
6 Ways to Protect Your Leadership Team from Spear Phishing Emails

Written by Dave Lazor | Wed, Dec 12, 2018

“Dear friend, I am a displaced Nigerian prince desperately in need of your help…”

By now, we’ve all become fairly savvy at detecting the average phishing scam. If foreign royalty is asking you to send money, or some other stranger cold-emails urging you to invest in a “too good to be true” proposition, you know enough to click spam!

And because we’re getting savvier as users, phishing scam artists are also getting more sophisticated.

Imagine this scenario:

Barbara on your accounting team gets an email from your CFO, who says he’s doing some analysis and needs the W2s of a handful of employees. Barbara replies, attaching the W2s – which contain the personally identifiable information (PII) of each of those employees, including their legal names, addresses, social security numbers, birthdates and more.

Or this one:

Your CEO emails your receptionist and says he wants to give employees a “thank you” gift for Thanksgiving this year. He asks her to stop at Walmart on her lunch break and pick up a bunch of gift cards, then reply to his email with the gift card serial numbers.

These seem like trustworthy situations – but they’re not. In both cases, the employee has been the victim of a spear phishing scam, and the email was not from a boss but from an outside cybercriminal masquerading as an insider by manipulating email sender information.

The Evolution of Cybercrime

Spear phishing is just what it sounds like: a highly targeted phishing scam that goes after specific people in your organization. It’s not just a blanket email sent out to a lot of people, hoping someone gullible enough will bite. It’s a very scenario-specific request that’s highly believable, and it’s also designed to prey on emotion. After all, if your boss’s boss wants something from you, and sounds like he’s slightly annoyed and in a hurry about it, you’re likely to respond. And that’s why it’s so dangerous.

The two stories we told above are both true. In the first case, the accounting department employee ended up sending employee W2s full of PII to a criminal outside the organization, putting them all at direct risk for identity theft. In the second story, the receptionist was responsible for a $5,000 loss when the scammer made off with the gift card serial numbers and went on a shopping spree.

While both of these situations are serious, it’s important to remember that we’re not just talking about a $5,000 loss here. When an employee falls for a spear-phishing email scam, he opens up your company to massive liability and puts you at risk of being sued. In fact, the average financial cost of a successful spear phishing attack is $1.6 million – and the financial burden and frequency of these attacks are only expected to go up.


Spear-Phishing Attack Prevention

Educating your users is the first and most important step for spear-phishing attack prevention – and that means everyone from your CEO to your interns. Companywide end-user training should alert everyone to the existence and dangers of spear phishing.

But there will always be mistakes, so it’s equally important to take steps that remove spear phishing from the domain of employee decision-making altogether.

1. Enable email banners for your company that highlight when an email originates from outside the company

For example:

    This email originated from a sender outside of your organization. Please use caution when opening attachments or replying with sensitive information.

A cybercriminal might try to impersonate a legitimate email address like johndoe@lazorpoint.com by instead sending from a lookalike address, johndoe@lazerpoint.com (an “e” in place of the “o”). At a quick glance, it looks like the email is from the right person, but the second address is actually a fake account from outside the organization. Email banners flag the message automatically, so the recipient isn’t solely responsible for noticing the one-letter difference.

2. Set up display name spoofing protection

Set email server rules to reject any email that uses the display name of a C-level executive or other key decision maker but actually comes from outside your organization. For example, if your CEO’s company email address is johndoe@lazorpoint.com, the email server would reject any email with the display name John Doe <johndoe@lazorpoint.com> that actually comes from another email address.
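The two controls in steps 1 and 2 come down to one decision made on the From: header: is the sender external (show the banner), and is an external sender borrowing a protected display name or a lookalike domain (reject)? The following is an added example written for this article, not code from the original post or from any mail product; the domain, the protected name and the sample headers are constructed, and a real deployment would express the same logic as a transport rule on the mail server.

```python
from email.utils import parseaddr

# Organisation data assumed for this example (constructed, not from the article):
# the real domain and the protected display names with their genuine addresses.
INTERNAL_DOMAIN = "lazorpoint.com"
PROTECTED_PEOPLE = {"john doe": "johndoe@lazorpoint.com"}


def edit_distance(a, b):
    """Levenshtein distance; lazerpoint.com is distance 1 from lazorpoint.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_from_header(from_header):
    """Classify a raw From: header the way the two server-side controls would.

    'external' drives the banner of step 1; 'reject' (with 'reasons') is the
    decision a display-name spoofing rule from step 2 would make.
    """
    display, address = parseaddr(from_header)
    display_key = " ".join(display.split()).lower()
    sender_domain = address.rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    reasons = []
    if external:
        # Display name claims to be a protected person (exact or embedded).
        if any(name in display_key for name in PROTECTED_PEOPLE):
            reasons.append("protected display name used from outside the organization")
        # The genuine address is placed inside the display name to look internal.
        if INTERNAL_DOMAIN in display_key:
            reasons.append("internal address embedded in display name")
        # One-character domain lookalike (lazerpoint.com vs lazorpoint.com).
        if sender_domain and edit_distance(sender_domain, INTERNAL_DOMAIN) == 1:
            reasons.append("lookalike domain " + sender_domain)
    return {"external": external, "reject": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for header in ("John Doe <johndoe@lazorpoint.com>",
                   "John Doe <johndoe@lazerpoint.com>",
                   '"John Doe <johndoe@lazorpoint.com>" <attacker@example.org>'):
        print(header, "->", assess_from_header(header))
```

Only the first header passes as internal; the other two are external and would be rejected, while an ordinary external sender such as a customer gets the banner but is not rejected.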

3. Disable automatic email forwarding for the organization

Once a cybercriminal has gained access to the mailbox of a target inside your organization, they might set a rule that automatically reroutes that target’s incoming email to an address they control. Even if you identify that the account has been compromised and change the password, the criminal keeps receiving the emails – and any sensitive or proprietary information they contain.

You can prevent this by disabling automatic email forwarding to email accounts outside of the organization, system-wide. Additionally, disabling automatic email forwarding will act as an early warning system if your account has been compromised because your mailbox will flood with rejected messages that the cybercriminal has tried to send out.
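Disabling forwarding system-wide is the control; the check that goes with it is a periodic audit of every path that can send a user’s mail outside the organization, both inbox rules and mailbox-level forwarding settings. The following is an added example written for this article, not code from the original post or an export from any mail platform; the record layout, the domain and the sample rules are constructed.

```python
# Constructed sample records (layout assumed for this example, not any product's).
# A rule can copy mail out ("forward_to") or divert it entirely ("redirect_to"),
# so both action lists have to be checked.
INTERNAL_DOMAINS = {"lazorpoint.com"}

SAMPLE_RULES = [
    {"mailbox": "barbara@lazorpoint.com", "name": "Receipts", "enabled": True,
     "forward_to": ["ap@lazorpoint.com"], "redirect_to": []},
    {"mailbox": "barbara@lazorpoint.com", "name": "Sync", "enabled": True,
     "forward_to": [], "redirect_to": ["collector@example.net"]},
    {"mailbox": "ceo@lazorpoint.com", "name": "Old", "enabled": False,
     "forward_to": ["personal@example.org"], "redirect_to": []},
]
# Mailbox-level forwarding set in account settings, separate from inbox rules.
SAMPLE_MAILBOX_FORWARDING = {
    "receptionist@lazorpoint.com": "gifts@example.org",
    "ceo@lazorpoint.com": "assistant@mail.lazorpoint.com",
    "barbara@lazorpoint.com": None,
}


def is_internal(address):
    """True for the organization's own domains and any of their subdomains."""
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def find_external_forwarding(rules, mailbox_forwarding, include_disabled=False):
    """Return (mailbox, source, target) for every path that sends mail outside."""
    findings = []
    for rule in rules:
        if not rule["enabled"] and not include_disabled:
            continue  # a disabled rule can be re-enabled, so audit it on request
        for action in ("forward_to", "redirect_to"):
            for target in rule[action]:
                if not is_internal(target):
                    findings.append((rule["mailbox"], "rule:" + rule["name"], target))
    for mailbox, target in mailbox_forwarding.items():
        if target and not is_internal(target):
            findings.append((mailbox, "mailbox setting", target))
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_RULES, SAMPLE_MAILBOX_FORWARDING):
        print("external forwarding:", *finding)
```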

4. Enable multi-factor authentication

Multi-factor authentication makes it much more difficult for a cybercriminal to access an account because one password is never enough to gain access. There are two types of multi-factor authentication that you can use to secure your accounts:

  • SMS authentication – To log into the account, users must enter a password and, in addition, a one-time verification code sent to their phone by text message.
  • Token-based authentication – An authenticator application on a second, paired device, such as your phone alongside your computer, must approve the login in addition to the password. Both devices must be present to log in.

5. Use a password manager

A password manager such as LastPass enables users to set complex, unique passwords for each account without having to keep track of countless letters, digits and special characters. Password managers, or password vaults, add several layers of protection, while users only have to remember the password to the vault.

Password managers don’t help with spear-phishing email attacks directly, but they do help indirectly: If a cybercriminal is successful in getting a user to hand over one password, he won’t automatically have access to the rest. It’s an important safeguard that ensures you have deeper protection.

6. Change company policies

Lastly, put policies in place to make it harder for employees to put the company at risk. For instance, the Walmart gift card scam could have been prevented by a simple policy requiring a signature from the CEO on any purchase over $500. Another smart policy might require users to get in-person or over-the-phone confirmation of any such request.

Or, in the story about the emailed W2s, a preventive measure might be to prohibit employees from sending sensitive attachments over email. Instead, insist they use a company intranet or a secure, approved company content vault.

The best defense against spear phishing is end-user awareness and technology planning. It’s impossible to immunize yourself completely from cybercrime, but you can certainly be highly proactive.

Interested in learning more about securing your organization from cyber threats? Check out our cybersecurity blog.