Phishing attacks are designed to steal your credentials or trick you into installing malicious software, and they still exist because they are so devastatingly simple and effective. But as with most things, they evolve over time and unfortunately become even more effective.
A phishing attack involves an attacker sending out a malicious email to millions of users. The email is specifically designed to look like it comes from a legitimate source, like a bank, utility service or even the tax office. The aim is to trick the user into logging into a fake online service and then capture the user's login details so the attacker can use them later to enter the genuine service.
By sending out a massive number of emails, attackers can guarantee that even if only 0.5% of people fall for it, there is still a lot of profit to be made. Spear phishing is a more modern and more sophisticated method that is far more dangerous, as it typically targets an individual person or business.
Spear Phishing – A More Dangerous Attack
While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is much more targeted and precise. The attack is aimed at convincing a single business, department or individual that a fraudulent email or website is genuine.
The attacker usually starts by building a relationship and establishing trust with the target. Once the target is convinced that the attacker is who they are pretending to be, the target is more likely to open attachments, follow links or provide sensitive details.
Consider how many times you have opened an attachment or followed a link just because it has come from someone you trust.
A “Trusted” E-mail
For example, a malicious email can appear to have been sent from a vendor you deal with regularly or may even look like an invoice you are expecting to receive. The attackers can even substitute the vendor's banking details for their own and hope the target will not notice the difference.
Such an attack can be difficult to detect. It takes a keen eye and constant awareness to keep your company protected. A single small mistake by an unaware member of staff can compromise your business accounts in a second.
Defending Your Business
A key way to help stop a spear phishing attack is education. Teaching staff the attack techniques and how to protect against them is the single biggest thing you can do to improve business security.
Whenever you deal with a vendor in a business transaction, you should always consider important questions before proceeding:
- Are you expecting this email?
- Is the vendor attempting to rush you into a quick decision or transaction?
- Have you checked that all the details are correct and as you expected?
Sometimes a simple phone call to the vendor can protect you against the worst-case scenario.
IT security hardware and software can also help prevent malicious emails and links from entering the network and shut down attacks before any damage can be done.
Good Security Practice
As with many types of IT threat, good security practices help mitigate damage. These practices include:
- Locking down security to ensure employees only access the systems they need helps to prevent damage spreading across the network.
- Enforcing unique and strong passwords prevents leaked credentials from affecting systems related to the one that has been compromised. A good password management tool can help with this greatly. Check out our other blog post here on password security.
- Training your staff on common phishing techniques and general security policies.
If you are in Adelaide, South Australia, then contact us to arrange an audit of your security practices. It could be the difference that protects your company against sophisticated spear phishing attacks.