Business + IT Insights

6 Ways to Protect Your Leadership Team from Spear Phishing Email Attacks

Posted by Dave Lazor on Wed, Dec 12, 2018


laptop cybersecurity“Dear friend,
I am a displaced Nigerian prince desperately in need of your help…”

By now, we’ve all become fairly savvy at detecting the average phishing scam. If foreign royalty is asking you to send money, or some other stranger cold-emails urging you to invest in a “too good to be true” proposition, you know enough to click spam!

And because we’re getting savvier as users, phishing scam artists are also getting more sophisticated.

Imagine this scenario:

Barbara on your accounting team gets an email from your CFO, who says he’s doing some analysis and needs the W2s of a handful of employees. Barbara replies, attaching the W2s – which contain the personally identifiable information (PII) of each of those employees, including their legal names, addresses, social security numbers, birthdates and more.

Or this one:

Your CEO emails your receptionist and says he wants to give employees a “thank you” gift for Thanksgiving this year. He asks her to stop at Walmart on her lunch break and pick up a bunch of gift cards, then reply to his email with the gift card serial numbers.

These seem like trustworthy situations – but they’re not. In both cases, the employee has been the victim of a spear phishing scam, and the email was not from a boss but from an outside cybercriminal masquerading as an insider by manipulating email sender information.

The Evolution of Cybercrime

Spear phishing is just what it sounds like: a highly targeted phishing scam that goes after specific people in your organization. It’s not just a blanket email sent out to a lot of people, hoping someone gullible enough will bite. It’s a very scenario-specific request that’s highly believable, and it’s also designed to prey on emotion. After all, if your boss’s boss wants something from you, and sounds like he’s slightly annoyed and in a hurry about it, you’re likely to respond. And that’s why it’s so dangerous.

The two stories we told above are both true. In the first case, the accounting department employee ended up sending employee W2s full of PII to a criminal outside the organization, putting them all at direct risk for identity theft. In the second story, the receptionist was responsible for a $5000 loss when the scammer made off with the gift card serial numbers and went on a shopping spree.

While both of these situations are serious, it’s important to remember that we’re not just talking about a $5,000 loss here. When an employee falls for a spear-phishing email scam, he opens up your company to massive liability and puts you at risk of being sued. In fact, the average financial cost of a successful spear phishing attack is $1.6 million – and the financial burden and frequency of these attacks are only expected to go up.

Spear-Phishing Attack Prevention

Educating your users is the first and most important step for spear-phishing attack prevention – and that means everyone from your CEO to your interns. Companywide end-user training should alert everyone to the existence and dangers of spear phishing.

But there will always be mistakes, so it’s equally important to take steps to take spear phishing out of the domain of employee decision-making.

1. Enable email banners for your company that highlight when an email originates from outside the company

For example:

 


This email originated from a sender outside of your organization.Please use caution when opening attachments or replying with sensitive information.


 

A cybercriminal might try to spoof a legitimate email address like johndoe@lazorpoint.com by instead sending emails using the display name johndoe@lazerpoint.com. At a quick glance, it looks like the email is from the right person, but the second email address is actually a fake account from outside the organization. Email banners flag this, so the recipient isn’t solely responsible for noticing the subtle difference.

2. Set up display name spoofing protection

or other key decision makers – but actually comes from outside your organization. For example, if your CEO’s company email address is johndoe@lazorpoint.com, the email server would reject any emails with the display name John Doe {johndoe@lazorpoint.com}but actually coming from another email address.

3. Disable automatic email forwarding for the organization

To get access to the mailbox of a target inside your organization, a cybercriminal might set a rule to automatically reroute emails to that target to their own email address. Even if you identify that an account has been compromised and change the password, the criminal still has access to the emails – and any sensitive or proprietary information they contain.

You can prevent this by disabling automatic email forwarding to email accounts outside of the organization, system-wide. Additionally, disabling automatic email forwarding will act as an early warning system if your account has been compromised because your mailbox will flood with rejected messages that the cybercriminal has tried to send out.

4. Authorize multi-factor authentication

Multi-factor authentication makes it much more difficult for a cybercriminal to access an account because one password is never enough to gain access. There are two types of multi-factor authentication that you can use to secure your accounts:

  • SMS authentication – To log into the account, users must use a password and, in addition, a text verification.
  • Token-based authentication – An application on two paired devices, such as your computer and your phone, is required to log into your account. Both devices must be present to log in.

5. Use a password manager

A password manager such as LastPass enables users to set complex, unique passwords for each account without having to keep track of countless numbers, digits and special characters. Password managers, or password vaults, add several layers of protection, while users only have to remember the password to the vault.

Password managers don’t help with spear-phishing email attacks directly, but they do help indirectly: If a cybercriminal is successful in getting a user to hand over one password, he won’t automatically have access to the rest. It’s an important safeguard that ensures you have deeper protection.

6. Change company policies

Lastly, put policies in place to make it harder for employees to put the company at risk. For instance, in the story about the Walmart gift cards, this situation could have been remedied by a simple policy requiring a signature from the CEO on any purchase over $500. Another smart policy might require users to get in-person or over-the-phone confirmation on such a request.

Or, in the story about emailed W2s, a preventative measure might be to prohibit employees from sending attachments over email. Instead, insist they use a company intranet or a secure, approved company content vault.

The best defense against spear phishing is end-user awareness and technology planning. It’s impossible to immunize yourself completely from cybercrime, but you can certainly be highly proactive.

Interested in learning more about securing your organization from cyber threats? Check out our cybersecurity blog.

Tags: IT Security

Subscribe by Email

What percentage of your employees are prone to phishing attacks? It might be higher than you think. Find out today.
New Call-to-action
You deserve more. One meeting with Lazorpoint and you'll understand how we turn your standard IT into a business advancement engine.