Spear Phishing: Tricking one employee at a time
Business email has emerged as the most common phishing vector, and recent statistics bear this out.
According to Cisco, spear phishing constituted 65% of all phishing attacks that took place worldwide in 2021. Around 79% of organizations reported business email compromise or similar techniques in 2021. One of the biggest challenges organizations face today is to keep data secure and defend against sophisticated cyber-attacks. Fraudsters now use tactics designed to win trust, which makes employees more vulnerable to spear phishing.
Let's look at what spear phishing is and why it is high time organizations took serious action against it.
What is spear phishing?
Spear phishing takes a targeted, granular approach to a phishing attack. It involves sending tailored emails to employees of a specific organization in order to extract confidential information from people who have legitimate access to it. By creating a sense of urgency, these emails push employees to share sensitive information, which the fraudsters then misuse in numerous ways, including carrying out unauthorized financial transactions.
The key element in the whole process is personalization, which leads employees to believe that the message is genuine. Other elements, such as a time limit for supplying the information, are used to further confuse and pressure the targets.
But why would an employee respond to a mail simply because it states their name and asks for a piece of confidential information? Let's take a look.
How does spear phishing work?
The process begins with social engineering: the fraudsters conduct preliminary research on the target employee, their job role and personal details such as date of birth, typically through social media accounts. Beyond the name, the research may go as far as naming the individual's previous employer in order to build trust.
Using this information, a highly personalized email is drafted from a spoofed or look-alike address so that the employee believes the source is legitimate and from within the organization. The mail contains a malicious link which, when clicked, may either install malware on the target's device or redirect them to a convincing fake web page built for the fraud.
The emails may also contain links to survey forms or password-protected documents that ask the user to fill in details, including their work login and password. Because the employee has been addressed by first name and with company-specific information, they end up handing confidential data to the attackers.
The sense of urgency is created by setting a deadline for the requested action, with the threat of legal charges, account shutdown or financial loss if it is missed.
How to protect against spear phishing?
1. The first preventive step against phishing within the organization is to ensure that all applications, internal software and operating systems are up to date and free of malware. Any red flag in this area must be dealt with seriously.
2. It is important to educate employees about the phishing attacks they are susceptible to and, most importantly, about the difference between genuine and fake mail. For example, if an employee regularly receives emails from [email protected] but one day gets an email from [email protected], they must be trained well enough to report this to the cybersecurity team.
3. Organizations can restrict the kind of professional information employees may share on their private social media accounts. This reduces the risk of falling prey to the social engineering tactics employed by fraudsters.
4. Deploying anti-phishing tools, or onboarding vendors who offer such solutions, is a useful way of detecting and blocking phishing activity.
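The sender-address check in point 2 and the urgency cues described above can be turned into a simple triage rule for the security team. The following is an added example, not code from the original article: it scores constructed sample emails against an assumed internal domain, a list of previously seen senders and a few urgency phrases, flagging unknown senders, look-alike domains, mismatched Reply-To addresses and pressure language.

```python
"""Score raw email text for spear-phishing indicators (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's real domain, the senders the
# employee normally hears from, and a few urgency phrases worth flagging.
INTERNAL_DOMAIN = "example-corp.com"            # placeholder organisation
KNOWN_SENDERS = {"finance@example-corp.com"}
URGENCY_CUES = ("immediately", "within 24 hours", "account will be closed",
                "legal action", "deadline")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (e.g. 'l' swapped for '1')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> list[str]:
    """Return the indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = from_addr.rpartition("@")[2].lower()
    findings = []
    if from_addr.lower() not in KNOWN_SENDERS:
        findings.append(f"sender {from_addr} not previously seen")
    if domain != INTERNAL_DOMAIN and 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"look-alike domain {domain}")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To points to a different domain: {reply_to}")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    if any(cue in body.lower() for cue in URGENCY_CUES):
        findings.append("urgency language in body")
    return findings


# Constructed samples: one routine internal mail and one spear-phishing attempt.
SAMPLE_LEGIT = """From: Finance Team <finance@example-corp.com>
To: employee@example-corp.com
Subject: Monthly expense report

Please submit your expense report by the end of the month. Thanks.
"""
SAMPLE_PHISH = """From: Finance Team <finance@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: employee@example-corp.com
Subject: Urgent: overdue invoice

Hi Alex, the attached invoice must be paid immediately or legal action will follow.
"""
```

Run `score_message(SAMPLE_PHISH)` to see all four indicators fire, while the routine mail returns an empty list; in practice the rule would feed a mail gateway or SIEM alert rather than block on its own.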