Here’s a question: what’s tripled in the last year, cost organisations £808 million in financial losses and lost business, and produces 8 victims for every 100,000 targeted users? Answer: spear phishing.
Fraud is now recognised as one of the most commonly committed crimes. Staggeringly, more than 30 million consumers are defrauded each year, and in recent years postal and telephone fraud has quickly transitioned into the digital realm. Online criminals have since refined their techniques into the highly complex practice of spear phishing. But what exactly is it, and how can you protect yourself from falling victim to spear phishers?
In a nutshell, it’s an attempt made by scammers to gain unauthorised access to sensitive data using faked emails. A spear phisher sets their target and undertakes extensive research about them so that they are able to construct sophisticated emails impersonating a colleague or a bank, for example, to trick the targeted ‘phish’ into sharing not only personal data but also corporate and highly sensitive information.
A recent UKFast Viewpoint Seminar focused on spear phishing and social engineering, inviting computer forensic investigator for Greater Manchester Police, Amy Cox, and head of sales for Secarma, Stuart Coulson, to discuss the security risks associated with the cyber threats.
One of the key points raised by Cox was the four possible targets of phishing attacks: little phish, ‘important’ mid-level phish, big phish and unexpected phish.
“The first target is usually a low-level technician or administrator who, despite not being considered a prospective data source, could be seen as possible reconnaissance for bigger phish,” explained Cox. “The second target is a more executive level, an example being a mid-level business person – with the spear phisher using this target as a means of making contacts through their social networking activities using their Facebook, Twitter and LinkedIn accounts.
“The third example – the big phish (aka the ‘whale’) – is where the criminal will send an infected email to the PA of someone within management with the intention of targeting the big phish. Lastly is the disgruntled employee. Phishers may not necessarily be external to the company, with unauthorised access to sensitive data to infiltrate the company as an internal threat.”
So what have we learnt? Well, it appears that the key ingredient to any successful spear phishing recipe is information – the more available it is, the more likely you are to be targeted. The solution? Practising security through obscurity.
Coulson stressed the importance of limiting the personal data you post online: “How much personal – and professional – information needs to be available? Whilst it is understandable that social networking through LinkedIn and Twitter could prove fruitful in furthering business partnerships, only reveal the most relevant details appropriate to your business. By eliminating your information, you’re eliminating the risk of spear phishing – obscure yourself to secure yourself.”
Cox added: “Protect the data first and foremost – where is it and who has the ability to access and know about it? Another aspect to take into account is knowing exactly who knows what, as by identifying who your ‘whales’ are you may find that they aren’t necessarily high-ranking; and may be in either the technical or financial vein of the business.”
Educating your staff and your customers on what to look out for is the simplest way to protect against spear phishing, as the forged emails are often so well constructed that your email system may not even flag them as a risk. Double-check the warning signs yourself and don’t automatically trust your in-house setup to catch them.
Cox also recommended the implementation of strict policies for ‘victims’ to adhere to: “Have a set procedure in place if someone suspects an email. Save the email, including the headers, and send it either to your technical department or phone them and read the email – then ask the receiver to open the header. If it appears to be an internal email, telephone whoever allegedly sent it and query their reasons. Should a worker be found guilty, then they must be punished accordingly – it is important for would-be victims to feel that they have an appropriate support system so they can feel confident enough to report an attack.”
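The reporting procedure above asks the receiver to save the message with its headers intact and then open those headers. As an added example that is not part of the original article, and not a tool from UKFast, Secarma or Greater Manchester Police, here is a small Python script a technical department could run over a saved message to flag the common spoofing indicators (a Reply-To or Return-Path that points elsewhere, failed SPF/DKIM/DMARC verdicts, a message claiming an internal sender that entered from an outside host). The internal domain `example.com`, the header values and both sample messages are constructed for the demonstration.

```python
"""Triage the headers of a suspected spear-phishing email.

Added example for this page (not UKFast's or GMP's tooling). The internal
domain, the hypothetical hosts and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own mail domain


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw_message: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return human-readable warnings about spoofing indicators in the headers."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. A display name that carries its own address while the real address is
    #    something else is a classic lure for a hurried reader.
    if "@" in from_name:
        findings.append(f"display name contains an address: {from_name!r}")

    # 2. Reply-To on a different domain: replies go somewhere other than the
    #    apparent sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Return-Path (envelope sender) on a different domain from the visible From.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 4. The receiving gateway's own verdicts, when it records them.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=softfail" in auth:
            findings.append(f"{check} failed according to Authentication-Results")

    # 5. Claims to be internal but entered from an outside host. Each hop
    #    prepends its Received header, so the last one listed is the origin.
    received = msg.get_all("Received") or []
    if from_dom == internal_domain and received:
        match = re.search(r"\bfrom\s+(\S+)", received[-1].lower())
        host = match.group(1) if match else ""
        if not (host == internal_domain or host.endswith("." + internal_domain)):
            findings.append(f"From claims {internal_domain} but the first hop was {host or 'unknown'}")

    return findings


# Constructed sample: an external message impersonating an internal director.
SPOOFED_SAMPLE = """\
Return-Path: <bounce@mailer-relay.test>
Received: from mx.example.com (mx.example.com [192.0.2.10]) by inbox.example.com; Mon, 1 Jan 2024 09:00:00 +0000
Received: from mailer-relay.test (mailer-relay.test [198.51.100.7]) by mx.example.com; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-relay.test; dkim=none; dmarc=fail header.from=example.com
From: "Finance Director" <finance.director@example.com>
Reply-To: fd.urgent@webmail-provider.test
To: pa.office@example.com
Subject: Urgent payment before the board meeting

Please action the attached invoice today and keep this between us.
"""

# Constructed sample: a genuine internal message, which should raise nothing.
LEGIT_SAMPLE = """\
Return-Path: <jane.smith@example.com>
Received: from mail01.example.com (mail01.example.com [192.0.2.20]) by inbox.example.com; Mon, 1 Jan 2024 09:00:00 +0000
Authentication-Results: inbox.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Smith" <jane.smith@example.com>
To: pa.office@example.com
Subject: Minutes from this morning

Minutes attached, shout if I missed anything.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage_headers(sample) or ["no indicators"])
```

The script needs the raw source of the message, not a forwarded copy rendered by a mail client, which is why the policy quoted above insists on saving the headers: forwarding rewrites From, Received and Authentication-Results and destroys exactly the evidence being checked. None of these indicators is proof on its own (mailing lists and legitimate bulk senders trip the Return-Path check routinely), so the output is a prompt for the phone call Cox describes, not a verdict.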
The two experts shared some key stats to highlight the risks posed by this cyber threat:
Here are our experts’ top tips to prevent you becoming the ‘catch of the day’: