It has been years since the first phishing scams were used to snag unsuspecting victims, yet these scams remain common and very effective even though people are more aware of them. Unlike phishing scams that send out emails in the millions (in the hope that someone bites), spear-phishing scams (as the name suggests) are specialised and targeted scams, backed by sufficient resources, and much more challenging for an organisation to spot.
The scam entails a substantial amount of in-depth research into the target business, using technology and social engineering. Organisation structure, functioning, employee information and social media are carefully studied by the attackers so that the scam can come across as genuinely as possible. Spear-phishing is an expanding threat; many organisations do not even realise the lengths that attackers will go to in order to get what they want: your data!
Many large breaches start with a spear-phishing scam via an email. Email is universally used for communication and sharing data within organisations, which makes it a simple approach for attackers to take. Even with precautionary measures such as anti-spam and antivirus software as well as gateways, organisations are still falling victim. Further steps need to be taken. Data needs to be properly secured so that even if an attacker gains access to it, it is protected and unusable, even in the attacker’s hands.
Up until now, the broad uptake of email security tools has been poor, and when implemented they are often side-stepped due to the inadequate usability of these legacy tools. However, it is vital that all businesses protect their data and implement data protection solutions for their emails and files, not only to keep their valuable data protected but also to comply with stringent privacy regulations and to uphold brand and reputation.
There is no longer any excuse not to protect your data. Encryption technologies have advanced and solutions are available that make securing your communications easy without impacting business efficiency at all. It’s necessary to have the right measures in place; otherwise your business will continue to be vulnerable to such attacks and more.
How a spear-phishing scam usually transpires
The attacker’s aim is usually to steal company information or credentials, deploy malware or steal money.
The scammer sends a highly personalised email. The email seems to come from a trusted source, and the email address used at first glance looks the same as ones frequently used within the organisation. On closer inspection it can be seen that this is not the case, but employees are not likely to pick this up easily.
The scammer’s aim is to create urgency: often the email will pertain to an urgent matter that requires critical action, thus taking priority over everything else.
An employee opening the email sees a message from a colleague or a trusted source who they regularly deal with, demanding they take urgent action. This often involves the recipient following a link to a fake website. Because they are unsuspecting and nothing has so far appeared out of place, the ‘convincing’ site is the next step in the scam.
To the employee, the site looks and feels authentic and they continue to act on the urgent request by entering company information and/or passwords or providing financial details. Alternatively, the email may require you to download an attachment which will place malware on your computer that can log activity, allowing the scammer to access your company information.
At this point the scam has only just been initiated: the attacker has his foot in the door and has acquired the information needed to further facilitate his attack, which more than likely will culminate in a breach. A breach is detrimental to the organisation and is likely to result in loss of data, substantial financial implications and legal ramifications, and to negatively affect the brand and reputation of the organisation.
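The lookalike sender address and the impersonated colleague described above are the two signals a mail gateway or SOC script can check mechanically. The following is an added example, not code from the original article: it parses the From: header of a message and flags an external domain that resembles the organisation’s domain (digit-for-letter swaps, “rn” for “m”, small edit distance) or a display name that belongs to a known member of staff but arrives from a different address. The organisation domain, the staff directory and the sample messages are all constructed for the demonstration.

```python
"""Flag From: headers that impersonate an internal colleague (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # assumed internal domain
STAFF = {"jane doe": "jane.doe@example.com"}   # assumed directory: display name -> address
DIGIT_TO_LETTER = str.maketrans("01", "ol")    # common digit-for-letter substitutions


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_org_domain(domain):
    """True when an external domain could pass for ORG_DOMAIN at a glance."""
    normalised = domain.replace("rn", "m").translate(DIGIT_TO_LETTER)
    return normalised == ORG_DOMAIN or edit_distance(domain, ORG_DOMAIN) <= 2


def check_sender(raw_message):
    """Return a list of findings for the From: header of one RFC 5322 message."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if domain == ORG_DOMAIN:
        return findings                        # genuinely internal address; nothing to flag
    if looks_like_org_domain(domain):
        findings.append(f"lookalike domain: {domain} resembles {ORG_DOMAIN}")
    expected = STAFF.get(display.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name '{display}' belongs to {expected}, not {addr}")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 figures\n\nAttached.\n",
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nSubject: URGENT: wire today\n\nPlease act now.\n",
    "freemail": "From: Jane Doe <jane.doe@mail.invalid>\nSubject: Quick favour\n\nAre you at your desk?\n",
    "vendor": "From: Invoices <billing@supplier.invalid>\nSubject: Invoice 1234\n\nSee attached.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_sender(raw) or ["ok"])
```

The “rn”/digit normalisation is only applied to the comparison copy, so legitimate external domains are still passed through unchanged to the rest of the mail pipeline.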
Be on Guard and take action
Organisations should be on guard; it is no longer a case of if you fall victim but rather a case of when. Know your cybersecurity status and fix all weaknesses you find. This is very important to properly manage the risks.
With continuous change happening in both areas of threat and control the process of understanding and managing your cybersecurity status is no longer something that should happen annually or even quarterly but should be a real-time process that is continuously being evaluated and resolved. It’s fundamental to make sure that current organisational and technical measures are always in place.
An attack is usually successful when a gap is present. This could involve a security gap with regards to the people, technology or process component. It could be that an existing component is insufficient or not working as it should be, leaving your business vulnerable.
Employees are often the weak link and unaware of the workings of the scam. Training is very important. However, technologies to secure data can be used to safeguard your sensitive information and protect your organisation too.
By taking action and implementing protective technologies, if you were to be breached you will have shown that your organisation was proactive by putting the necessary data protection measures in place. Furthermore, secured data is unusable to the attacker and poses a reduced or no risk to employees and customers. Regulators will take this all into consideration and will offer you some leniency.
Precautionary measures your organisation should take
- Know your cybersecurity status, maintain and manage it in real-time.
- Understand the risks that people, technologies and processes pose.
- Consider the level of risk associated with the information you choose to make public and determine if the risk is tolerable to the organisation. Think before you post!
- Educate all employees on such attacks and the importance of data security.
- Make it procedure for employees to secure data, always!
- Utilise encryption, encrypt your communications and make it common practice to send encrypted communications within the organisation and to third parties so that an email out of the ordinary is easily noticed.
- Encrypt your documents and data in transit as well as when in storage.
- Data-centric solutions are advantageous as the data itself is protected and the protection is not dependent on a network or a device. The protection encapsulates the data and follows the data wherever it goes!
- Dispose of documents, data, devices and anything else holding information in a secure and appropriate manner to avoid the data getting into the wrong hands and being used fraudulently.
- The layered security approach must allow for the necessary visibility, intuition and control required to manage and reduce the risk of attack.
- Use cutting-edge technologies that are sustainable so that you are assured of protection for today as well as the long-term.
Attacks have advanced but so has data protection
Spear-phishing and phishing are usually carried out for financial gain through obtaining trade secrets or highly sensitive information. The attack that follows a successful entry into an organisation’s environment is usually substantial. Spear-phishing attacks are not random but high-level targeted attacks with a high success rate.
It is essential that organisations aim to convert employees from a threat vector and attack target into a line of defence. Tackling such cyber-attacks is dependent on comprehensive data security. Ensuring that the importance of data security is ingrained in the organisation and that the message is addressed from the top down will encourage employees to take it seriously and ensure the necessary procedures are adhered to.
Protecting your data is fundamental to protecting your organisation, employees, customers and clients, and with strict data protection regulations (the GDPR) on the horizon, this needs to be made a priority, and fast.