IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image

Spear-phishing: Don’t be the ‘Catch of the Day’

Wed, 26th Dec 2012
FYI, this story is more than a year old

Phishing is nothing new, but it's far from old news.

Phishing emails are designed to look like they come from a trusted source and extort personal information, which gets used in a criminal or fraudulent way.

Phishing is mass volume, small pockets of money, adding up to a handsome gain for the bad guys. At first, success rates were high, but as most of us have become better at identifying a phish, success rates have greatly reduced.

So, what's different about spear-phishing?

Spear-phishing techniques are highly targeted, and increasingly being used as the initial wave in more sophisticated malware attacks.

Typically, spear-phishing emails have four common factors:

1. The email pretends to be from a trusted source, often a figure of authority, making it even more pressing for the recipient to open the email.

2. The information in the email is relevant to both the alleged source and the recipient, making it highly targeted.

3. It contains a seemingly valid request for the user to take action e.g., to open an attachment or click on a link. This request is in context with the content of the email.

4. The email is targeted, so is sent out in much lower volumes compared to traditional phishing attacks, making it harder to detect.

Today, the vast majority of targeted attacks start with a spear phish; without the right security in place, users could be unwittingly opening the door to confidential data theft.

Avoid being duped

Dealing with spear-phishers depends on awareness. Every employee should be brought up to speed on what spear-phishing is.

They need to cast a critical eye over emails and avoid clicking on links that could lead to an infected site. If in doubt, users should always type URLs into a browser rather than click on them straight from an email.

To support education, many organisations use fictitious emails to see which users click on the contained links.

Those who do can be taken to training materials about trying to spot a spear phish.

Employers should repeat the process to keep awareness high and employees cautious. In addition, remember to re-educate those who continue to get duped.

The means to an end

Remember that spear-phishing is a means to an end; the ultimate goal is to obtain confidential data. And let's be clear, no security solution can stop 100% of these threats.

While targeted attacks have evolved in frequency and sophistication, many security defences have failed to adapt.

The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defences.

Avoid spear-phishers: five key strategies to avoid becoming the ‘catch of the day':

• Security: Adopt a unified strategy that integrates web, email, and data security. Consider home users and mobile devices and layer defences to optimise protection.

• Protection: Communicate best practices to users to protect online identities, lock down Facebook profiles and make sure passwords are strong, changed frequently and not used for multiple online accounts.

• Education: Make sure users can spot a spear phish.

• Acceptance: Accept that you are a potential target no matter what your role or level in the organisation. You are a potential security hole and an opportunity for a criminal to gain entry.

• Reputation: Question the reputation of a link and don't assume it's safe to click on. Just because an email looks like it comes from a reputable source, doesn't mean it has.

If in doubt, don't open attachments and instead of clicking links that could redirect you a compromised website, type the URLs into the browser.

Follow us on: