more obvious threats to you.
How to mitigate spear phishing threats
As with most aspects of the human attack surface, the best way to mitigate threats is user education. It is vital that all employees are constantly on the lookout for suspicious emails and, if they find one, it should be almost a reflex response to avoid clicking any links and to report it to their supervisor or incident response team immediately.
Onus is also placed on the security staff who must keep abreast of the latest threat intelligence both within their industry sector and general cyber security alerts.
The problem is that this forces constant vigilance on already busy staff and it is inevitable that some spear phishing attacks will succeed if the criminals are skilled and determined enough.
This is where technical controls are increasingly being developed and deployed to help detect and mitigate attacks. Because a spear phishing attack will not just use the email system, but will also require browser activity and access to fraudulent websites at URLs that may already be known, AI-based protection systems are becoming increasingly effective at threat detection and mitigation.
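One simple form of the email-side part of such a control, added here as an example and not code from the original post: a triage function that flags the two patterns described above, an email whose display name impersonates a known colleague, and a link to a host already known to be fraudulent, run over a constructed sample message. The corporate domain, staff directory and blocklist are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
import re
from urllib.parse import urlparse

# Constructed, hypothetical data: the corporate domain, a staff directory
# and a blocklist of hosts already known to serve fraudulent pages.
CORP_DOMAIN = "example.com"
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}
KNOWN_BAD_HOSTS = {"example-payroll-login.net"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def spear_phish_indicators(raw_email):
    """Return indicator strings for one raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_email)
    name, addr = (s.strip().lower() for s in parseaddr(msg.get("From", "")))
    indicators = []
    # 1. Display name matches a colleague but the address is not theirs:
    #    the "email from a friend or colleague" lure.
    if name in KNOWN_STAFF and addr != KNOWN_STAFF[name]:
        indicators.append(f"display-name impersonation of {name} from {addr}")
    # 2. Crude lookalike check: the corporate label reused in a foreign domain.
    sender_domain = addr.rsplit("@", 1)[-1]
    if sender_domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in sender_domain:
        indicators.append(f"lookalike sender domain {sender_domain}")
    # 3. Any link whose host is already on the known-fraudulent list.
    payload = msg.get_payload(decode=True) or b""
    for url in URL_RE.findall(payload.decode(errors="replace")):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            indicators.append(f"link to known-fraudulent host {host}")
    return indicators


# Constructed sample: a lure impersonating a colleague with a known-bad link.
SAMPLE_LURE = (
    'From: "Jane Doe" <jane.doe@example-corp.net>\n'
    "To: bob@example.com\n"
    "Subject: Urgent: approve this payment\n"
    "\n"
    "Bob, please log in at https://example-payroll-login.net/approve today.\n"
)

if __name__ == "__main__":
    for line in spear_phish_indicators(SAMPLE_LURE):
        print("FLAG:", line)
```

A flagged message should be quarantined and routed to the incident response team rather than silently dropped, so the reporting reflex described above still gets exercised.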
Conclusion
Spear phishing is increasingly being used by criminals in an attempt to defraud businesses by eliciting targeted attacks against senior managers within the organisation. If successful, these attacks can lead to large monetary losses. Although these attacks are often “low tech” in nature, they result from detailed and sophisticated reconnaissance of freely available information that companies publish on their website and social media platforms.
It is the human rather than the technical attack surface that spear phishing exploits, so businesses should treat staff education and awareness as the primary defence. Consideration should also be given to limiting the availability of open source information and, should budgets allow, to implementing a technical AI-driven solution as part of a layered defensive approach.