Kylie Addision Sabra
October 18, 2019
Spear Phisher is one of the more erudite of the phishing fleet. We briefly met a few members of the crew in a previous article. Unlike Jane, who blows people out of the water by the millions with her dynamite phishing techniques, Spear takes a more calculated approach. Like a master detective, he’s watching and listening and he knows exactly where to aim the tip of his spear.
He seeks sensitive, salable information, which he often comes by as a result of data breaches. He’s a big fan of social media where people gladly share personal information with total strangers. Armed with these details, he deceives key employees into divulging information that allows him to access corporate secrets and finances.
Spear Phishing Feeds off Previous Data Breaches
Social media breaches are prime fishing grounds for Spear. He gains a clear picture of people’s roles within an organization. He sees who supports them and what kinds of information they may have access to. If you have been a victim of a data breach, you might soon receive a visit from Mr. Phisher.
He has always liked senior executives and their assistants, and according to Verizon's 2019 Data Breach Investigations Report, C-level executives are now the most frequently targeted group. He is after your login credentials, and he has a tackle box full of lures to get them, impersonating anyone from a trusted assistant to an executive in order to pry information out of the IT crew. Spear Phisher also targets lower-level employees in the hope that they lack adequate training in how to recognize and respond to his phishing attempts.
He is not content with his counterparts' menial (his word) pursuit of credit and debit card numbers. He wants inside knowledge of pending mergers and acquisitions, fodder for the inside trader. He is looking for product development plans that can be sold to rival companies or even rival nations.
Small Business Is an Attractive Target
Think you are too small to be of interest to a spear phisher? The hacking world has evolved, and entry is easy thanks to "how to" articles and videos, available on the Dark Web, that put YouTube handyman tips to shame. Whereas breaking into a big business requires the skills of a more sophisticated hacker, small businesses are a relatively easy target.
The losses suffered by big business are staggering, but usually recoverable in time, and with deep pockets they have time. Small businesses can scarcely afford the potential fines levied for exposing clients' personal information. Nor can they survive the loss of new-product plans that could have been the next billion-dollar venture. But there is another loss that is even more devastating: the loss of their clients' trust.
Avoiding Spear Phishing Lures
While email filtering does not offer 100% security, it is still an important tool.
Institute a company-wide data security training program.
Teaching your staff about the latest threats (including spear phishing), how to recognize them and how to respond is your best line of defense.
Have clear and actionable security processes.
Phishers love finding out that your company has no BYOD (bring your own device) policy. Personal laptops, USB drives and phones that your IT team does not manage provide easy entry into your inner sanctum. Adopt a zero-tolerance policy: unmanaged personal devices do not connect to the corporate network or handle corporate data.
Develop and enforce a password security policy.
Use a password manager that generates long, random passwords and stores them, so that every account gets a unique password and a credential exposed in one breach cannot be replayed against another.
Require multi-factor authentication (MFA). A one-time code sent by text or email adds a layer beyond the password, but a phisher who has lured you to a lookalike login page can relay that code in real time along with your password. Prefer an authenticator app or, better still, a hardware security key (FIDO2/WebAuthn), whose response is bound to the genuine site and cannot be replayed from a fake one.
Require a password change whenever compromise is suspected or a breach exposes credentials. Current guidance (NIST SP 800-63B) advises against forcing routine periodic changes, which tend to produce weaker, predictable passwords; screening new passwords against lists of known-breached passwords does more good.
Continually monitor your network.
Scrupulous monitoring, including of logins from unfamiliar locations or devices and of newly created mail-forwarding rules on a mailbox, can reveal a compromised account before the phisher puts it to use.
Ensure you are using the latest software updates.
Software updates are about far more than bringing you the latest interface; they are in large part about closing security weaknesses. Over time, hackers discover and exploit flaws in software, and once a fix is published the flaw is public knowledge. Failure to install updates promptly leaves you exposed to attacks on weaknesses that are already well understood.
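As an added example (not code from the original article), the following Python script shows the kind of check an email filter can run for the impersonation tactics described above: it parses the From and Reply-To headers and flags a message whose display name matches a known executive while the address is external, whose sender domain is a lookalike of the company domain (a homoglyph swap or a one-character typo), or whose Reply-To would route the conversation to a different domain. The company domain example.com, the executive names and the three sample messages are all constructed for illustration.

```python
"""Flag spear-phishing indicators in e-mail headers.

Added example for this article, not code from the original post.
Assumptions (all constructed for illustration): the company domain is
example.com, the executives are "Dana Rivera" and "Sam Ortiz", and the
sample messages below are made up.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"             # assumed corporate domain
EXECUTIVES = {"dana rivera", "sam ortiz"}  # assumed names impersonators borrow

# Characters commonly swapped into lookalike domains (homoglyphs).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize_domain(domain: str) -> str:
    """Map common homoglyph substitutions back to plain letters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so that a
    single typo or a swapped pair of letters both count as distance 1."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)   # transposition
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]


def is_lookalike(domain: str) -> bool:
    """True if domain imitates the corporate domain without being it."""
    d = domain.lower()
    if d == COMPANY_DOMAIN:
        return False
    if normalize_domain(d) == COMPANY_DOMAIN:
        return True                                  # e.g. examp1e.com
    return edit_distance(d, COMPANY_DOMAIN) <= 1     # e.g. exmaple.com


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return the indicator names triggered by the message headers."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name borrows an executive's name, but the address is external.
    if " ".join(from_name.lower().split()) in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive-display-name-external-sender")

    # 2. Sender domain is a lookalike of the corporate domain.
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")

    # 3. Replies would go to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "legit": (
        "From: Dana Rivera <dana.rivera@example.com>\n"
        "To: it-helpdesk@example.com\n"
        "Subject: Laptop refresh\n\n"
        "Can you confirm the schedule?\n"
    ),
    "display_name_spoof": (
        "From: Dana Rivera <dana.rivera.ceo@gmail.com>\n"
        "Reply-To: dana.rivera.ceo@gmail.com\n"
        "To: it-helpdesk@example.com\n"
        "Subject: Urgent: reset my password\n\n"
        "I'm travelling, send the temporary password to this address.\n"
    ),
    "lookalike_domain": (
        "From: Sam Ortiz <sam.ortiz@examp1e.com>\n"
        "Reply-To: finance-desk@mailbox-relay.net\n"
        "To: ap@example.com\n"
        "Subject: Wire for the acquisition\n\n"
        "Details attached, keep this confidential.\n"
    ),
}


def scan_samples() -> dict:
    """Run the checks over the constructed samples."""
    return {name: analyze(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'no indicators'}")
```

The legitimate message triggers nothing; the Gmail message trips only the display-name check, and the examp1e.com message trips all three. In production the executive list would come from the directory, the lookalike check would also cover registered brand domains, and a hit would quarantine or tag the message rather than merely print a list.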