What is Spearphishing and how you can fight back
From major incidents of corporate espionage to the Russian hacking of Democratic National Committee emails, spearphishing has become one of the most effective of all hacking techniques. Spearphishing is different from traditional phishing attacks; it’s personal, and careful targeting makes it far more dangerous.
One of the things that makes spearphishing attacks so dangerous is the fact that the messages appear to be legitimate. Typically, a spearphishing email may look like a request from a known supplier or a trusted colleague. It is only after reading the details that suspicions begin to arise.
It is important for IT managers and security personnel to talk about the dangers of spearphishing, and that even an email that looks legitimate could be dangerous. Requests for personal or corporate information, for instance, should always raise red flags, since that data could be proprietary and protected.
Employees who receive these emails can protect themselves, and the companies they work for, by verifying the request over the phone before divulging any of the requested information. If they receive a request for specific information from a supplier, for instance, they should not respond to the email. Instead, they should call the supplier in question, using the phone number they already have, not the one embedded in the suspicious email.
The care with which hackers choose their victims is another thing that sets spearphishing apart from other attacks. Spearphishers may target the key decision makers at a company, like the CEO in the corner office or the head of supply chain management. Since the targeted individuals have power and influence, a successful spearphishing attack can have enormous, and long-lasting, implications.
Another danger is that these high-powered spearphishing targets may not be the most technologically sophisticated. Members of upper management tend to be older, and most grew up without smartphones and a constant online presence.
That means IT managers and security personnel should spend extra time and give special care to training the management team, including the key staff members most likely to be targets of a spearphishing attack. There is often pushback against these training efforts, but it is essential for the IT team to stay persistent and vigilant.
A lack of clear-cut rules on what employees can and cannot share outside the company feeds into the spearphishing playbook. Therefore, it is crucial for companies to put specific guidelines in place, which will blunt the impact of spearphishing and make attempts less likely to succeed.
While employees may vaguely know that sharing confidential or proprietary information is forbidden, they are often unclear on what constitutes such data. By setting clear guidelines and establishing penalties for breaking them, businesses can protect themselves from spearphishing, corporate espionage and a host of other modern dangers.
Spearphishing attacks are not going away any time soon. In fact, these attempts to procure personal information and proprietary corporate data seem to be ramping up. If you do not want your company to become the next headline, now is the time to train your employees. If you’re going to protect yourself, you need to understand how spearphishing works, how dangerous it is and what you can do to combat it.