Spear phishing – what is it and how can you combat it?

Clare Hopping

Wednesday 22 July 2015

One of the most successful scamming techniques on the internet today, spear phishing plays on the personal touch, and that makes it that much harder to spot. Is your organisation still leaving itself open to such an attack?

Spear phishing isn’t a particularly new phenomenon, but the means by which anyone can access private information – whether through social media, your own company website or other platforms – have multiplied. Such attacks have therefore become easier to carry out and more prevalent.

Spear phishing is a targeted variation on ordinary phishing. The victim receives an email from an attacker that asks for information or requires them to click on a link or open an attachment. What makes spear phishing more insidious, and crucially more effective, than a generic attack is that the message is tailored to its recipient and usually appears to come from someone they know: a manager, the company CEO or anyone else close to the organisation.

It’s therefore important to make sure your organisation has the right processes in place to stop it becoming the victim of such an attack, and that starts with educating your staff.

Education is key

“The most important thing is to understand the threat itself. When staff are better educated about the risk that spear phishing emails can pose, they can spot them and protect their business from infection,” says Simon Walsh, Trend Micro enterprise security director.

“Members of staff should be briefed to watch for any suspicious emails. If an individual does open a message of this kind, they must not open any attached documents or links contained in that message.”

“Staff should also look at their social media activity to ensure that their posts aren’t giving away too much about them. It’s all information that can be used to piece together a scam,” Walsh continues.

What to do if you receive a suspected spear phishing email

If you do receive a suspicious email, don’t open it, let alone reply to it. Pick up the phone to check with the apparent sender that the message is genuine and, at the risk of seeming overly cautious, don’t be afraid to ask questions about its purpose before you click on anything in it.

“Often phishing attacks try to drive us to respond before we have time to stop and think,” Greg Day, VP and CTO of EMEA at FireEye explains. “Nothing is typically that urgent, so sit back, read it over and think about how you action it.”

Don’t confuse trust in a colleague with trust in an email that appears to come from them. Attackers are often able to spoof a trusted identity within your organisation, or steal one by compromising an account, and thereby create the illusion of legitimacy. Again, if in doubt, contact the colleague in person, over the phone, by text or via a collaboration platform, if your company uses one, rather than by replying to the email, since a reply to a spoofed message goes to the attacker.

If you suspect the address might have been spoofed, view the full email headers rather than the summary your mail client shows. Check that the address in the From header matches the name being displayed, that any Reply-To header doesn’t point somewhere else, and, if your mail server records them, that the Authentication-Results (SPF, DKIM and DMARC) show a pass rather than a fail. Bear in mind that a From address is trivial to forge, so a matching From line on its own proves nothing.

“Look at what they are asking you to do,” Day adds. If they ask you to click on a link, for example, is the link OK? When you hover over it, does the web address it actually points to match what the link text claims, and is it a site you would expect?

“If they are sending you a file, is this a normal thing for them to do? If you can’t validate whether links or embedded files are going to cause you or the business harm, then don’t click or open them,” Day advises.
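The header and hover-over-the-link checks described above can be done mechanically. The following is an added example, not code from the article or from Trend Micro or FireEye. It reads a raw message with Python’s standard email parser and reports a display name that shows a different address than the real sender, a Reply-To on another domain, SPF/DKIM/DMARC failures stamped by the receiving server, and any link whose visible text names one host while its href goes to another. The sample message, its addresses and its domains (reserved example.* names) are constructed for the demo.

```python
"""Mechanical triage of a suspected spear-phishing email.
Added example, not code from the article or from Trend Micro/FireEye.
It flags: a display name showing a different address than the real
sender; a Reply-To on another domain; SPF/DKIM/DMARC failures stamped by
the receiving server; a link whose visible text names one host while the
href goes to another. The sample message is constructed for the demo.
"""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name is the CEO's real address, but the
# real sender and the link target sit on a look-alike domain (reserved
# example.* names, not real ones).
SAMPLE = """\
From: "jane.doe@example.com" <ceo.office@example-corp.net>
Reply-To: finance.desk@mail-relay.example.org
To: accounts@example.com
Subject: Urgent: approve wire transfer today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.net; dkim=none; dmarc=none header.from=example-corp.net
Content-Type: text/html; charset="utf-8"

<p>Please approve the payment here:
<a href="http://portal.example-corp.net/login">https://portal.example.com/approve</a></p>
"""

FAILED = {"fail", "softfail", "permerror", "temperror", "policy"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
LOOKS_LIKE_HOST = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+", re.I)


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_sender(msg) -> list:
    if not msg["From"]:
        return ["no From header"]
    sender, findings = msg["From"].addresses[0], []
    # Clients often show only the display name, so an address hidden there
    # that differs from the real one is a strong spoofing signal.
    shown = re.search(r"[\w.+-]+@[\w.-]+", sender.display_name)
    if shown and shown.group(0).lower() != sender.addr_spec.lower():
        findings.append(f"display name shows {shown.group(0)} but sender is {sender.addr_spec}")
    if msg["Reply-To"]:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            findings.append(f"Reply-To {reply.addr_spec} redirects replies away from {sender.domain}")
    return findings


def check_auth(msg) -> list:
    """Read the SPF/DKIM/DMARC verdicts your own mail server stamped on the message."""
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return ["no Authentication-Results header: sender was never authenticated"]
    return [f"{m.lower()}={v.lower()} recorded by the receiving server"
            for h in headers for m, v in AUTH_RE.findall(str(h)) if v.lower() in FAILED]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the hover tooltip versus what the reader sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(msg) -> list:
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    # Only compare when the visible text itself claims a host; "click here" claims nothing.
    return [f"link text says {_host(text)} but goes to {_host(href)}"
            for href, text in collector.links
            if LOOKS_LIKE_HOST.match(text) and _host(text) != _host(href)]


def triage(raw: str) -> list:
    """Return the red flags found in a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw, policy=default)
    return check_sender(msg) + check_auth(msg) + check_links(msg)


if __name__ == "__main__":
    for flag in triage(SAMPLE) or ["no red flags found"]:
        print("-", flag)
```

Note what the sample shows: the look-alike domain passes SPF, because the attacker controls it and published a record for it. Authentication results tell you the mail really came from the domain in the address; they do not tell you that domain is the one you think it is, which is why the display-name and link checks matter as well.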

Using software as a barrier

If you’re using email security software that protects against phishing attacks, make sure it’s always up to date. Security software vendors often release updates whenever a new threat is uncovered and there’s no excuse not to roll this out to your entire organisation.

If you are able to, configure your mail domain so that messages claiming to come from it but not sent by your own servers are rejected. The standard way to do this is to publish an SPF record listing the servers allowed to send for your domain, sign outgoing mail with DKIM, and publish a DMARC policy of reject, so that any mail server that checks those records, including your own inbound servers, refuses email pretending to be from your organisation rather than delivering it. Note that this only protects your own domain: a look-alike domain registered by the attacker will pass these checks, so staff still need to read the sender’s address carefully.
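What the receiving side of that configuration actually decides, as an added example (not code from the article or from any vendor it names): a published SPF record is evaluated against the connecting IP, and the domain’s DMARC policy is then applied to the visible From domain. The DNS records are constructed and held in a dict so the code runs offline; only the ip4, ip6 and all SPF mechanisms are implemented (include, a and mx need DNS), DKIM is taken as a pre-computed result, and the organisational-domain comparison is a simplification of the public-suffix lookup real DMARC uses.

```python
"""Receiving-side rejection of mail that claims to be from your domain but
did not come from your servers: SPF (which IPs may send for the domain)
plus DMARC (what to do with the From: domain when SPF/DKIM do not align).
Added example, not code from the article or any vendor named in it. The
DNS records are constructed; include/a/mx SPF mechanisms, DKIM signature
verification and the public-suffix list are simplified away.
"""
import ipaddress
import re

# Constructed records, as you would publish them in DNS:
#   example.com.        TXT "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
#   _dmarc.example.com. TXT "v=DMARC1; p=reject; aspf=s"
# Kept in a dict so the example runs without DNS lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mailfrom_domain: str, client_ip: str) -> str:
    """Evaluate the domain's SPF record for the connecting IP.

    Supports ip4/ip6/all only; include:, a: and mx: need DNS and are
    reported as permerror in this offline demo.
    """
    record = DNS_TXT.get(mailfrom_domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return "none"                       # no SPF published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIER[qual]
            except ValueError:
                return "permerror"
        else:
            return "permerror"              # mechanism not supported offline
    return "neutral"                        # RFC 7208: no match and no 'all'


def org_domain(domain: str) -> str:
    # Simplification: real DMARC uses the public-suffix list here.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(header_from: str, mailfrom_domain: str, spf_result: str,
                      dkim_domain: str = "", dkim_result: str = "none") -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for the From: domain."""
    record = DNS_TXT.get("_dmarc." + header_from.lower(), "")
    if not record.startswith("v=DMARC1"):
        return "none"                       # no policy published: accept
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", record))

    def aligned(auth_domain: str, mode: str) -> bool:
        if mode == "s":                     # strict: exact domain match
            return auth_domain.lower() == header_from.lower()
        return org_domain(auth_domain) == org_domain(header_from)

    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def should_accept(header_from: str, mailfrom_domain: str, client_ip: str) -> tuple:
    """The decision an inbound MTA makes; the message is taken as unsigned (no DKIM)."""
    spf = spf_check(mailfrom_domain, client_ip)
    verdict = dmarc_disposition(header_from, mailfrom_domain, spf)
    return verdict != "reject", f"spf={spf} dmarc={verdict}"


if __name__ == "__main__":
    # Your own server, inside the published range: accepted.
    print(should_accept("example.com", "example.com", "192.0.2.10"))
    # Someone spoofing your domain from an IP you never published: rejected.
    print(should_accept("example.com", "example.com", "203.0.113.7"))
```

The second assertion in the test below is the important one for this section: mail that passes SPF for the attacker’s own domain still fails DMARC, because that domain is not aligned with the spoofed From header, so the reject policy applies.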

Use a different password for every service you use, so that a password harvested by one phishing page cannot be reused against your other accounts. If you struggle to keep track of them, use a password manager; that way you only need to remember the master password rather than one for every service.

Create your own ‘human firewall’

Spear phishing attacks are often very well crafted, and the fact that the sender appears to be someone you know makes it all the more likely that you’ll fall into the trap.

To avoid your company falling prey to an attack, beyond assiduously maintaining and deploying all the relevant security software, try to create your own ‘human firewall’ by educating employees about what to look out for.