A highly-targeted variant of typical phishing, “spear phishing” is a technique used by cyber criminals in which they send an email that appears to be from a friend or colleague that either encourages recipients to download malicious attachments, click on malicious links, or send sensitive personal or professional information back to the sender.
When you consider that cyber criminals have been known to make off with employee W-2 information, critical banking information, and other sensitive financial documents, the importance of teaching your users how to take precautions and avoid falling victim to phishing attacks becomes clear.
How Spear Phishing Works
Spear phishing emails go well above and beyond the typical spam message. Using information they uncover about their targets online, they personalize their emails and make them appear as convincing as possible. This can include information pulled from victims’ social media accounts, or from a simple Google search.
Unfortunately, once someone takes the bait and clicks on a link in the phishing email their computer can quickly become infected with malware that can steal the critical company information, wreck their system, or encrypt their hard drive until your company pays an outrageous ransom to the people holding the data hostage.
5 Tips for Keeping Employees Safe
Given the dangers of opening a spear phishing email it’s important to keep your users informed and vigilant. Here are some tips and best practices to pass along that can help protect them from spear phishing:
Check twice, click once. Remind your users to stop before they click on any links in an email, they should check the email headers to ensure they come from a legitimate source. Even then, you should also get them to hover over the hyperlink to see the destination URL first. Spear phishers will often hide their URLs in email text with things like “click here” or “fill out this form” in order to trick an employee into clicking without thinking. Hovering over email link text will reveal the website that the link is pointing to. If it’s not familiar, do not click the link!
Not sure about an email? Check with the sender.
A favourite tactic of spear phishers is to find a list of executives at a company and send emails impersonating those executives to get employees to reveal sensitive information. Remind your employees that if they get an email with any request that seems out of the ordinary – no matter who it is from – they should check with the sender by face to face or telephone, just to confirm. If that colleague states they didn’t send it, then report this to management or your IT people urgently.
Get in the habit of never sending confidential information via email.
It is common to find spear phishers emailing employees and asking for confidential business information, or money transfers. If anyone asks for employees passwords, bank statements, or corporate banking information then that should be a red flag to you.
Avoid posting too much personal information online.
A spear phisher’s strategy is using the personal information they find out about their potential targets online. Remind your employees that posting too much personal information publicly can help these attackers successfully breach your company.
Encourage your users to be especially careful to avoid posting their work phone numbers online. Many spear phishers will try calling and pretending to be IT staff or admins to assure employees that they should send them the information they requested.
Given the potential profits that these criminals can gain from spear phishing, it seems only likely it will become a larger problem within IT security. However, with the right tools, training, and strategy you can keep your employees and your company safe.