What do you think is the greatest threat to your company’s cybersecurity? Would you say weak passwords? Unsecured WiFi? Unsafe usage of IoT devices? Those are some pretty good guesses, but the top security threat to your company’s system is you.
Email “phishing” attacks are still among the top cybersecurity threats to companies of all sizes. You may be thinking, “I don’t click on anything that wasn’t sent directly to me,” but that wisdom is still no defense against one of the most prevalent cybersecurity schemes: spear phishing.
“How is spear phishing different from regular phishing?”
The difference between a typical phishing scheme and a spear-phishing scheme is the precision of the attack.
Much like a fisherman drops a baited line and waits for whatever fish happens to swim by, classic phishing occurs when an attacker sends out many emails containing links to malicious software to a broad group — whether that is a particular company or the contact list of their latest victim. When a recipient interacts with the email, their system typically becomes infected unless preventative measures are in place. While scary, many people would recognize an old-fashioned phishing email if it landed in their inbox. In fact, most of the dead giveaways of a bulk phishing email are typically caught by your email client.
Spear Phishing Definition
As the name implies, spear phishing is a style of cyber-attack where the attacker targets a specific individual victim instead of whoever happens to take the bait. A nautical spear fisherman doesn’t just fill the sea with spears, hoping to hit a fish. They take their time, looking to find a fish worth pursuing. They know where the fish can be found and how they behave. Much like the actual nautical spear fisherman, an online spear phishing attacker has a good amount of knowledge about their specific target.
Spear phishing has become increasingly easy for attackers because of the wealth of information available about the average person online. From social media accounts to company website profiles and more, a spear phisher is armed with enough knowledge to attack victims through familiarity.
Spear phishers use details about the victim’s life that the victim assumed only friends, family, co-workers, personal banks, healthcare providers or even government agencies would know about them. When targets let their guard down, that’s when the threat is able to get their victim to divulge information or allow access to a malicious stranger they assume is legitimate.
“How do I protect myself against a spear-phishing attack?”
It's easy to feel helpless against spear phishing in this day and age. Who are we to trust? Here are some quick tips to help protect you against a spear-phishing attempt.
Even if an email sender looks familiar, double-check the address.
A favorite spear-phishing technique is to disguise the true sender’s email address to avoid suspicion. Emails asking you to follow links or submit sensitive information may be phishing schemes sent from familiar-looking addresses. Double-check that the email address truly belongs to the person the sender claims to be. When in doubt, simply call the phone number you already have on file for them, or one listed on the organization’s official website. Never use the phone number provided by a suspected spear phisher.
Don’t send confidential information over email.
Most companies, banks, healthcare providers, or government agencies will never request that you submit sensitive data via email. Even if there is a link provided to visit a website to submit such requested information, remain skeptical. Hover over any links before clicking on them to make sure they are hyperlinked to a website address you know to be correct. Again, when in doubt, call ahead.
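The two checks above (does the sender’s real address match who the display name claims to be, and does a link’s visible text match where it actually points) can be automated on the receiving side. The script below is an added example and not part of the original article; it runs on two constructed sample messages, and the trusted domain `acme-bank.example` is an assumption standing in for an organization’s real domain.

```python
"""Flag two spear-phishing tells in a raw email message:
1. the display name invokes a trusted brand, but the From address domain is not trusted;
2. a link's visible text shows one domain while its href points at another.
Added example, not from the article. Sample messages and domains are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain(s); anything else is untrusted.
TRUSTED_DOMAINS = {"acme-bank.example"}

# Constructed sample: brand name on an unrelated address, plus a link whose
# visible text is the bank's URL while the href goes to a different domain.
SUSPICIOUS_EMAIL = b"""From: "Acme Bank Support" <security@acme-bank-secure.example>
To: alice@example.com
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your details here:
<a href="https://acme-bank.example.attacker-site.example/login">https://www.acme-bank.example/login</a></p>
<p>Or visit <a href="https://www.acme-bank.example/help">our help page</a>.</p>
</body></html>
"""

# Constructed sample of a legitimate message for comparison.
CLEAN_EMAIL = b"""From: "Pat Chen" <pat.chen@acme-bank.example>
To: alice@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Log in at <a href="https://www.acme-bank.example/">www.acme-bank.example</a>.</p></body></html>
"""

URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.I)


def registrable_domain(host):
    """Crude 'last two labels' reduction (no public-suffix list), enough for the demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of (finding_kind, detail) tuples for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Tell 1: display name borrows a trusted brand, address domain is not trusted.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0].replace("-", " ")  # "acme-bank" -> "acme bank"
            if brand in name.lower():
                findings.append(("sender_domain_mismatch",
                                 f"'{name}' but address domain is {sender_domain}"))

    # Tell 2: what the link shows versus where it really goes (the "hover" check).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = registrable_domain(urlparse(href).hostname or "")
            if URL_LIKE.match(text):
                shown = text if "://" in text else "http://" + text
                shown_domain = registrable_domain(urlparse(shown).hostname or "")
                if shown_domain != href_domain:
                    findings.append(("link_text_mismatch",
                                     f"text shows {shown_domain}, href goes to {href_domain}"))
            if href_domain and href_domain not in TRUSTED_DOMAINS:
                findings.append(("untrusted_link_domain", href_domain))
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(sample))
```

The domain reduction deliberately keeps only the last two labels, so `acme-bank.example.attacker-site.example` resolves to `attacker-site.example` rather than being fooled by the trusted name appearing as a subdomain; a production filter would use a public-suffix list and also compare the `Reply-To` header against `From`.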
When in doubt, double-check on your end.
If you receive a request from a familiar bank, government agency, or other organization requesting you to take any action that may put sensitive data at risk (for example, a request for you to update your password), do not initially engage with the email. Instead, reach out to the organization through the contact details you know to be correct (a phone number on your bank card or health insurance card, etc.) to verify that this request came from them.
Watch what you post online.
This is as good a time as any to reassess not only your behavior on social media but also your security settings. Limit posting personal details that can be used by spear phishers in later attacks. Thoroughly examine the privacy settings of your social media accounts. There’s a good chance that more information about you is available for anyone to acquire than you thought. Periodically search for yourself online to see what is available.
Always assume you’re being phished.
Until an email sender can successfully prove that they are who they claim to be, the safest thing you can do is simply assume that every request for sensitive information is a phishing scheme. Being proactive and vigilant against cybersecurity threats greatly decreases your chances of falling victim.