4 Ways to Eliminate the Big Spearphishing Threat to Your Business
Most business owners are aware that the Internet is a dangerous place these days, but few of them understand where the biggest threats are coming from, or how to defend against them. Media reports, for example, announced during the 2016 presidential election that the Democratic National Committee (DNC) had been hacked and had emails stolen by the Russians, but most news sources didn’t report how that happened.
The way the DNC was breached was through spearphishing. Unlike purely technical attacks, which can be defeated by upgrading network technology and installing defenses such as firewalls and virus scanners, spearphishing attacks can be run against any target that uses email. These days, that is every business.
This relatively new tactic is an outgrowth of phishing attacks, which are broad-based email spamming efforts designed to dupe unsuspecting recipients into revealing important credit card information or sending money to hackers masquerading as bank agents or other officials. The famous Nigerian 419 scams were a good example of these attacks.
Spearphishing involves a more involved level of deception. Attacks are commonly launched from email accounts that are built on custom domains, which may differ from a legitimate domain by only a letter or two. Attackers make great efforts to appear as though they are sending legitimate business messages from companies which have already established a business relationship with the recipient.
A 2011 attack against an established network security firm, for example, came as a message targeted to a small group of human resources professionals with the subject “2011 Recruitment Plan.” The text of the message claimed the attached spreadsheet was part of an existing recruiting campaign, but in fact it was a Flash-based exploit designed to take over their computer from the inside and expose the entire network to the hackers.
Users are inoculated against 419 scams because everyone has heard about the fake Nigerian prince claiming to want to share his wealth. But spearphishing is designed to present a unique and believable message each time, making it more difficult for potential recipients to keep their guard up.
Train Your Staff
Although it’s difficult for employees to keep their guard up, it’s not impossible. Thanks to an innovative online subscription service called PhishMe.com, it can even become automatic.
PhishMe.com does exactly what it says: it phishes your organization, at a level commensurate with the plan you select, deliberately crafting spearphishing messages and sending them to your employees. A button allows employees to report messages they think are phishing attacks, making a game of it. If they fall for the attack, PhishMe gently reminds them and their supervisor to be more cautious!
The system has the added benefit of providing a clear reporting system for employees to alert IT staff to any spearphishing attack, not just those originating from PhishMe.
Sandbox Your Email
Even if credulous employees still fall for spearphishing attacks, there is no reason your email systems have to be gullible. Sandboxing quarantines links that are included in emails, preventing users from clicking through to suspicious destination sites even if they fall for the scam.
Since virus scanning is increasingly effective against malicious payloads that are directly attached to messages, links are increasingly becoming the attack vector of choice. Sandboxing will protect your staff and your network from those exploits.
Scan Your Email
Of course, if you are not virus-checking inbound email, sandboxing may not help. A comprehensive anti-virus system that both scans and isolates suspicious email attachments before they ever reach a user’s inbox, and that also scans attachments at the desktop level, is a good, layered defense that can protect your company against both spearphishing attacks and many run-of-the-mill cyberthreats.
Keep Your Organizational Chart Secret
Spearphishers often rely on getting their messages directly into the hands of particular types of employees, as with the attack against HR professionals noted above. This allows them to select credulous staff with broad levels of access and to couch their messages in a format and with language designed to assuage the suspicions of that group.
If you do not make your internal organization chart public, you vastly complicate the efforts of hackers to identify likely spearphishing targets. Through these four simple steps, you can all but eliminate the major spearphishing threats to your business.