How to protect your business against spear phishing
Posted on 2 Jan 2013 at 13:16
Phishing attacks have evolved, so small businesses need to adapt their defences to stay safe, says Davey Winder
Most people are aware of “phishing” attacks: scams initiated via email or on social networks with the aim of getting you to hand over your personal details. However, the scattergun approach of phishing is becoming more miss than hit as user education improves and the chance of finding a gullible “mark” in a mass mail-out shrinks. So the phishers are turning to more targeted attacks, known as spear phishing. If you run a small business, you and your employees are firmly in the cross-hairs, and your data is at risk.
Spear phishing defined
Tod Beardsley is the Metasploit engineering manager at Rapid7, and he defines spear phishing as “an attack characterised by phishing tactics, such as an email sent to the target with a ‘click here’ call to action that compromises the victim’s computer – however, the email is specialised against that particular target”.
“Think of ‘phishing’ as casting a wide net of identical emails, where ‘spear phishing’ is an attack that might call out the victim by name and appear to come from some place the victim is familiar with,” he explains.
Spear phishing is far more likely to exploit zero-day vulnerabilities in client software than general phishing scams ever did, since the pool of targets is small and the chance of any of them reporting the attack to a security vendor is low. A valuable zero-day exploit therefore stands a better chance of remaining undetected in the wild for longer.
Spear phishing by numbers
A survey of 603 UK small businesses, carried out in 2012 on behalf of AVG, found that spear-phishing emails are especially prevalent between January and April, when payments to tax and revenue agencies are at their highest.
The most common fraudulent messages were designed to look as though they had come from banks or financial institutions, yet only 30.5% of the SMBs surveyed said they would think twice before clicking a link that purported to lead to HMRC. 56.9% of the SMBs had received fraudulent emails asking for money, 36.8% had received fake tax-rebate emails and 12.3% had been directed to a fake government web page.
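The bank and HMRC lures in those figures share a handful of tells that can be checked by machine before anyone is asked to "think twice". The script below is an added example written for this article, not code from the original feature, from AVG or from any vendor quoted here. It parses a constructed sample rebate email, compares the From display name against a hypothetical allowlist of domains for the brands a business actually deals with, and flags links whose visible text shows one host while the href points elsewhere, or whose target merely resembles a trusted domain. The TRUSTED table, the example.net sender and the message itself are all assumptions made for the demonstration.

```python
"""Heuristic checks for a bank/HMRC-themed spear-phishing email: a From display
name that names a trusted brand but comes from a foreign domain, a link whose
visible text shows one host while its href goes to another, and a link that
names a trusted brand but lands on a host outside that brand's domains."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist constructed for this example: brands the business deals
# with and the hosts allowed to act for them (an entry or any subdomain of it).
TRUSTED = {
    "hmrc": ("hmrc.gov.uk", "gov.uk"),
    "barclays": ("barclays.co.uk", "barclays.com"),
}
# Visible link text that reads as a URL or bare hostname, e.g. www.hmrc.gov.uk/rebate
URL_LIKE = re.compile(r"^(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/?#]|$)", re.I)


def host_trusted(host, brand):
    """True if host equals one of the brand's domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED[brand])


def brands_named(text):
    """Trusted brands whose name appears anywhere in text (case-insensitive)."""
    return [b for b in TRUSTED if b in text.lower()]


def shown_host(link_text):
    """Host named by the visible link text, or None if the text is not URL-like."""
    m = URL_LIKE.match(link_text.strip())
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return (indicator, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    for brand in brands_named(display_name):
        if not host_trusted(sender_host, brand):
            findings.append(("sender-mismatch",
                             f"'{display_name}' names {brand} but mail is from {sender_host}"))

    # Concatenate every text/html part (a plain-text-only mail yields no links).
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8")
                   for p in parts if p.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = shown_host(text)
        if shown and shown != actual:
            findings.append(("link-text-mismatch",
                             f"text shows {shown} but href points to {actual}"))
        for brand in dict.fromkeys(brands_named(text) + brands_named(actual)):
            if not host_trusted(actual, brand):
                findings.append(("brand-lookalike",
                                 f"{actual} poses as {brand}; trusted hosts: {', '.join(TRUSTED[brand])}"))
    return findings


# Constructed sample lure (example.net is a reserved name); no real message was used.
SAMPLE_EMAIL = """\
From: "HMRC Tax Rebates" <refunds@hmrc-gov-uk.example.net>
To: accounts@smallbiz.example
Subject: Your tax rebate of GBP 1,482.20 is waiting
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Accounts Team,</p>
<p>Following your Q4 submission a rebate is due. Confirm your details at
<a href="http://hmrc-gov-uk.example.net/rebate">www.hmrc.gov.uk/rebate</a> within 48 hours.</p>
<p>Questions? See <a href="https://www.gov.uk/contact-hmrc">our contact page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_EMAIL):
        print(f"[{indicator}] {detail}")
```

Run against SAMPLE_EMAIL it reports a sender mismatch, a link whose text reads www.hmrc.gov.uk but points at hmrc-gov-uk.example.net, and a brand lookalike; a genuine notice sent from hmrc.gov.uk and linking to www.gov.uk produces no findings. The allowlist approach is deliberate: enumerating every lookalike spelling of a brand is hopeless, whereas the handful of domains a small firm legitimately deals with is short and stable, and that list, not a blocklist, is what a mail gateway or a quick triage script should consult.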
Small businesses are prime targets precisely because spear phishing devotes more resources to a smaller group of targets, so the attacker picks those with high potential value. Larger enterprises are attacked too, but it is a mistake for a small business to assume it is not a target. That misconception means small firms are less likely to be watching for spear attacks, less likely to have defences in place against them, and less likely to have invested in staff education programmes.
The attacker will already have a profile of your business and of the specific staff members who have access to bank account information, customer information or other high-value data that could serve corporate espionage. As Tod Beardsley puts it: “If I’m a penetration tester and spear phishing is in scope, I’ll go after your lead developers and get access to your proprietary source code.”
Bit9’s CTO Harry Sverdlove points the finger at the explosion of social media, both in the business sphere and among staff making the most of the bring-your-own-device (BYOD) trend.
“Cybercriminals have taken notice that we live in an interconnected world, where information is too easily traded and shared by the terabytes on Facebook, LinkedIn, Twitter, Instagram and more,” he says. “This free and open access to personal data provides the perfect opportunity for a cyberhacker to infiltrate almost any organisation. Let’s say you want to target a small company. In minutes, you can view its key employees from the company’s website, find the names of their friends or co-workers from their Facebook and LinkedIn profiles, and find out their current interests or projects from their Twitter feed. That’s all a cybercriminal needs to launch a targeted attack, to construct a spear-phishing email.”
The simple truth of the matter is that almost every major breach or cyber-espionage campaign against a company that makes the news has begun life as a simple spear-phishing email. “It takes only one poor trusting soul for the attacker to then leverage well-known techniques to establish back doors, steal passwords, and siphon data,” says Sverdlove.