Phishing attacks are not confined to businesses that do not think they need internet security; computer giants such as Google and Microsoft have fallen victim to spear phishing too. Spear phishing, as the name suggests, is an attack that targets a specific individual with a range of ‘in-context’ baits, such as pop-ups, fake websites or requests to download untrustworthy but seemingly relevant information. It normally arrives as an email or other electronic communication, and is usually intended to steal data for malicious purposes or to install malware on the user’s computer.
It is reported that phishing attacks actually decreased by 16% from 2016 to 2017, but 76% of organisations still reported suffering this type of attack. This data shows that although people may be getting wise to hackers’ tactics, these attacks still pose a great risk to organisations, so here are some methods for dealing effectively with spear phishing attacks.
A phishing attack plays on the user’s nature: fear, greed, obedience or helpfulness. It asks them to ‘quickly’ complete a form before a deadline expires, or poses as a legitimate site announcing that they have ‘won’ a prize. Educating staff on how simple these attacks are could save your company money: explain the danger of clicking on something quickly before checking how likely the message is to be legitimate.
Also, check your web applications for cross-site scripting (XSS) vulnerabilities, as phishers often target unvalidated forms and URL query strings to send users to their attack sites. Being vigilant about investigating the URL you are about to be taken to is essential in preventing phishers from gaining access to important data.
Social media is one of the most targeted phishing areas, and with the ease of producing ‘fake news’, hackers are able to back up the information they create, making it more likely that people will believe the link they are being asked to click on is in fact real.
Advice from the National Cyber Security Centre states, ‘before investing in defences, many organisations often want concrete evidence that they are, or will be targeted, by specific threats. Every organisation is a potential victim. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber-attack.’
HTTP referrer header analysis – by checking the referrer information on incoming requests, individuals can see where visitors to their site are coming from and where each request originated.
Whitelisting and execution control – preventing unknown software from running or installing itself, including AutoRun on USB and CD drives.
Malware protection – establish and maintain malware defences to detect and respond to known attack code.
Security monitoring and security incident management – to identify known attack vectors.
Having a trusted IT consultant who can implement security procedures and ensure that data and IP, IT infrastructure, networks and systems are secure.
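The XSS and URL-query-string advice above and the referrer-header point in this list are both things a defender can check directly in web server logs, so here is an added Python example that does so; it is not code from the original article or from any organisation it mentions. It assumes Apache/nginx ‘combined’ format access logs (the header itself is spelled `Referer` on the wire), runs on constructed sample lines, and flags query values that look like script injection as well as visits arriving from hosts outside an allow list.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" access log format (an assumption; the article names no log format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
# Markers of script injection in a query value; deliberately short and illustrative.
XSS_MARKERS = re.compile(r'<\s*script|javascript:|\bon\w+\s*=', re.IGNORECASE)
# Constructed sample log lines (not real traffic); hosts and addresses are documentation values.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2018:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128 "https://social.example.net/post/42" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2018:13:57:12 +0000] "GET /account?next=javascript:alert(1) HTTP/1.1" 302 0 "-" "curl/7.61"
"""

def parse_line(line):
    """Split one access-log line into ip, path and referer, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(path):
    """Names of query parameters whose decoded value looks like a script payload."""
    hits = []
    # parse_qsl percent-decodes once; the extra unquote also catches double-encoded values.
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if XSS_MARKERS.search(unquote(value)):
            hits.append(key)
    return hits

def analyse(lines, trusted_hosts):
    """Return (referer counts, alerts); each alert is a (kind, client ip, detail) tuple."""
    referers, alerts = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        # "-" or an empty Referer has no host, so urlsplit(...).hostname is None: a direct visit.
        host = urlsplit(rec["referer"]).hostname
        referers[host or "direct"] += 1
        params = suspicious_params(rec["path"])
        if params:
            alerts.append(("xss", rec["ip"], params))
        if host and host not in trusted_hosts:
            alerts.append(("untrusted-referer", rec["ip"], host))
    return referers, alerts

if __name__ == "__main__":
    counts, found = analyse(SAMPLE_LOG.splitlines(), {"www.example.com"})
    print(dict(counts), found)  # 3 alerts: two xss hits and one untrusted referer
```

The referrer summary shows which external sites are sending traffic to yours, and the alerts are the lines worth a closer look; an untrusted referrer is only a lead, not proof of an attack.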
With the GDPR and the threat of financial remediation a focal point for most businesses, it is more important now than ever to know how to deal effectively with a spear phishing attack. Knowledge is power. Understanding hackers’ methods and being in a position to intercept them before they gain access to your and your clients’ personal data is vital in protecting both information and reputation.