Phishing attacks targeting businesses are a growing problem, particularly targeted phishing that is difficult for employees and managers to see through. Phishing is not traditionally targeted, so how can cyber criminals target a specific person in a company?
Spear phishing vs. phishing
Traditional phishing is a form of cyber fraud in which cyber criminals pose as legitimate businesses, governments or organisations for malicious reasons. They use various strategies to lure their victims into providing sensitive information that they can later exploit. They may also trick victims into installing malware on their computer so that the cybercriminals can access and compromise the computer.
Phishing attacks affect all types of people
Most phishing attacks are carried out via email. Phishing emails contain either a link or an attachment. When the unwitting recipient clicks on the link, they are directed to fake websites where they have to enter their details. If they download the file, malware is installed on their computer.
Phishing can also be carried out over social media, SMS and phone calls.
Common types of phishing attacks often try to target as many people as possible, so they contain universal manipulation strategies and are sent out en masse. These strategies are called social engineering.
The manipulation strategies in phishing are one of the things that distinguish phishing from spam emails. Spam is a form of solicitation aimed at getting as many people as possible to buy a particular product or service.
Spear phishing attacks
Spear phishing, or spear phishing, is a fraudulent phishing method designed as a targeted attempt to steal confidential information or compromise computer devices. It is targeted at specific individuals or specific groups within a company.
Instead of increasing the chance of someone falling for the scam by sending out as many phishing emails as possible, cyber criminals spend a long time producing spear phishing emails so that they are as convincing and trustworthy as possible.
It is a form of fraudulent phishing that is increasingly being targeted at businesses and organisations, as in this form of phishing cyber criminals can tailor the attack to target specific employees.
Phishing targeted at specific groups
Before sending out their spear phishing emails, cyber criminals research their victims and can use publicly available information to find out personal details such as names, addresses, email addresses, family members, friends, recent online purchases, etc. This publicly available information can be found on company websites, Google searches and social media.
The cyber criminals use their research to tailor the spear phishing attack and make the spear phishing emails carefully crafted. They include personal information about the victim and can make the sender look like someone the victim knows, such as their boss, a colleague or a friend.
Often, cyber criminals also use manipulative social engineering strategies in a spear phishing email, as this increases the chances of the attack being successful.
Different types of spear phishing attacks
Whale phishing attacks are sent out to senior employees or managers of a company. Whale phishing is therefore even more targeted than spear phishing, as very few people are targeted.
In CEO fraud, the cybercriminals impersonate the CEO of a company. Unlike spear phishing and whale phishing, in CEO-fraud the cybercriminals use their research to make the sender look like a specific person.
The cybercriminals often use a fake email address to impersonate the CEO's email address. They may also hack the CEO's real email account. Much more research and preparation goes into CEO fraud than into common types of phishing attacks.
Protect yourself against spear phishing
It is important to follow some simple precautions to better protect yourself as an individual or company against spear phishing.
Consider what information you publish online
It is a good idea to be careful about the personal information you post online. Look through your public profiles and consider whether there is information that could be misused by cyber criminals for spear phishing attacks.
Many social media sites have settings that allow only "friends" or connections to see your content. By opting out of allowing everyone on the social media to see your content, you can make it harder for cybercriminals toe to find similar information.
Also, remember to only provide personal information if you are sure you are on a legitimate website. Cyber criminals often create fake phishing websites in the hope that people will enter them thinking they are legitimate.
Always pay attention to your emails
When you receive an email, you should always be aware of the sender and the content of the email.
Is the e-mail from a real e-mail address? Even if the email is supposedly from a trusted source, there will be small errors in the email address if it is a spear phishing email.
Are there any unusual requests in the email? If you suddenly need to provide sensitive information, change your passwords, pay an invoice or transfer money to a "friend" in need, think extra carefully as these are typical subjects of spear phishing.
remember the logic
Use your common sense when reading your emails. A legitimate organization or business would never ask for personal information in an email. And does it make sense that your friend is suddenly short of money or needs your username and password?
If you have any doubts about whether an email is legitimate or not, always contact the sender or go to the company's website through a search engine.
Introduce a data protection programme in your company
To protect your business from spear phishing, you can implement a data protection programme to avoid maximum damage after an attack. Such a program includes both awareness training for employees to identify the exact type of attack and to deter it, and the introduction of internal networks and software programs to protect your company's data.
The programme should also include software applications or other technical solutions that can be deployed after a disruptive data breach. Even if the data has been compromised, it may be possible to recover it.
In addition, the programme can dictate the chain of communication following a spear phishing attempt, including who should be notified immediately.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.