Spear phishing, also referred to as whaling, is used to target organisations or businesses in order to obtain personal information for fraudulent purposes. Unlike ordinary phishing scams, these targeted attacks are specific to an organisation or business and are carried out with a precise outcome in mind.
It has been years since the first phishing scams were used to snag the unsuspecting victim, yet these scams remain common and very effective today, even though people are more aware of them. Unlike phishing scams that send out emails in the millions (in the hope that someone bites), spear-phishing scams (as the name suggests) are specialised and targeted, backed by sufficient resources, and much more challenging for the organisation to spot.
The scam entails a substantial amount of in-depth research into the target organisation or business, combining technology and social engineering. The attacker's research often covers the organisation's structure, how it operates and employee information, so that the scam comes across as real as possible. Social media is making it a lot easier for attackers to obtain all the information they require to pull off a successful scam. Spear phishing is a greater threat than organisations may expect and is likely to continue to grow.
Organisations are concerned about these scams, and many are trying to put security measures in place to counter such attacks. Nevertheless, even with precautionary measures such as antivirus and anti-spam software and email gateways set up, organisations are still falling victim. A recent investigation confirmed that within the last three years about 7000 companies have been attacked, and the successful scams have cost these organisations £520 million.
Many of the large breaches that have recently taken place started with a spear-phishing email. Email is the main means of communication within organisations, which makes it a simple route for attackers to use. It does not take much effort to fake a sender address, and with that the attacker is one step closer to the goal.
Phishing scams are happening and are on the rise. Organisations are rightfully concerned and know that they need to have the proper security in place, but what further steps can organisations take to improve their chances of not being caught out by these highly sophisticated and effective scams?
Know your cyber security status
Organisations should be on guard; it is no longer a case of if you fall victim but rather a case of when. The first step for the organisation is to come to grips with and fully understand its cyber security status, so that urgent action can be taken where weaknesses are found. Without this vital understanding the organisation will be unable to manage the risks properly and is likely to experience a problem. With continuous change happening in both threats and controls, understanding and managing the cyber security status is no longer something that should happen annually or even quarterly; it should be a real-time process that is continuously evaluated and acted upon.
Organisations must evaluate the following:
- Level of cyber security risk from the threat faced
- Risk tolerance level of the organisation
- Plan of action or management approach to keep the risk at or below the tolerable level
- Responsibility plan
Manage the risk
An attack is usually successful when a gap is present in the cyber security risk management system. This could be a security gap in the people, technology or process component. It could also be that a component is insufficient or fails for one reason or another.
We know that spear phishing is a highly targeted form of attack; its success rate is mostly due to how close to reality the scam is, so it often goes unrecognised until it is too late.
It is essential that all employees are aware of how the scam works so that they have a better chance of spotting one. Technology can be used to help secure the organisation; however, technology alone is not enough. It is very necessary to train employees and users and to make sure that they are always alert and aware of the potential danger.
The general working of a spear phishing scam
The attacker's aim is to steal company information or credentials, deploy malware or steal money.
The scammer sends a highly personalised email. The email seems to come from a trusted source, and the email address used looks, at first glance, the same as other addresses frequently used within the organisation; on closer inspection it can be seen that this is not the case, but employees are not likely to pick this up easily.
The scammer's aim is to create a sense of urgency: the email will often pertain to an urgent matter that requires critical action, thus taking priority over everything else.
An employee opening the email sees a message from a colleague or a trusted source they regularly deal with, demanding that they take urgent action. This often involves the recipient following a link to a fake website; because they are unsuspecting and nothing has so far appeared out of place, the convincing site is the next step in the scam.
To the employee the site looks and feels authentic, and they continue to act on the urgent request by entering company information and/or passwords or providing financial details. Alternatively, the email may require you to download an attachment which places malware on your computer that can log activity, allowing the scammer to access your company information.
At this point the scam has only just been initiated: the attacker has a foot in the door and has acquired the information needed to further the attack, which more than likely will culminate in a breach. A breach is detrimental to the organisation and could involve loss of data, substantial financial implications, legal ramifications and damage to the reputation of the organisation.
Know the warning signs
- Be aware of the tactics often used: impersonation, enticement and the bypassing of access controls.
- You receive an urgent email that you are not expecting, requesting you to take urgent action, often relating to a customer service complaint or legal issue: take caution.
- Take extra care when looking at the sender's address. It may look similar but not identical to a known one, or it may be one that you do not recognise.
- Look out for incorrect spellings, vocabulary used incorrectly, and similar mistakes.
- The email contains a link to a site or an attachment. It appears authentic, complete with logos and branding.
- You are requested to take urgent action, often involving entering company or personal information or financial details, making a payment or downloading software.
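The sender-address warning sign above can be checked mechanically rather than by eye. The following script is an added example and is not code from the original article: it compares the domain in a From: header against a small list of the organisation's own domains and flags lookalikes (confusable characters such as "1" for "l" or a Cyrillic "а", small edit distances, or a trusted name embedded in an unrelated domain), and also flags a display name that mentions a trusted domain the message was not actually sent from. The trusted domains, the sample headers and the edit-distance threshold are all constructed for the demo; a real deployment would use the organisation's own domain list and run this alongside SPF/DKIM/DMARC checks at the mail gateway.

```python
"""Flag spear-phishing warning signs in a message's From: header.

Added, illustrative code; not from the original article. The trusted
domains, sample headers and distance threshold are constructed for the demo.
"""
from dataclasses import dataclass, field
import unicodedata

# Constructed: domains the organisation really sends mail from.
TRUSTED_DOMAINS = ("example-corp.com", "examplecorp.co.uk")

# Substitutions used to imitate Latin letters (a small, constructed subset).
CONFUSABLES = {
    "rn": "m", "vv": "w",                      # two letters that read as one
    "0": "o", "1": "l", "3": "e", "5": "s",    # digits that resemble letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def normalize(domain: str) -> str:
    """Lower-case, drop accents and map confusable characters to plain ASCII."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # longest keys first
        d = d.replace(src, CONFUSABLES[src])
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split 'Display Name <user@domain>' (or a bare address) into its two parts."""
    header = header.strip()
    if "<" in header and header.endswith(">"):
        name, addr = header.rsplit("<", 1)
        return name.strip().strip('"'), addr[:-1].strip()
    return "", header


@dataclass
class Verdict:
    sender_domain: str
    flags: list = field(default_factory=list)


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Return the sender's domain and every warning sign found in the header."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    verdict = Verdict(domain)
    if domain in trusted:
        return verdict  # one of ours; whether it was really sent by us is for SPF/DKIM/DMARC

    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        label = t.split(".")[0]  # the brand part of the domain, e.g. "example-corp"
        if norm == tn:
            verdict.flags.append(f"confusable characters imitate {t}")
        elif levenshtein(norm, tn) <= max_distance:
            verdict.flags.append(f"lookalike of {t} (edit distance {levenshtein(norm, tn)})")
        elif label in norm:
            verdict.flags.append(f"trusted name {label} embedded in unrelated domain {domain}")

    for t in trusted:  # display name claims a trusted address the mail did not come from
        if t in name.lower():
            verdict.flags.append(f"display name mentions {t} but message is from {domain}")
            break
    return verdict


if __name__ == "__main__":
    # Constructed sample headers, one per warning sign plus two harmless ones.
    samples = [
        "Jane Doe <jane.doe@example-corp.com>",
        "Jane Doe <jane.doe@examp1e-corp.com>",
        "Jane Doe <jane.doe@example-corp.co>",
        "IT Helpdesk <helpdesk@example-corp.com.support-portal.net>",
        '"ceo@example-corp.com" <ceo.example.corp@webmail-free.example>',
        "orders@widgets-ltd.example",
    ]
    for s in samples:
        print(f"{s!r:70} -> {check_sender(s).flags or ['no warning signs']}")
```

The normalisation step is deliberately aggressive ("rn" becomes "m" everywhere), which is why both the sender's domain and the trusted domain are normalised before comparison; the cost is a few false positives on legitimate domains that contain such sequences, which is the right trade-off for a warning that a human then reviews. A legitimate external supplier's domain produces no flags at all; the script only reacts to addresses that try to look like the organisation's own.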
Precautionary measures the organisation can take
- Know your cyber security status and continue to maintain and manage it in real-time.
- Understand the risks posed by the various components (people, technology and processes) and aim to ensure that no gaps are present.
- Educate all employees. Ensure that they know what the scam entails, what to look out for, which precautionary processes to follow, how to react and, if they unfortunately fall victim, how to respond (a plan of action should be documented and followed to help minimise the damage caused and to remain legally compliant).
- Make it procedure that employees never follow links or download attachments in emails from an unfamiliar sender.
- Refrain from using the contact details provided in the email. Verify the sender's identity by calling the organisation directly, using contact details obtained from an independent source.
- Make sure the website is genuine. Look for the icon (padlock or key) in the browser showing that the site is secure.
- Ensure that your organisation's network, computers and mobile devices are appropriately secured, that security is maintained and that security software is kept up to date.
- Be careful when deciding what information you post to social media. Scammers use this publicly available information for spear-phishing and whaling scams. Consider the level of risk associated with the information you choose to make public and determine whether that risk is tolerable to the organisation.
- Dispose of documents, data, devices and anything else holding information in a secure and appropriate manner, to avoid the data getting into the wrong hands and being used fraudulently.
- Use encryption: encrypt your communications and make it common practice to send encrypted communications within the organisation, so that an email out of the ordinary is easily noticed. Encrypt your documents and data in transit as well as in storage.
- It is important that organisations use the right mix of technologies. Third-party technologies from multiple providers, used in a layered approach, are essential.
- The layered security approach must provide the visibility, insight and control required to manage and reduce the risk of attack.
- Use cutting-edge technology solutions.
- Include DNS security.
- Be sure not to overburden employees and users with security systems, as this may lead to them evading the controls, which is not a good outcome. It is important to get the balance right.
Spear phishing is usually carried out for financial gain, for control of your resources, or to obtain trade secrets or highly sensitive information. The attack that follows a successful entry into an organisation's environment is usually substantial. These attacks are not random but high-level targeted attacks with a high success rate. A layered technology security approach should be used for best results. Furthermore, it is essential that organisations aim to convert employees from a threat vector and attack target into a line of defence. This can only be achieved through training. Tackling such cyber attacks depends on a secure environment as well as a change in user behaviour. It is essential to get the balance right.