How to protect your business against spear phishing
Posted on 2 Jan 2013 at 13:16
Phishing attacks have evolved, so small businesses need to adapt their defences to stay safe, says Davey Winder
Most people are aware of “phishing” attacks: scams initiated via email or on social networks with the aim of getting you to hand over your personal details. However, the scattergun approach of phishing is becoming more miss than hit, as user education improves and the chances of finding a gullible “mark” among the mass mail out decreases. So these phishermen are now looking to more targeted attacks, known as spear phishing. If you run a small business, you and your employees are firmly within the cross-hairs, and your data is at risk.
Spear phishing defined
Tod Beardsley is the Metasploit engineering manager at Rapid7, and he defines spear phishing as "an attack characterised by phishing tactics, such as an email sent to the target with a ‘click here’ call to action that compromises the victim's computer – however, the email is specialised against that particular target”.
“Think of ‘phishing’ as casting a wide net of identical emails, where ‘spear phishing’ is an attack that might call out the victim by name and appear to come from some place the victim is familiar with," he explains.
Spear phishing is far more likely to implement zero-day vulnerabilities in client software than general phishing scams ever did, since the targets will be limited and the chances of them reporting the attack to a security vendor quite low. This means that the valuable zero-day exploit stands more chance of remaining undetected in the wild for longer.
Spear phishing by numbersA survey of 603 UK small businesses in 2012 on behalf of AVG discovered that between January and April, when payments to tax and revenue agencies are at their highest, spear-phishing emails are especially prevalent.
The most common fraudulent messages were designed to appear as if they have come from banks or financial institutions, and only 30.5% of SMBs surveyed would think twice about clicking on a link directing them to the HMRC. 56.9% of the SMBs had received fraudulent emails asking for money, 36.8% had received fake tax rebate emails and 12.3% had been directed to a fake government web page.
The small business is a prime target simply because spear phishing, which devotes larger resources to smaller target groups, looks for high potential value to the attacker. Although larger enterprises are attacked, it’s a mistake for small businesses to think they’re not a target. This common misconception means they’re less likely to be looking for spear attacks, less likely to have the defences in place to protect against them, and less likely to have invested in staff education programmes.
The attacker will already have a profile of your business and specific staff members who have access to bank account information, customer information or other high-value data for corporate espionage purposes. As Tod Beardsley puts it: "if I'm a penetration tester and spear phishing is in scope, I’ll go after your lead developers and get access to your proprietary source code."
Bit9's CTO Harry Sverdlove points a finger towards the explosion of social media – both within the business sphere and, of course, with the staff making good use of the BYOD trend.
"Cybercriminals have taken notice that we live in an interconnected world, where information is too easily traded and shared by the terabytes on Facebook, LinkedIn, Twitter, Instagram and more,” he says. “This free and open access to personal data provides the perfect opportunity for a cyberhacker to infiltrate almost any organisation. Let’s say you want to target a small company. In minutes, you can view its key employees from the company’s website, find the names of their friends or co-workers from their Facebook and LinkedIn profiles, and find out their current interests or projects from their Twitter feed. That’s all a cybercriminal needs to launch a targeted attack, to construct a spear-phishing email."
The simple truth of the matter is that almost every major breach or cyber-espionage campaign against companies that makes the news has begun life as a simple spear-phishing email. "It takes only one poor trusting soul for the attacker to then leverage well-known techniques to establish back doors, steal passwords, and siphon data," says Sverdlove.
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on firstname.lastname@example.org
- Google I/O live stream and blog: how to watch 2014 Google I/O keynote speech live
- Google testing its own domain registration service
- Adobe announces first hardware: Adobe Ink and Slide
- Vote now in the PC Pro Excellence Awards 2014!
- What’s new in OS X 10.10? Apple Yosemite’s new features
- Samsung Z Tizen phone helps loosen ties with Android
- Microsoft rumoured to launch smartwatch this summer
- LG G3 launched: LG takes the wraps off smartphone that offers “more with less effort”
- LG G3 launch live video stream and blog: as it happened
- Apple fixes iMessage lock-in for Android switchers
- How Google Glass ruined my lunch hour
- Smartphone battery packs: can a USB power pack beat the festival battery blues?
- Windows Easy Transfer – not so "easy" in Windows 8.1
- Formula 1: what a difference virtualisation makes
- Office of the future: comfy chairs and tablets everywhere
- I went to Glastonbury and the only thing that got high was my smartphone
- Meet the robots helping teach children
- PaperLater: would you pay to print the internet?
- Amazon vs Kobo: how much to make the ebook switch?
- Phishing emails: how I nearly got caught out
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to write your company's IT security policy
- Raspberry Pi and Wolfram: a must-have for every child
- Could you get by with Office Web Apps?