One of the most common methods cybercriminals use is so-called phishing: a cyber attack focused on getting access to someone’s computer system, its passwords, credit card data, bank accounts or other sensitive corporate information that could bring the attackers easy money. To get this information, cybercriminals use email, social media, and any other form of communication they can to gain access to and steal valuable data. You can find more about the broader term phishing in our previous article.
One specific type of cyber attack used by criminals is spear-phishing. The target of a spear-phishing attack is a specific individual or business. The attack is prepared by acquiring personal details about the victim, such as their hometown, employer, locations they frequently visit and any other online activity, or, when the target is a business, information about its business activity, payment methods, style of communication and business associates. The main goal is to deceive the target into clicking a link or downloading malware, or into initiating an undesired action such as a wire transfer. Spear-phishing messages are crafted to address the victim specifically, to appear to come from an entity the victim is familiar with, and to contain specific, detailed personal information. Spear-phishing requires more research and time than phishing. The perpetrators try to obtain as much personal information about their victims as possible to make the emails they send look legitimate, thus increasing their chance of fooling recipients. Because of the personal data included in the emails, spear-phishing attacks are more difficult to identify than ordinary phishing attacks, which are aimed at a much broader audience. This is the reason why spear-phishing attacks are becoming more widespread.
Businesses are most vulnerable to spear-phishing attacks because much of their company data is public and freely available online. This makes the hacker’s job of gathering the information needed for a phishing attack a piece of cake. The official website of a company and the social networks it is connected to, like Facebook, LinkedIn and Twitter, are full of detailed information about the company’s activity, its CEOs, managers, employees, customers, etc. In a spear-phishing email, these details available online help the perpetrators write their message in such a way that it deceives the recipient enough to convince them to click the malicious link. Once the malware is downloaded, the hackers are ready to capture sensitive internal-only data, gaining free access to the corporate network to steal intellectual property and corporate data or, even worse, to easily redirect a payment to a criminal bank account.
Knowing how to protect ourselves online is becoming more and more important nowadays. We share personal information even more than we know or want. In an evolving world full of technology, every company is obligated to ensure that its employees are well prepared against cyberattacks. Rule Number One is never to open emails from senders you don’t know. While working, we get into the habit of clicking and opening every single email we receive, but this is exactly what criminals are waiting for. This is the reason most of the scams succeed. When you receive a deceptive email you don’t even pay attention to the small details that are changed, like misspelled domain names and typos in the sender’s address. This is costing businesses around the world millions of dollars. Worldwide, there is not one single solution that manages this kind of attack. Well, fortunately for all of us, we’ve created a free tool that can handle this troublesome situation. Our Chrome extension makes business email communication much more reliable and secure. Education is another important factor. Every company must educate its employees about the different types of cyberattacks and what to pay attention to when exchanging business emails. Senior management, key staff, and financial teams MUST be educated about the effects of spear-phishing and whaling attacks and how to spot them. These employees must be trained to spot the common characteristics of phishing attacks like spoofed senders, unrequested attachments, or spoofed hyperlinks.
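The indicators listed above (misspelled domain names, typos in the sender’s address, spoofed senders and spoofed hyperlinks) can also be checked mechanically before a message reaches a person. The Python script below is an added example written for this article; it is not the free Chrome extension mentioned here and not code from its authors. The trusted-domain list, the table of confusable characters, the similarity cutoff and the sample message are all constructed for illustration.

```python
"""Heuristic checks for look-alike sender domains, display-name spoofing and
hyperlinks whose visible text points somewhere other than their real target.
Constructed example; not the extension described in the article."""
import difflib
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains this organisation actually does business with.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Common character substitutions used to build look-alike domains (assumed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain):
    """Fold confusable characters so 'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, cutoff=0.85):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best, best_score = None, 0.0
    for t in trusted:
        # Exact match after folding confusables beats a plain edit-similarity score.
        score = 1.0 if normalize(domain) == normalize(t) else difflib.SequenceMatcher(None, domain, t).ratio()
        if score > best_score:
            best, best_score = t, score
    return best if best_score >= cutoff else None


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname named by a URL or bare domain in visible link text; None if the text is not one."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 822 message (empty if nothing is suspicious)."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} looks like trusted {imitated!r}")
    # Display-name spoofing: a trusted domain in the friendly name while the address lives elsewhere.
    for t in sorted(TRUSTED_DOMAINS):
        if t in name.lower() and sender_domain != t:
            findings.append(f"display name mentions {t!r} but address is at {sender_domain!r}")
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown, real = host_of(text), urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(f"link text shows {shown!r} but points to {real!r}")
    return findings


# Constructed sample: a "changed bank details" lure with a typo-squatted sender domain,
# a display name that is itself a trusted-looking address, and a disguised hyperlink.
SAMPLE = """\
From: "accounts@bank-example.com" <payments@bank-examp1e.com>
To: finance@example-corp.com
Subject: URGENT: updated bank details for invoice 4471
Content-Type: text/html; charset=utf-8

<p>Please pay to the new account today. Confirm at
<a href="http://login.bank-examp1e.com/verify">https://bank-example.com/verify</a></p>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("WARNING:", finding)
```

Run as a script, it prints three warnings for the constructed message: the look-alike sender domain, the trusted address hiding in the display name, and the link whose visible text disagrees with its real target. The checks are deliberately simple heuristics; they complement, and do not replace, the human habit of confirming changed payment details out of band.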
Another key factor is practice. Employees must regularly be put through simulated whaling attacks to test their knowledge and awareness. These small steps will significantly improve the safety of the business process.
For additional online security you must adhere to these simple steps:
When you receive an email with changed details (bank accounts, phone numbers, location, addresses, recipients, etc.), always double-check and personally contact the sender to confirm the changes, using a phone number you already have on file rather than one given in the email. This means you have to put your fear of speaking with someone on the phone aside, pick up the phone and make a simple call.
The goal of the attackers is to make employees overlook the changes. Almost always, emails like these carry an obvious sense of urgency: an urgent reply, an urgent transaction or a specific urgent instruction that must be carried out. In this way the employee has no time to react and think the changes over.
Keeping yourself safe is hard. I’ll allow myself to rephrase Bruce Lee by saying that we should pay great attention to the words one uses in day-to-day communication with others. Stay sharp and don’t let yourself be tricked.