How to protect your business against spear phishing
Posted on 2 Jan 2013 at 13:16
Phishing attacks have evolved, so small businesses need to adapt their defences to stay safe, says Davey Winder
Most people are aware of “phishing” attacks: scams initiated via email or on social networks with the aim of getting you to hand over your personal details. However, the scattergun approach of phishing is becoming more miss than hit, as user education improves and the chances of finding a gullible “mark” among the mass mail out decreases. So these phishermen are now looking to more targeted attacks, known as spear phishing. If you run a small business, you and your employees are firmly within the cross-hairs, and your data is at risk.
Spear phishing defined
Tod Beardsley is the Metasploit engineering manager at Rapid7, and he defines spear phishing as “an attack characterised by phishing tactics, such as an email sent to the target with a ‘click here’ call to action that compromises the victim's computer – however, the email is specialised against that particular target”.
“Think of ‘phishing’ as casting a wide net of identical emails, where ‘spear phishing’ is an attack that might call out the victim by name and appear to come from some place the victim is familiar with,” he explains.
Spear phishing is far more likely to exploit zero-day vulnerabilities in client software than general phishing scams ever did, since the targets are few and the chance that any of them reports the attack to a security vendor is low. This means the valuable zero-day exploit stands a better chance of remaining undetected in the wild for longer.
Spear phishing by numbers
A survey of 603 UK small businesses in 2012 on behalf of AVG discovered that between January and April, when payments to tax and revenue agencies are at their highest, spear-phishing emails are especially prevalent.
The most common fraudulent messages were designed to appear as if they have come from banks or financial institutions, and only 30.5% of SMBs surveyed would think twice about clicking on a link directing them to the HMRC. 56.9% of the SMBs had received fraudulent emails asking for money, 36.8% had received fake tax rebate emails and 12.3% had been directed to a fake government web page.
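The indicators described above (a ‘click here’ call to action, a sender posing as a bank or HMRC, and a link whose visible text names a different site from the one it actually points to) can be turned into a simple mailbox triage check. The Python script below is an added example written for this article, not code from PC Pro, AVG or Rapid7; the institution-to-domain allowlist, the wording patterns and the two sample messages are all constructed assumptions, and the `.example` domains are placeholders.

```python
"""Heuristic triage of a raw email for the spear-phishing indicators the
article describes. Added example, not from the article; the allowlist,
wording patterns and sample messages are constructed for illustration."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: which sender domains an organisation trusts for an
# institution named in a display name. Populate from local policy.
TRUSTED_DOMAINS = {
    "hmrc": {"hmrc.example"},
    "bank": {"bank.example"},
}

# Assumed call-to-action wording typical of the lures described above.
CALL_TO_ACTION = re.compile(r"\bclick here\b|\bverify your account\b|\burgent\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lowercase host of a URL (or bare text that looks like one), minus 'www.'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def score_message(raw: bytes) -> dict:
    """Return the sender address, a list of findings and a score (one point each)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Indicator 1: display name claims a familiar institution, domain does not match.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    for keyword, domains in TRUSTED_DOMAINS.items():
        if keyword in display_name.lower() and sender_domain not in domains:
            findings.append(f"display name claims '{keyword}' but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""

    # Indicator 2: 'click here' style call to action in the body.
    if CALL_TO_ACTION.search(text):
        findings.append("call-to-action wording in body")

    # Indicator 3: link text names one host while the href points at another.
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        shown = host_of(visible) if "." in visible else ""
        if shown and shown != host_of(href):
            findings.append(f"link text shows {shown} but points to {host_of(href)}")

    return {"from": address, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real mail).
SAMPLE_SPEAR = b"""From: HMRC Tax Rebate <refunds@hmrc-refunds.example>
To: finance@smallbiz.example
Subject: Tax rebate due to your company
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Finance Team,</p>
<p>A rebate is waiting. Please <a href="http://hmrc-refunds.example/claim">click here</a>
or visit <a href="http://hmrc-refunds.example/claim">www.hmrc.example/refund</a>.</p>
</body></html>
"""

SAMPLE_LEGIT = b"""From: Accounts <accounts@supplier.example>
To: finance@smallbiz.example
Subject: Invoice 1042
Content-Type: text/plain; charset=utf-8

Hi, invoice 1042 is attached as agreed. Regards, Accounts.
"""

if __name__ == "__main__":
    for label, raw in (("spear", SAMPLE_SPEAR), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(label, result["score"], result["findings"])
```

Run as-is, the constructed rebate lure scores three findings (institution name versus sender domain, ‘click here’ wording, and a link whose visible text names a different host from its target) while the plain supplier invoice scores none. A score is only a prompt for a human to look closer; in practice the allowlist would come from the organisation's own list of trusted senders and the check would sit alongside, not instead of, staff education.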
The small business is a prime target simply because spear phishing, which devotes larger resources to smaller target groups, looks for high potential value to the attacker. Although larger enterprises are attacked, it’s a mistake for small businesses to think they’re not a target. This common misconception means they’re less likely to be looking for spear attacks, less likely to have the defences in place to protect against them, and less likely to have invested in staff education programmes.
The attacker will already have a profile of your business and specific staff members who have access to bank account information, customer information or other high-value data for corporate espionage purposes. As Tod Beardsley puts it: “if I'm a penetration tester and spear phishing is in scope, I’ll go after your lead developers and get access to your proprietary source code.”
Bit9's CTO Harry Sverdlove points a finger towards the explosion of social media – both within the business sphere and, of course, with the staff making good use of the BYOD trend.
“Cybercriminals have taken notice that we live in an interconnected world, where information is too easily traded and shared by the terabytes on Facebook, LinkedIn, Twitter, Instagram and more,” he says. “This free and open access to personal data provides the perfect opportunity for a cyberhacker to infiltrate almost any organisation. Let’s say you want to target a small company. In minutes, you can view its key employees from the company’s website, find the names of their friends or co-workers from their Facebook and LinkedIn profiles, and find out their current interests or projects from their Twitter feed. That’s all a cybercriminal needs to launch a targeted attack, to construct a spear-phishing email.”
The simple truth of the matter is that almost every major breach or cyber-espionage campaign against companies that makes the news has begun life as a simple spear-phishing email. “It takes only one poor trusting soul for the attacker to then leverage well-known techniques to establish back doors, steal passwords, and siphon data,” says Sverdlove.