Phishing attacks are not reserved for businesses that think they do not need internet security. Technology giants such as Google and Microsoft have fallen victim to spear phishing too. Spear phishing, as the name suggests, is an attack that targets a specific individual with a range of ‘in-context’ ‘baits’ such as pop-ups, fake websites or requests to download untrustworthy, but seemingly relevant, information. It normally arrives as an email or other electronic communication and is usually intended to steal data for malicious purposes or to install malware on the user’s computer.
It is reported that phishing attacks actually decreased by 16% from 2016 to 2017, yet 76% of organisations still reported suffering this type of attack. This suggests that although people may be getting wise to hackers’ tactics, these attacks still pose a great risk to organisations, so here are some methods to deal effectively with spear phishing attacks.
A phishing attack plays on the user’s fear, greed, obedience or helpfulness: asking them to ‘quickly’ complete a form before a deadline expires, or posing as a legitimate site announcing they have ‘won’ a prize.
Educating staff on how simple these attacks are could save your company money. For example, explaining the danger of clicking on something quickly, before checking whether the message is likely to be legitimate, could save you from a breach. Virgin Media has a handy cyber security quiz you can share with your teams to boost their cyber awareness and outline what they should do in the event of an attack.
Also, check your web-facing applications for cross-site scripting (XSS) vulnerabilities, as phishers often target unvalidated forms and URL query strings to send users to their attack sites. Being vigilant about inspecting the URL you are about to be taken to is essential to stopping phishers from gaining access to important data.
Social media is one of the most targeted areas for phishing. With ‘fake news’ so easy to produce, hackers can back up the story they are creating, making it more likely that people will believe the link they are being asked to click on is genuine.
Advice from the National Cyber Security Centre states: ‘before investing in defences, many organisations often want concrete evidence that they are or will be targeted by specific threats. Every organisation is a potential victim. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack’.
There are a few measures you can introduce to boost your protection level…
HTTP referrer header — checking the referrer information on incoming requests shows where visitors to your site are coming from, so you can see where each request originated.
Whitelisting and execution control — preventing unknown software from being able to run or install itself, including AutoRun on USB and CD drives.
Malware protection — establishing and maintaining malware defences to detect and respond to known attack code.
Security monitoring — implementing an incident management framework to identify known attack vectors.
Trusted IT support — having a trusted IT consultant who can implement security procedures and ensure that data and IP, IT infrastructure, networks and systems are secure.
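The referrer check in the list above, as an added example that is not from the original article: it parses a few constructed web server access log lines and flags requests whose Referer host is outside an assumed allowlist of your own domains, which is how a phishing page that links back to your real site for images or login pages tends to show up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in combined log format; IPs and hostnames are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:09:12:07 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "http://example-c0m-secure.test/verify" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2018:09:13:22 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:09:14:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://mail.example.com/inbox" "Mozilla/5.0"
"""

# Assumed allowlist: domains you own; any subdomain of these counts as trusted.
TRUSTED_DOMAINS = {"example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referrer_host(referrer):
    """Lower-cased hostname from a Referer value, or None if absent/unparseable."""
    if referrer in ("", "-"):
        return None
    host = urlsplit(referrer).hostname
    return host.lower() if host else None


def is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def find_untrusted_referrers(log_text, trusted_domains):
    """Return (client_ip, referrer_host, requested_path) for each request
    that arrived from a Referer host outside the trusted domains."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = referrer_host(m.group("ref"))
        if host is None or is_trusted(host, trusted_domains):
            continue
        path = m.group("req").split(" ")[1] if " " in m.group("req") else m.group("req")
        findings.append((m.group("ip"), host, path))
    return findings


if __name__ == "__main__":
    for ip, host, path in find_untrusted_referrers(SAMPLE_LOG, TRUSTED_DOMAINS):
        print(f"untrusted referrer {host} -> {path} from {ip}")
```

Requests with no Referer are skipped rather than flagged, since browsers and privacy settings routinely strip it; the interesting signal is a third-party host that repeatedly loads your branding or login assets.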
With the GDPR and the threat of financial remediation a focal point for most businesses, it is more important now than ever to know how to deal effectively with a spear phishing attack. Knowledge is power. Understanding the hacker’s methods, and being in a position to intercept them before they get access to your and your clients’ personal data, is vital to protecting both information and reputation.