Defending Your Business Against Spearphishing Attacks
Spearphishing is the latest and sneakiest way that hackers are attacking businesses of all shapes and sizes over the Internet. Having a solid spearphishing defense is no longer optional for any organisation that wants to avoid having its data compromised.
The technique is an outgrowth of an older method known as a phishing attack. In a phishing attack, hackers send out thousands and thousands of emails to random recipients, masquerading as well-known banks or credit card companies and dressing the message up as a customer service notice, in an attempt to get recipients either to click on a link leading to a compromised server or to reply with sensitive account details that could be used to break in.
Phishing attacks were inefficient since most recipients would probably not even be customers of the company used as the lure. They also suffered from the need to be generic in nature; they wouldn’t be able to address the recipient by name, and they wouldn’t attempt to specify a particular type of service offered by the company.
Spearphishing improves on the basic phishing attack by selecting the target in advance and performing some elementary research in an effort to make the attack message more plausible. For instance, the hackers might look at your company directory to find your CFO’s name and email address before sending a message regarding bank transfers, and they might use other methods to identify which bank you use so that the message can name it. Some spearphishing attackers have gone to the trouble of registering one-off domain names that appear, at first glance, to belong to legitimate companies: capita1one.com, for instance.
Spearphishing attacks often work as cascading attacks, too – a compromise inside one company allows attackers to use completely legitimate email addresses that they now control in order to generate fake messages to business partners. Many recipients can identify these only by their tone and the unusual nature of the requests they make.
The key to inoculating your business against these attacks is to ensure that your staff is aware that they exist. Many victims have reported being surprised at unusual requests, but it simply didn’t occur to them that the messages were fakes. Knowing that it is a possibility will allow your staff to become suspicious instead of falling back on customer service habits that encourage even strange requests to be fulfilled.
One ingenious method of doing this is by using a service, such as PhishMe or MediaPro’s Phishing Simulator, to send test phishing messages to your staff. These fake messages report back to your IT team when one of your staff takes the bait; that person can then be counselled about better email security practices, and will likely view similar attempts more suspiciously in the future. Some of these services allow users to report suspicious emails with a single click, turning the process into something of a game while also allowing rapid reports when real attacks occur.
Intelligent scanners are also getting better at spotting phishing emails. Firewall email scanners are a good idea anyway to intercept viruses and other noxious payloads before they get to the inbox, but some scanners also incorporate algorithms that can flag suspected spearphishing messages.
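As an added example, not code from this article or from any of the vendors it names, the Python script below applies the signals discussed above to incoming mail: a sender domain that imitates a trusted one (capita1one.com for capitalone.com), a Reply-To that diverts replies to a different domain, a staff member's display name on an outside address, and urgent payment language, which is also reported when it arrives from a legitimate partner address, as in the cascading case. The trusted domains, the staff name list, the keyword list and the four sample messages are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the organisation's own domain, its bank and a partner.
TRUSTED_DOMAINS = {"example.org", "capitalone.com", "partner.example.com"}
# Constructed names an attacker is likely to impersonate (the CFO scenario);
# a real deployment would load these from the company directory.
VIP_NAMES = {"alice chen"}
# Wording that signals a payment or credential request worth a second look.
URGENT_WORDS = ("wire", "transfer", "urgent", "immediately", "invoice")
# Visually confusable substitutions commonly seen in lookalike domains.
# (Trusted domains that themselves contain these sequences would need care.)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Undo common character swaps so capita1one.com compares as capitalone.com."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a single dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if the domain
    is either genuinely trusted or simply unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    n = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if n == trusted or edit_distance(n, trusted) <= 1:
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} imitates {target}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To diverts to {domain_of(reply_addr)}, not {from_domain}")

    if display.lower() in VIP_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' is staff but address is external")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENT_WORDS if w in text]
    if hits:
        origin = "trusted" if from_domain in TRUSTED_DOMAINS else "outside"
        findings.append(f"payment language from {origin} domain: " + ", ".join(hits))
    return findings


# Constructed sample messages; none of these addresses are real senders.
SAMPLES = {
    "lookalike_bank": "\n".join([
        "From: Account Services <alerts@capita1one.com>",
        "Reply-To: alerts@mail-verify.example.net",
        "To: cfo@example.org",
        "Subject: Urgent: verify wire transfer",
        "",
        "Please confirm the transfer immediately via the link.",
    ]),
    "spoofed_cfo": "\n".join([
        "From: Alice Chen <alice.chen@webmail.example.net>",
        "To: accounts@example.org",
        "Subject: Invoice",
        "",
        "Pay this invoice today.",
    ]),
    "compromised_partner": "\n".join([
        "From: Bob Lee <bob.lee@partner.example.com>",
        "To: accounts@example.org",
        "Subject: New bank details",
        "",
        "Please wire all future payments to our new account immediately.",
    ]),
    "benign": "\n".join([
        "From: Alice Chen <alice.chen@example.org>",
        "To: team@example.org",
        "Subject: Lunch on Friday",
        "",
        "The usual place at noon?",
    ]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyse(raw) or ["no findings"])
```

The partner message produces only the payment-language finding: the address is genuine, so this check cannot prove anything on its own, which is why a changed-bank-details request from any sender should be confirmed by telephone on a number already on file rather than by replying to the email.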
Depriving hackers of the information they need to craft a legitimate-looking attack message is another technique with multiple benefits. Although publishing contact information has become a customer service practice, it also gives hackers a look inside your company without their lifting a finger. Today that information is used for spearphishing; tomorrow, it’s likely to lead to other bad news.
Although removing contact information completely is untenable for many organisations, obfuscating it is not. Make a practice of using generic addresses for external listings, such as “firstname.lastname@example.org” instead of listing your employee names in plain view.
Hackers are always up to something new, but you can head off many spearphishing attempts simply by making your employees aware of them and adopting some basic information security practices within your organisation.