SPEAR PHISHERS: WHAT ARE THEY AND HOW CAN YOU PROTECT YOURSELF FROM THEM?
Hackers are always looking to infiltrate computer systems, with the objectives of stealing money or information, or disrupting companies, government agencies, public services, etc. One way that hackers gain access is by acquiring usernames, passwords and credit card details by sending vast numbers of emails, in which they masquerade as a trustworthy entity. This kind of scam is called phishing.
Spear phishing is specialized cyber-attack in which email messages target specific individuals. The hackers often gather personal information about their target before initiating the attack, hoping that the personal information will increase their chance of success. If the recipient clicks on a link or image thought to be trustworthy, the email can upload malicious attachments and access sensitive information. Today, more hackers are gathering personal information through social networking sites, such as Facebook, Twitter and LinkedIn.
Internet security programs can often screen out generic phishing scams, but because of the personal nature of the emails, spear phishing often requires a human eye and some critical thinking skills to tell the difference between a real and a bogus email. Hackers have become adept at creating websites and landing pages that look legitimate.
Furthermore, the Department of Homeland Security reported in late June that 198 incidents of cyber-attacks were reported to DHS in 2011, compared to 9 in 2009. Of these attacks, spear phishing has been the most common technique.
“Hackers are growing ever more sophisticated, and Internet security companies often have to learn how to defend against them after the damage has been done,” says Sunstates President Glenn Burrell says. “In the case of spear phishing, cyber-criminals are posing as trusted senders from government agencies, and the email addresses can look legitimate.”
Burrell recommends the following steps to defend against these threats.
- Because spear phishers often use social media, companies should define social networking for employees, rather than assume that they know. Also, because the online trends change so quickly, it’s impossible to predict the next rising star of social networking. If a firm restricts access to certain web sites, policies must stay consistent and extend to sites of similar description.
- Password awareness is key to maintaining security. Passwords should be difficult to crack, and should be changed relatively often, perhaps monthly.
- Employees may not know not to reveal confidential information such as Social Security numbers, client information, or passwords in emails. Educate them in what is not permissible to send through email. A legitimate email will never ask for certain things.
- If the veracity of an email is in doubt, employees should call the sender and verify.
- Employees should be very suspicious when they receive work-related emails at a personal account, such as Gmail or Hotmail.
- Email software should enable image-blocking. Often, malware is image-based, and if images are blocked, the malware cannot function. If using a cell phone to check email, disable images in the phone’s email client if you can’t avoid opening suspicious emails.
- Organizations need to develop formal policies and revisit them periodically. Websites evolve, technology changes, and policies must evolve with them. Employee education on cyber-security policies is critical.
Sunstates Security can help you develop or evaluate your organization’s cyber-security measures and minimize your vulnerability to attack. Contact us today to find out how.
Department of Homeland Security – www.dhs.gov