Spear Phishing vs. Phishing: 7 Ways to Protect Your Organization

Phishing attacks have ramped up since the start of the pandemic with the majority of workforces transitioned to a remote setting.

Spear phishing in particular has increased, and it can be even more harmful because of its targeted approach. In a spear phishing attack, hackers single out a specific individual, group, or organization and personalize the message to that target, whereas regular phishing uses a broad-strokes approach that sends bulk emails to massive lists of unsuspecting contacts.

Spear phishing messages are more difficult for the average user to detect and pose a greater risk of sensitive data being stolen.

Main Differences

Regular phishing messages are usually crafted quickly—often with bad grammar—and don’t usually include personal information about the recipient. These messages can still succeed when individuals click on email attachments or links, or reply without verifying the sender’s address.

In spear phishing messages, the content is positioned as coming from someone the recipient knows or trusts—such as a bank or a reputable company like Amazon—and the urgent tone makes it much harder for the recipient to resist taking action. The messages often include links to fake websites, or attachments infected with malware, ransomware, or spyware, and entice the reader to respond with confidential personal information. In some cases, the messages have no attachments or malicious links at all but contain instructions for the recipient to follow, making them even more challenging for email security filters to spot.

Cyber criminals also attack businesses in this fashion, targeting employees with legitimate-looking emails that appear to come from their manager or a company executive and direct them to transfer money, reveal a password, or provide confidential company information.

Security awareness training and phishing simulations are essential to teach and reinforce key concepts related to detecting and avoiding phishing threats.

Spear Phishing’s Growing Threat

Spear phishing has become a tool of choice for cyber criminals worldwide.

In 2019, before the extra challenges brought about by the COVID-19 pandemic, 65% of attack groups were already using spear phishing as their primary infection vector. On the receiving end, a whopping 95% of all enterprise network breaches were the result of successful spear phishing. The Terranova Security 2020 Gone Phishing Tournament indicated nearly 20% of employees are quick to click on phishing email links.

Protecting Your Organization

While the danger of spear phishing is real and complex, there are several ways organizations can easily limit their risk.

1. Educate, Educate, Educate

Avoiding the negative impacts of a successful phishing attack starts with effective education. Teach employees about spear phishing, and take advantage of free phishing simulation tools to help them consistently identify threats.

2. Use Proven Security Awareness Training Programs

Go beyond freely available tools and use proven security awareness training and phishing simulation solutions to keep spear phishing and related threats top-of-mind across the workplace. Ensuring your training is accessible to all users and can be consumed in various formats is also key. Long, boring training videos don’t have to be your only option.

3. Monitor and Measure Results

Empower and remind security leaders and your organization’s program ambassadors to monitor employee spear phishing awareness with phishing simulation tools. Make sure your programs are supporting long-term cybersecurity goals, and adjust where necessary.

4. Spread the Right Word

Launch an organizational awareness campaign that provides ongoing communication about cybersecurity, spear phishing, and social engineering. This includes establishing strong password policies and reminding employees about the risks that can come in the format of attachments, emails, and URLs.

5. Limit Access to Sensitive Information

In today’s bring-your-own-device era, it’s essential to establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.

6. Keep Software Updated and Current

Ensure all applications, internal software, network tools, and operating systems are up to date and secure. Install malware protection and anti-spam software.

7. Create a Security-Centric Culture

Incorporate policies and procedures, best practices, executive security awareness, change management, and support into your corporate culture.

While there are fundamental differences between spear phishing and regular phishing, the solution to both shares some common elements.

Security awareness training programs give employees the knowledge and skills they need to protect personal and organizational data, particularly as cyberthreats become more and more complex. Phishing simulations are also a vital component of any successful security awareness initiative and allow users to safely navigate scenarios they may encounter in the real world.

It’s important to identify the right type of training program for your unique cybersecurity needs and goals.

Theo Zafirakos is the Chief Information Security Officer at Terranova Security. He is responsible for all areas of information security for the creation and management of strategy, programs, governance, information risk assessments, and compliance for Terranova Security, a global leader in Cybersecurity Awareness, with 10M+ Trained Cyber Heroes in 200+ Countries and 40+ Languages. He leads Terranova Security’s Professional Services team that helps clients implement and execute information security awareness programs with measurable results.