The latest twist on phishing is spear phishing. No, it's not a sport, it's a scam and you're the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your organisation's passwords, and its financial information.
Spear phishing is a targeted form of email deception that differs from phishing attacks in that the victim is specifically targeted and carefully researched. As opposed to normal phishing attacks which target a bulk of recipients and only minimal attempt is made to “customise” the phishing email for an individual, spear phishing emails are targeted at specific individuals.
They are professionally constructed with a high degree of context specificity and made to appear as though they have been sent by an individual or organisation known personally to the recipient. Attachments and links are carefully constructed so that the likelihood of the victim clicking on these is greatly increased, and a malicious payload is delivered to the target computer.
On account of their highly targeted and focused nature, a spear phishing campaign is likely to be undetected for a long time if it does not arouse initial suspicion. When combined with zero day vulnerabilities the likelihood that a successful infection is detected by existing technical controls is reduced even further.
High success rates
Spear phishing attacks therefore have high success rates and can result in the compromise of individual devices and confidential information stored on these devices. More importantly, attackers are using spear phishing as a route to penetrate deeper not only into an organisation’s own network, but also into the networks of their suppliers and partners – these are more often than not the real targets of the attackers. Large organisations are therefore exposed to significant risk from the most innocuous and insignificant of their partners and suppliers. Indeed, industry analysis shows that while on the one-hand, the volume of spam and phishing emails is decreasing, the number of successful spear phishing attacks has been increasing steadily.
What Organisations are doing about it
Spear phishing requires organisations to deploy effective technical controls, but more importantly, requires strong levels of security awareness so that users are able to look for the warning signs that can highlight that they are being targeted; or indeed, if nothing else, to become aware sometime after the fact, so that remediation procedures can be initiated. Mature organisations invest heavily in both technical security controls and in security awareness training for their staff. They are also beginning to invest heavily in pro-active intelligence gathering about their own organisations and people, to identify and remove information online that could be used by an attacker. However, these controls can sometimes be limited in their effectiveness against a spear phishing attack that leverages weaknesses in the security controls of a partner or supplier.
Most organisations conduct some form of due-diligence on their third parties as well as in the annual/bi-annual assessment of the security postures via some form of audit. Third parties are also contractually bound to follow certain procedures to communicate and remediate an identified breach. While these are all necessary and useful controls, as spear phishing rates increase and as attackers target and focus on the smallest and most innocuous of suppliers and partners, the onus on both small organisations to tighten their security posture, and on larger organisations in assuring the security of their suppliers and contractors increases. More mature organisations may in fact benefit from supporting their less mature partners and suppliers in improving their security posture, rather than following a mandate and audit approach. Smaller organisations that can demonstrate mature security levels are also likely to benefit as they will be more attractive partners for larger organisations as the threat of spear phishing continues to grow.
Phishing is one of the most devious forms of identity theft and it is important that you to become familiar with various types of scams as well as to learn how to guard against them. Talk to 7Safe’s Cyber Security experts to learn what you can do to protect your (and your customer’s!) confidential data https://www.7safe.com/about-us/contact-us.