The idea of using a spear to phish (fish) hearkens back to ancient days, when rod, reel and line were yet to be invented. You can only imagine that fishing in those days did not resemble the serenity of today’s fishing trips. Anciently, such fishing was done in shallow waters without worms or flies. The fisherman used his instincts and experience to locate existing spots where fish would congregate and his keen eye and refined skill to pierce the fish, one at a time. It was strenuous work and frequently fraught with disappointment. This imagery has been chosen as a metaphor for an unfortunate new development in the fight to keep information safe. We’ll discuss ways to keep your information safe from spear phishing but first let’s identify the threat as it now appears.
Just as ancient spear fishing involved targeting one fish at a time, a very specific attack, Spear Phishing identifies the location, as it were, and weaknesses of one specific person or group of people to attack. This differs greatly from the typical Phishing attacks we have seen, which could be aptly compared to fishing with a large net; a technique which results in catching all types of fish, more or less indiscriminately. Possibly, the reason this sort of threat has not existed in the past is that hackers are getting better at obtaining the information required for such attacks. It also might be that companies are getting better at eliminating vulnerabilities, making such tactics more desirable among the undesirables who perpetrate them.
Spear Phishing attacks generally consist of emails sent to specific persons or groups who have access to proprietary systems and information belonging to a company or organization. The emails are different, in that they are not as easy to detect. One person might receive an email which has company logos and a certain amount of inside information accompanied by an opportunity to click on a link. We all know to avoid clicking on links in emails, even from friends and family but an email which looks like it genuinely comes from your employer and is received in your work email address is far more likely to be trusted. The content of the email may provide any one of many ways to get you to click on the link. It might invite you to verify your contact information as a routine company database update or to request access to some new proprietary system needed to do your job. The more inside information the perpetrator can obtain the more effective the attack will be.
The link is nothing new. It will download a virus to your computer and possibly to your company’s systems or it might send you to a legitimate-looking site where your personal information will be requested, including work logins and passwords. The nefarious goal is to get your information or to infiltrate or damage your employer’s systems. This new situation is troubling, particularly to those of us who receive numerous business emails daily and frequent system updates to comply with. Fortunately, there are some simple things you can do to keep you and your employer safe.
As with most prevention plans the first step is education. These Spear Phishers will target the weakest link or links in an organization, so every single person needs to be educated on the risks and what to look for. Without education, most other efforts will be limited and incomplete to varying degrees. It will be up to each company to determine the best ways to mitigate the threat and then to train the employees on how to identify suspicious emails. For instance, most companies periodically remind all employees that any email requesting work passwords would not come from the company itself and therefore would be from some other source. All employees need to exercise a little healthy paranoia regarding emails.
I’m afraid the other remedies to the problem are likely to come from your employer itself. This effort will probably take a few forms. First, every company should identify some hard and fast rules, such as the one I indicated above, regarding work passwords. Some rules could include making sure links are not sent in company emails, making any link a red flag. Second, enhanced firewalls and other software should be used to block outside threats wherever possible. Georgia Tech is working on specialized software intended to combat spear phishing, though the price of the software might make it less of an option for smaller businesses. Third, many companies try to keep the most important information, including customers’ personally identifiable information and proprietary systems on separate networks not accessible to most employees and not open to outside access. This is similar to keeping some assets in a vault to which only a few have the code. Limiting access to systems is a good way to reduce risk!
As with the ancient practice of spear fishing, keeping safe from Spear Phishing is a matter of knowledge and vigilance. Just as fish become leery of certain signs associated with the fisherman’s hook or spear, companies and employees can become aware of the threats posed by today’s spear phishers.
For more information, read Georgia Tech’s article: