Skip to navigation
Enterprise
How to protect your business against spear phishing

How to protect your business against spear phishing

Posted on 2 Jan 2013 at 13:16

Phishing attacks have evolved, so small businesses need to adapt their defences to stay safe, says Davey Winder

Most people are aware of “phishing” attacks: scams initiated via email or on social networks with the aim of getting you to hand over your personal details. However, the scattergun approach of phishing is becoming more miss than hit, as user education improves and the chances of finding a gullible “mark” among the mass mail out decreases. So these phishermen are now looking to more targeted attacks, known as spear phishing. If you run a small business, you and your employees are firmly within the cross-hairs, and your data is at risk.

Spear phishing defined

Tod Beardsley is the Metasploit engineering manager at Rapid7, and he defines spear phishing as "an attack characterised by phishing tactics, such as an email sent to the target with a ‘click here’ call to action that compromises the victim's computer – however, the email is specialised against that particular target”.

“Think of ‘phishing’ as casting a wide net of identical emails, where ‘spear phishing’ is an attack that might call out the victim by name and appear to come from some place the victim is familiar with," he explains.

Spear phishing is far more likely to implement zero-day vulnerabilities in client software than general phishing scams ever did, since the targets will be limited and the chances of them reporting the attack to a security vendor quite low. This means that the valuable zero-day exploit stands more chance of remaining undetected in the wild for longer.

Spear phishing by numbers

A survey of 603 UK small businesses in 2012 on behalf of AVG discovered that between January and April, when payments to tax and revenue agencies are at their highest, spear-phishing emails are especially prevalent.

The most common fraudulent messages were designed to appear as if they have come from banks or financial institutions, and only 30.5% of SMBs surveyed would think twice about clicking on a link directing them to the HMRC. 56.9% of the SMBs had received fraudulent emails asking for money, 36.8% had received fake tax rebate emails and 12.3% had been directed to a fake government web page.

The small business is a prime target simply because spear phishing, which devotes larger resources to smaller target groups, looks for high potential value to the attacker. Although larger enterprises are attacked, it’s a mistake for small businesses to think they’re not a target. This common misconception means they’re less likely to be looking for spear attacks, less likely to have the defences in place to protect against them, and less likely to have invested in staff education programmes.

The attacker will already have a profile of your business and specific staff members who have access to bank account information, customer information or other high-value data for corporate espionage purposes. As Tod Beardsley puts it: "if I'm a penetration tester and spear phishing is in scope, I’ll go after your lead developers and get access to your proprietary source code."

Bit9's CTO Harry Sverdlove points a finger towards the explosion of social media – both within the business sphere and, of course, with the staff making good use of the BYOD trend.

"Cybercriminals have taken notice that we live in an interconnected world, where information is too easily traded and shared by the terabytes on Facebook, LinkedIn, Twitter, Instagram and more,” he says. “This free and open access to personal data provides the perfect opportunity for a cyberhacker to infiltrate almost any organisation. Let’s say you want to target a small company. In minutes, you can view its key employees from the company’s website, find the names of their friends or co-workers from their Facebook and LinkedIn profiles, and find out their current interests or projects from their Twitter feed. That’s all a cybercriminal needs to launch a targeted attack, to construct a spear-phishing email."

The simple truth of the matter is that almost every major breach or cyber-espionage campaign against companies that makes the news has begun life as a simple spear-phishing email. "It takes only one poor trusting soul for the attacker to then leverage well-known techniques to establish back doors, steal passwords, and siphon data," says Sverdlove.

1 2
Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
Be the first to comment this article

You need to Login or Register to comment.

(optional)

For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on pictures@dennis.co.uk

advertisement

Latest News StoriesSubscribe to our RSS Feeds
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing

advertisement

Sponsored Links
 
SEARCH
Loading
WEB ID
SIGN UP

Your email:

Your password:

remember me

advertisement


Hitwise Top 10 Website 2010
 
 

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.