Phishing is a continuing problem for enterprises and organisations of every size. However powerful the mail security filters a firm deploys, a cleverly crafted phishing message can still bypass them and land in a staff inbox.

Once upon a time, phishing messages were seen simply as a nuisance, something that clogged up mail systems and wasted company time in the same way as spam. Today they are recognised as a threat that can cost companies millions.

Phishing is now the most common attack vector for ransomware. Malicious links may be embedded in the body of a message, or malware may be hidden in a seemingly harmless attachment. If a user clicks the link or opens the download, their machine can be infected, and the malware can then spread laterally across the company network, causing disruption and costly breaches.

Most successful malware and ransomware attacks that start with a phishing email do not rely on generic, mass-mailed phishing. Instead, they use spear phishing techniques that greatly increase the chance of success. Read on to find out more.

Conventional phishing vs spear phishing

Standard phishing attacks take a spam approach: they are designed for quantity, not quality. Hundreds of thousands of messages are sent with no specific targets in mind. Standard phishing is like fishing with a net. The attacker casts as widely as possible and waits to see who is caught.

Spear phishing is more like fishing with a line, a hook and a lure. It focuses on a specific victim or small group of victims and tries to put them at ease by appearing to come from a trusted party. This may be a colleague, a manager, or an established institution such as a bank or government agency.

How spear phishing works

Rather than making a sweeping attack, threat actors who use spear phishing take their time to research a company and its personnel, or sometimes a single staff member. They trawl the public information available on company websites, social media platforms and online CV databases. They may also draw on stolen data that is freely available, or for sale, on criminal forums.

They use that data to masquerade as a legitimate individual or authority and contact the target directly by email. A recipient who believes a message comes from someone they trust is more likely to do what it asks. For example, if an employee in accounts receives a message that appears to come from the firm's finance director asking them to transfer funds, there is a good chance they will do so.

Keeping your staff safe from phishing attacks

Make sure your employees can recognise a phishing attack by giving them regular security awareness training:

  • Help them understand why they should never click on links or open attachments from unverified senders.
  • Include examples of what to look out for, such as a familiar display name paired with an unfamiliar sender address, or an unusually urgent request for money.
  • Ensure that they verify any request for funds or sensitive data made by email in person or by phone, using contact details they already hold rather than any given in the message.
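The "what to look out for" in the list above can be made concrete. The following script is an added example written for this article, not Galaxkey's product code: it assumes a hypothetical organisation domain and staff directory (both constructed here) and applies three header checks that map directly onto the impersonation described above: a known employee's display name on an external address, a Reply-To that diverts the conversation elsewhere, and a look-alike sender domain. The sample messages are constructed for illustration.

```python
"""Flag e-mails that impersonate a known colleague or executive.

Added example for this article (not Galaxkey code). It assumes a small
directory of internal staff and the organisation's own domain, both of
which are hypothetical, and applies three checks a trained reader can
also do by eye:
  1. display name matches a known employee but the address is not theirs;
  2. Reply-To points somewhere other than the From address;
  3. the sender domain is a look-alike of the real one (edit distance <= 2).
"""
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical organisation data (assumption, not from the article).
OUR_DOMAIN = "example.com"
KNOWN_STAFF = {"alice jones": "alice.jones@example.com"}  # display name -> real address


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_indicators(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message looks like colleague impersonation."""
    msg = BytesParser().parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)
    reasons = []

    # 1. Known name, wrong address (classic CFO-from-a-webmail-account spoof).
    real = KNOWN_STAFF.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' is a known employee but address is {addr}")

    # 2. Replies silently go somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To ({reply_to}) differs from From ({addr})")

    # 3. Domain is almost, but not quite, ours.
    if sender_domain and sender_domain != OUR_DOMAIN and _edit_distance(sender_domain, OUR_DOMAIN) <= 2:
        reasons.append(f"sender domain {sender_domain} is a look-alike of {OUR_DOMAIN}")

    return reasons


# Constructed sample messages (not real mail).
LEGIT = b"""From: Alice Jones <alice.jones@example.com>
To: bob@example.com
Subject: Q3 figures

Bob, the figures are attached to the ticket.
"""

SPOOFED_NAME = b"""From: "Alice Jones" <alice.jones.cfo@gmail.com>
Reply-To: finance-desk@outlook.com
To: bob@example.com
Subject: Urgent wire transfer

Bob, please send the funds today and confirm by reply.
"""

LOOKALIKE = b"""From: Alice Jones <alice.jones@examp1e.com>
To: bob@example.com
Subject: Updated supplier bank details

Please update the payment details before the next run.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed name", SPOOFED_NAME), ("look-alike", LOOKALIKE)):
        print(label, "->", impersonation_indicators(sample) or ["no indicators"])
```

None of these checks is proof on its own, and a careful attacker can satisfy all three (for example by compromising the real executive's mailbox), which is why the out-of-band verification in the last bullet still matters. In practice the same logic belongs in a mail gateway rule or a banner that warns the recipient before they act.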

How Galaxkey can help

To help secure your employees and give them a safer environment to work in at home or in the office, test-drive Galaxkey’s secure workspace.