Spear phishing scams targeted at businesses have proven to be very lucrative for cybercriminals. Since January 2015, hackers have stolen over $3 billion (USD) from more than 22,000 companies worldwide using a type of spear phishing attack known as a Business Email Compromise (BEC) scam, according to the U.S. Federal Bureau of Investigation (FBI). BEC scams specifically target companies that regularly send wire transfer payments or work with foreign suppliers.
The main reason why BEC and other types of spear phishing scams are so effective is that they are personalized. Cybercriminals spend a considerable amount of time tailoring each email in the hope that its legitimacy will not be questioned.
Hackers use a variety of techniques to get the information they need to personalize spear phishing emails. Sometimes, they will send out a generic phishing email to all employees at the targeted company. The email might request details about the business or a certain individual who works there. Alternatively, the email may install malware designed to obtain records that the hackers need to carry out the scam.
Cybercriminals can also use social engineering techniques to customize spear phishing emails. For instance, they might scour the targeted company’s website, check social media networks, and search the Internet to get information about the business and people they will be sending the email to. Hackers sometimes even call the company to get a job title or email address.
Because spear phishing emails are personalized, they can be hard to spot. Knowing what elements to look for can help you and your employees identify them. However, since cybercriminals conduct research and customize their spear phishing emails, many of the tell-tale signs of phishing emails do not apply:
Despite the lack of these tell-tale signs, there are some elements that might indicate an email is a spear phishing scam:
To protect your business from spear phishing attacks, consider using a two-pronged strategy. First, you should try to prevent spear phishing emails from reaching your employees by keeping your company’s email filtering and anti-malware tools up-to-date. You might even explore an email security solution designed to catch spear phishing and other types of malicious emails. In addition, you should make sure that potentially sensitive information (e.g., employee email addresses) is not publicly available.
Second, you need to educate employees about the personalized nature of spear phishing. Besides letting them know the elements they will and will not find in spear phishing emails, it is important to inform them about the risks associated with clicking email links and opening email attachments. Plus, you should show them how to check for deceptive URLs and spoofed names in the "From" field.
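One way to turn that last point into a check, as an added example that is not from the original post or from PC Corp: a small Python triage script that flags a "From" header whose display name carries a different address than the real sender, and HTML links whose visible text names a different host than their real destination. The message it scans is constructed here, and its domain names are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the page): a spoofed "From" display name plus
# a link whose visible text points somewhere other than its real destination.
SAMPLE_EMAIL = """\
From: "Jane Doe <jane.doe@example.com>" <jane.doe@examp1e-mail.test>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please review the invoice at
<a href="http://login.examp1e-mail.test/pay">https://portal.example.com/invoices</a>
before 5pm.</p>
"""
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    """Lower-cased domain part of an email address ('' if none)."""
    return (addr or "").rsplit("@", 1)[-1].lower()

def check_from(from_header):
    """Reasons the From field looks spoofed; an empty list means no finding."""
    display, real = parseaddr(from_header)
    reasons = []
    # Many clients show only the display name, so an address written into it
    # hides the real sender, which is the one inside the angle brackets.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display):
        if domain_of(shown) != domain_of(real):
            reasons.append(f"display name shows {shown}, real sender is {real}")
    return reasons

def check_links(html):
    """(visible_url, real_href) pairs whose hosts disagree."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                findings.append((shown, href))
    return findings

def triage(raw):
    """Parse a raw message and run both checks on it."""
    msg = message_from_string(raw)
    html = msg.get_payload() if msg.get_content_type() == "text/html" else ""
    return {"from": check_from(msg["From"]), "links": check_links(html)}
```

Both checks are heuristics for user training and mail-gateway triage, not a substitute for SPF/DKIM/DMARC enforcement.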
The individual steps required to implement this two-pronged strategy will vary depending on your company’s needs. PC Corp can help you decide the best course of action as well as provide more recommendations on how to protect your business from spear phishing and other email-based attacks.
PC Corp has designed a Security Assessment that can help identify potential risks in your environment and how best to protect yourself. Patching and updating your firewalls and anti-virus may no longer be enough, as attackers are now targeting users and user behaviour. Talk to your PC Corp Account Manager about this service and look for an upcoming session on Security coming soon to PC Corp. Email: servicedesk@pccorp.com Phone: (780) 428-3000 x. 3 (sales)
Please feel free to DOWNLOAD and distribute our tipsheet on ‘how to recognize a phishing email’.