Addressing Threats from Scam Emails
Spear-phishing is an email attack intended to trick you into taking an action, for instance clicking a bad link, providing your login/account information, or sending money.
Here are some typical examples:
The technique – used by hackers, criminal groups, and nation-states alike, has been around for a long time. Remember the old Nigerian email scams, with bad grammar and ham-handedness? The difference is that the methods used today have become more sophisticated.
Spear-phishers do their research on you or your company to make their email as believable as possible at first glance. Why? Studies show recipients open roughly 25 percent of cold email solicitations. Personalize it somehow or add a sense of urgency and that number goes up to over 50 percent. And once it’s open, it’s a small step to clicking on that link. A relatively small spear-phishing campaign of just a handful of different emails is likely to get someone to click the link or enter their information, opening the door to your network.
The Appeal of Spear-Phishing
Spear-phishing remains the primary method for hackers to get into your network. Although there are other methods, spear-phishing is a proven and effective method to trick employees into revealing their login credentials, thus giving the hacker an easy way in. And intruders who log in using legitimate, if stolen, credentials can be in the network for a while before they’re detected – causing all kinds of damage or stealing important data. And, of course, users often use the same password for many different sites and accounts, giving the attacker even more areas to exploit.
Victims often don’t realize how valuable it might be for someone to have access to their information. In addition to the obvious financial information or personally identifiable information that can be used for identity theft or other financial schemes, employees have access to all kinds of information the attacker may be able to use. Employees in shipping have billing information, the facilities team has service information, and the upper echelons of the organization have access to the company’s crown jewels – intellectual property, patents, or strategy. And perhaps more important, once a company login has been compromised, attackers often send additional attack emails from within the system, giving them even more information to exploit and more areas to cause damage.
Protecting Yourself and Your Network
The first step to protecting yourself is also the most difficult. Employees need to be trained to recognize suspicious email and what to do with them. Recognizing the email gets harder and harder as the attackers are continuously improving their bait techniques. Spear-phishing is generally tailored to the recipient, which reduces the natural suspicion of unsolicited email. It also capitalizes on the victim’s workload – we all receive so many emails each day, that a legitimate looking one gets opened almost out of habit. Legitimate email from financial institutions and other businesses/vendors will not ask for credentials. Training should be comprehensive and ongoing. In practice, once-a-year web-based courses have proven to be somewhat ineffective; employees need to be on their toes year-round.
Network technology is the second key part of protection. Intrusion detection systems and real-time monitoring for suspicious activity and connections can provide timely warnings of compromise.
Finally, preparation for attacks, while often overlooked, is the key to limiting the damage from a spear-phishing or other cyber attack. A review of company policy and governance of network use and response is a good start for understanding your company’s security posture. And a plan for how to respond to a successful compromise in terms of procedures to follow and who will be involved will make for a more effective and speedy response to an incident.
The views expressed in this article are those of the author and do not necessarily represent the views of Navigant Consulting or any of our clients.