Email phishing is a serious security issue plaguing companies. Simply put, phishing emails carry a malicious link or attachment, and the malware is delivered when someone clicks the link or opens the attachment. The messages are typically disguised as communication from a reputable institution, such as a bank or PayPal, making it easy to fall prey to them if you don’t know what inconsistencies to look for. Spear phishing is a more targeted type of email phishing scam, and while it operates on a similar level to phishing, there are important differences to understand in order to remain safe.
Spear phishing vs email phishing
Like regular email phishing, spear phishing involves an email being sent to a group or individual including a malicious link or attachment that, if clicked, installs malware on the recipient’s device. Such emails can also direct targets to a webpage masked as a reputable site that tricks them into giving personal information like passwords or credit cards.
Familiarity is the main thing that differentiates spear phishing from other email phishing scams while also making spear phishing harder to detect. The hacker takes the time to gather information about the intended target, which is usually a select group or individual versus a large number of people. The attacker is then able to personalize the messaging to a greater degree, usually by making the sender look like a co-worker or a personal contact. By targeting a single person or small group, hackers are also able to include more personal types of information in the email body, making the sender appear more trustworthy. There’s even a subset of spear phishing called whaling, in which the attacker uses these same familiarity tactics to specifically target those at the C-level or above.
In general, the success of a spear phishing email depends on three things: the email sender must be a known, trusted individual to the receiver; the information in the email must be personal enough to appear genuine; and the action the sender requests must appear logical (for example, it should not ask the recipient to send money to a Nigerian prince).
How to prevent spear phishing attacks
As the defining feature of a spear phishing attack is its level of personalization, it’s important that businesses protect themselves by limiting would-be attackers’ access to employee information. Here are some tips to help prevent attacks:
- Do not post employee email addresses on the company website. Web forms are a safer alternative for the public to communicate with your employees.
- Regularly scan the internet for exposed email addresses or credentials. You’d be surprised where information ends up.
- Advise employees on the dangers of putting too much personal information on professional social sites such as LinkedIn. In fact, this is a good rule of thumb for any social site.
- As always, educate your users on the danger of phishing. Conduct regular training sessions that teach employees how to spot phishing emails by looking at suspicious email domains and links, awkward or strange email content, and suspicious information requests.
It’s important to remember that no reputable source should use email to ask for sensitive personal information such as passwords or financial details. If you think an email could be real, pick up the phone and call the sender to verify the request. Attackers count on their targets not checking information requests thoroughly, so taking a few moments to do so could save a lot of phishing-related time and headaches down the road.
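The warning signs listed above (a sender domain that does not match the person or brand the message claims to be from, a lookalike domain, a Reply-To pointing elsewhere, links whose visible text names one site while the href points to another, and pressured requests for credentials) can be turned into simple heuristic checks. The script below is an added example, not code from the original post or from any product it describes; the organisation domain `example-corp.com`, the two sample messages, and every address and URL in them are constructed for illustration.

```python
"""Heuristic spear-phishing indicators over a raw RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation domain(s); any other sender domain is "external".
TRUSTED_DOMAINS = {"example-corp.com"}

# Phrases that typically accompany a pressured request for credentials or money.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account", "password", "wire transfer")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lowercase domain part of an address header value ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, trusted: str) -> bool:
    """True if `domain` resembles `trusted` without being it (examp1e-corp.com,
    example-corp-secure.com). Crude on purpose; real gateways use richer lists."""
    if domain == trusted:
        return False
    return trusted.split(".")[0] in domain or _edit_distance(domain, trusted) <= 2


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    reply_domain = domain_of(str(msg.get("Reply-To", "")))

    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"external sender domain: {from_domain}")
        for trusted in TRUSTED_DOMAINS:
            if looks_like(from_domain, trusted):
                findings.append(f"lookalike domain: {from_domain} resembles {trusted}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Prefer the HTML part so anchors can be compared; fall back to plain text.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", text.lower())
        if shown and shown.group(0) != href_host:
            findings.append(f"link text shows {shown.group(0)} but points to {href_host}")

    lowered = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("pressure/request language: " + ", ".join(hits))
    return findings


# Constructed sample: lookalike sender, foreign Reply-To, mismatched link, urgent request.
SUSPICIOUS = """\
From: "Dana Reyes (IT Helpdesk)" <dana.reyes@examp1e-corp.com>
Reply-To: helpdesk@mail-recovery.net
To: jordan@example-corp.com
Subject: Urgent: password reset required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Jordan, your password expires today. Verify your account immediately at
<a href="http://login.mail-recovery.net/reset">https://portal.example-corp.com/login</a>.</p>
<p>Thanks, Dana</p></body></html>
"""

# Constructed sample: ordinary internal mail that should raise nothing.
CLEAN = """\
From: "Dana Reyes" <dana.reyes@example-corp.com>
To: jordan@example-corp.com
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Jordan, are you free at noon tomorrow? Menu is at https://cafe.example-corp.com/menu.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, "->", analyze(sample) or ["no indicators"])
```

Each finding maps to one of the tips in the training bullet above, so the same checks can serve as a teaching aid during awareness sessions or as a first-pass filter ahead of a proper mail gateway. None of them prove an email is malicious on their own; the point, as the post says, is that any one of them should prompt a phone call to the purported sender before acting on the request.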
The purpose of this blog is to answer the questions you ask! For more information about our security and managed services, please feel free to contact us today! For other news around business security, check out these blog posts!