8 Ways to Avoid Spear Phishing
Phishing is an attack designed to trick end-users into giving away confidential information, typically by sending an email posing as a legitimate organization (like a financial institution) and linking to a website disguised as one associated with that institution. Spear phishing is a more sophisticated version of phishing that takes these attacks to the next level. Instead of sending mass communications to a large group of people, spear phishing specifically targets individuals using personal information such as geographic location, recent purchases, or a list of colleagues to make their requests seem more believable.
Why Spear Phishing?
Spear phishing is becoming increasingly common because these attacks are harder to identify than traditional phishing attacks. The e-mails and phone calls are more personalized, so more people fall into the trap.
What do these attacks look like? As one example, you may be a PC user who gets a phone call from someone claiming to be from Microsoft who needs to resolve an issue with the latest Windows update. Another example is one of your finance team members receiving an email from “you” asking them to pay the attached invoice right away.
Social Media and Company ‘About Us’ Pages
Your social media profiles are an asset to spear phishing attackers. The more personal information you make publicly available, the more these attackers can personalize their communications to you and pose as a reputable contact. LinkedIn profiles and the company’s ‘About Us’ page also show who works at the company, and attackers can start to connect the dots regarding employees and their managers.
Preventing Spear Phishing Attacks
Defending against attacks like this requires a multi-layered approach. Make sure you have the following in place:
- A robust and properly configured spam filter
- A credible anti-virus program that receives its updates from the cloud (rather than relying on updates applied locally on your computer)
- The ‘junk email’ filter turned on within your email client
- A web proxy server (to help block malicious websites that distribute malware, and also to provide encryption so that your data is not easily exposed)
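The invoice scenario above (an email from “you” to the finance team) is exactly what a mail filter should catch: a colleague’s display name paired with an outside address, a Reply-To diverted elsewhere, and urgent wording next to an attachment. The following is an added example of such a check, not code from the original article or from any product it mentions; the staff directory, domains and sample messages are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed directory of staff whose names an impersonator might borrow
# (hypothetical names and domains, not taken from the original article).
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAINS = {"example-corp.com"}
URGENCY_WORDS = ("right away", "urgent", "immediately", "asap")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return the reasons a raw RFC 5322 message resembles an executive-impersonation lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    display, addr = parseaddr(str(msg.get("From", "")))
    known = INTERNAL_DIRECTORY.get(display.strip().lower())
    # A colleague's display name paired with an address that is not theirs.
    if known and addr.lower() != known:
        reasons.append(f"display name '{display}' with foreign address {addr}")
    # Replies silently routed to a different external mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower() and _domain(reply_to) not in INTERNAL_DOMAINS:
        reasons.append(f"Reply-To diverted to external address {reply_to}")
    # Urgent wording together with an attachment: the 'pay this invoice now' pattern.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(p.get_filename() for p in msg.iter_attachments()) and any(w in text for w in URGENCY_WORDS):
        reasons.append("urgent wording combined with an attachment")
    return reasons

def build_samples() -> tuple[str, str]:
    """Constructed lure and constructed legitimate message, both as raw message text."""
    lure = EmailMessage()
    lure["From"] = "Jane Doe <jane.doe.ceo@freemail.example>"
    lure["To"] = "finance@example-corp.com"
    lure["Reply-To"] = "payments@other-freemail.example"
    lure["Subject"] = "Please pay the attached invoice right away"
    lure.set_content("Hi, this must go out before end of day. Thanks, Jane")
    lure.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                        subtype="pdf", filename="invoice.pdf")
    legit = EmailMessage()
    legit["From"] = "Jane Doe <jane.doe@example-corp.com>"
    legit["To"] = "finance@example-corp.com"
    legit["Subject"] = "Q3 budget notes"
    legit.set_content("Notes attached next week, no action needed today.")
    return lure.as_string(), legit.as_string()

if __name__ == "__main__":
    suspicious, clean = build_samples()
    print(check_message(suspicious))  # three reasons
    print(check_message(clean))       # []
```

Each flagged reason maps to a control the list above already asks for (spam filtering, junk-mail rules), so the same logic can sit in a mail gateway rule or a post-delivery triage script.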
Additional tactics that will help prevent a successful attack:
- Avoid listing email addresses of employees on your website (use a web form instead)
- Ask your Managed IT Service Provider to regularly scan the dark web for exposed email addresses and/or credentials (and use complex passwords that are changed often)
- Remind your end-users about the dangers of leaving all kinds of personal information on social media sites.
- Ask your Managed IT Service Provider to provide security awareness training combined with pre- and post-simulated phishing testing to make sure end-users keep IT security top of mind. Since 91%* of successful attacks use spear-phishing to get in, this will get you by far the highest ROI for your security budget. [*According to TrendMicro.]
What to Do if You’ve Been Attacked
Spear phishing attacks continue to become more sophisticated, and mistakes can happen. If you are caught in an attack, what can you do to mitigate the damage? The first step is to contact a highly certified Managed IT Service and/or Managed IT Security Provider. At Parachute, we are your trusted technology resource. We will help figure out exactly what was stolen by the hackers and help to unwind the damage that was done.