Spear phishing is the fraudulent practice of sending e-mail, ostensibly from a known or trusted sender, to trick targeted individuals into revealing information, clicking on malware-infected links or opening infected attachments.
According to Wombat Security’s 2016 State of the Phish report, not only are more organisations falling victim to phishing attacks, but the number and sophistication of the attacks they’re experiencing have also gone up. Two-thirds of the organisations they studied reported experiencing attacks that were targeted and personalised (spear phishing attacks), up 22 percent from the year before. (Wombat Security)
Last week we got another indication of how sophisticated phishing attacks have become, with Breitbart’s top editor falling for an email prankster who posed as Trump adviser Steve Bannon. Posing as the former White House chief strategist, the prankster fooled top Breitbart editors into acknowledging that they were running critical articles about White House advisers Jared Kushner and Ivanka Trump. In the emails, Breitbart Editor-in-Chief Alex Marlow pledged that he and several other top editors would do Bannon’s “dirty work” against White House aides. The emails were shared with CNN by the prankster.
In other emails, Marlow suggested he could have Jared Kushner and Ivanka Trump ousted from the White House “by end of year” and shared a personal smear about their private lives. To say that this leak is embarrassing for Marlow would be an understatement, and it is another indication of how spear phishing can damage a professional image and reputation.
The email prankster, who runs the Twitter account @SINON_REBORN, shared the email exchange on Twitter. The account has repeatedly trolled top Trump officials, tricking top administration staff last month, including ousted communications director Anthony Scaramucci, Russian ambassador nominee Jon Huntsman, and cybersecurity chief Tom Bossert.
What can I tell staff to help them protect our business against spear-phishing attacks?
Education programmes are really important to ensure that all staff are aware of the risks. Extra vigilance when opening emails is required even when they look as though they come from within the organisation. If you’re not expecting a mail and are suspicious, the first advice is always to delete it or check with the sender. They can always resend if necessary.
How can you protect your company from a spear-phishing attack?
As well as being more difficult for your employees to spot, because of the degree of preparation and personalisation, a spear-phishing attack is also far more likely to sneak in under the radar of your email security tools. This means, like any other security challenge, the solution is going to be a combination of education, policy and technology.
There are some email security tools available on the market which are specifically designed to prevent, or at least minimise, the likelihood of a spear-phishing attack reaching its intended recipient. These use machine learning to respond quickly to changing patterns in email traffic.
Secon Cyber Security can help. As well as being able to offer a free phishing test, in partnership with KnowBe4, we can advise on steps you can implement to minimise the risk. Several of our partners offer anti-phishing solutions or solutions designed to identify whether you have been compromised. Mimecast offer phishing protection software and can identify impersonation attacks, whereas Forcepoint have their Advanced Classification Engine (ACE) and email security suite. We can work with you to understand your risk and implement the best solution for you.
For more information, call us on 0845 5678 777 or fill in the details below.