Spear Phishing and What You Need to Know

The current prevalence of spear phishing

According to the 2019 Verizon Data Breach Investigations Report, an estimated 43% of breaches in 2019 involved small business victims, with the rest spread across financial, healthcare, public sector and other organizations. The number of breaches could be reduced if more internet users were aware of the practice of spear phishing.

So, what is it? General ‘phishing’ is an email that tries to trick users into taking an action that benefits the attacker, such as following a link, opening an attachment, disclosing credentials or sending money. ‘Spear phishing’ is phishing aimed at a specific individual or organization. Using information gathered from public sources (company websites, social media, press releases) and other vectors, a scammer crafts a convincing message for a high-value individual (e.g. the CEO, an IT admin, or someone in accounts payable).

In an infamous 2015 attack, a scammer impersonated the CEO of Ubiquiti Networks Inc., emailed a targeted user in the accounting department, and requested transfers totaling over $39 million to accounts the criminal controlled.

A scam still running in 2020 works the same way against Office 365: the target receives an email asking them to open a OneDrive or SharePoint file. The enclosed link leads to a fake O365 login page that captures whatever credentials are typed in, and the attacker then replays them against the real service. Given how much an O365 account holds, that can expose personal or customer data, financials and, through the victim’s mailbox and file shares, potentially a business’s entire environment.

Everyone is a potential target of a spear phishing attack

You, your employees, and your entire organization are potential targets. You are targeted because of the information you have access to, whether you log in to a bank account at home or handle clinical records, financials, or sensitive client data at work. A seemingly innocuous link or attachment can install keystroke-logging software, giving the attacker the passwords for every account used on that device.

Training your employees now can save millions

No matter how fool-proof your security controls seem, if your employees don’t understand phishing they can inadvertently help facilitate a breach. Malicious actors pose as internal employees and ask for sensitive information, or as a reputable outside party such as a bank or government agency. You and your employees should be aware of these schemes. Consider the information your business has access to, and estimate the time and cost incurred if a malicious actor obtained it, or if ransomware spread across your entire network.

Know the signs of a phishing email

Because malicious actors attack through what appears to be a legitimate email, here are some ways to spot a phishing scam:

  • Don’t trust email display names – The display name is free text chosen by the sender, so it can read “Company CEO”, “Accounting” or the name of your bank while the actual address is something else entirely. Look at the address in the angle brackets, and at the Reply-To address if one is set.
  • Check for look-alike email domains – Attackers register domains that are slightly different versions of the real thing: a substituted letter (examp1e.com), an extra word (mail-example-secure.net) or a different top-level domain.
  • Review links carefully – Hover over the link text without clicking. If the real destination differs from the link text, or points at a site you don’t expect, it may be malicious.
  • Be cautious of unexpected attachments – Malicious attachments, especially documents that ask you to enable macros or content, can install malware and infect your machine.
  • Watch for poor spelling and grammar – This may be an indicator that it’s not a legitimate message, though a well-crafted spear phishing email is often error-free, so its absence proves nothing.
  • Know what applications and services your company uses – If your company doesn’t use SharePoint, an email asking you to open a SharePoint file is suspect on its face.
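The header and link checks in the list above can be automated at the mail gateway or in a triage script. The following Python program is an added example written for this page, not Intrinium’s tooling or the page’s own code; it uses only the standard library to parse two constructed sample messages and flag a display name on an untrusted address, a look-alike sender domain, a Reply-To that differs from From, and link text whose domain does not match the real href. The TRUSTED_DOMAINS set, both sample messages and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
"""Flag the spear-phishing indicators from the checklist in a raw email message."""
import difflib
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation legitimately uses (assumption; replace with your own).
TRUSTED_DOMAINS = {"example.com", "sharepoint.com", "onedrive.live.com"}

# Constructed sample: display name claims to be the CEO, the sender domain swaps
# "l" for "1", Reply-To goes elsewhere, and the link text hides a different href.
SAMPLE_EML = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: payments@mail-example-secure.net
To: accounts@example.com
Subject: Urgent: review shared invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice I shared and wire the payment today.</p>
<p><a href="http://login-o365-verify.net/auth">https://example-my.sharepoint.com/invoice.pdf</a></p>
</body></html>
"""

# Constructed benign message: trusted sender, link text and href agree.
CLEAN_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: accounts@example.com
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><body><p>Report: <a href="https://example-my.sharepoint.com/q1.pdf">https://example-my.sharepoint.com/q1.pdf</a></p></body></html>
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels (assumption: no multi-part public
    suffixes such as .co.uk; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None. A domain imitates a
    trusted one if it is nearly identical (examp1e.com) or embeds the trusted brand
    label inside a different registration (mail-example-secure.net)."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        brand = t.split(".")[0]
        near_identical = difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8
        if near_identical or brand in domain:
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of (indicator, detail) findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    from_domain = registered_domain(sender.domain)
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(("untrusted-sender", f'"{sender.display_name}" <{sender.addr_spec}>'))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike-sender-domain", f"{from_domain} imitates {imitated}"))

    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = registered_domain(reply_to.addresses[0].domain)
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"{reply_domain} != {from_domain}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = registered_domain(urlparse(href).hostname or "")
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and registered_domain(text_host) != href_domain:
                findings.append(("link-text-mismatch", f"text {text_host} -> href {href_domain}"))
            if href_domain not in TRUSTED_DOMAINS:
                findings.append(("untrusted-link", href))
            imitated = lookalike_of(href_domain)
            if imitated:
                findings.append(("lookalike-link-domain", f"{href_domain} imitates {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_EML):
        print(f"{code:24} {detail}")
```

Run against SAMPLE_EML the script reports the untrusted sender, the look-alike domain examp1e.com, the Reply-To mismatch, the link whose text names sharepoint.com while the href goes to login-o365-verify.net, and the untrusted link itself; CLEAN_EML produces no findings. The similarity ratio and the brand-label test are deliberately crude: tune the threshold against your own mail and keep the trusted list short, since every extra entry is another brand an attacker can imitate.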

Need Help Preparing?

Your employees are potential targets, so train them to be aware of phishing threats and help mitigate risk for your business. You can assess the knowledge of your internal team with test phishing campaigns. Intrinium has been an innovator in social engineering and penetration testing for more than 10 years, including performing phishing campaigns that test the awareness of your employees. To learn about how Intrinium can perform risk assessment for your business, contact us today.
