Phishing is a technique in which cyber criminals attempt to obtain personal information by making emails, text messages, and other communications look as though they come from a legitimate website (such as PayPal, a bank log-in page, or a retail store account). The user logs in and reveals credit card numbers, home addresses, and other information.
Spear phishing is far more malicious. Think of phishing as being close to actual fishing: the cyber criminal casts a wide net and just wants to latch on to whoever takes the bait. A large number of people get the spoof message, and the phisher hopes someone will carelessly download the malware within. Spear phishing, on the other hand, may use similar tactics but is highly targeted: it’s Ahab going after the white whale, not just any whale in the ocean.
Spear phishing attempts are targeted attacks that exploit a team member’s personal information, such as an employee using their real name with a social media profile. The phisher examines social profiles, reviews on sites like Amazon, and so on, then tries to get the victim to give up personal information by pretending to be a co-worker, customer, or vendor.
The message will sound urgent, for example claiming that a supplier won’t ship an order until the victim updates their financial details or other sensitive information. The link within the email then goes to a spoof page designed to steal that information.
Other spear phishing attempts will try to get the victim to download malware or open suspicious attachments (for example, by claiming to be a client asking one of your team members to check out an Excel sheet).
How Can Spear Phishing Be Dealt With?
A social media post describing something the company just purchased, like a snazzy new perk for the employee lounge or a catered office party, could be all it takes to get a cyber criminal interested. Spear phishers will pretend to be a supplier or payment processor, aiming to take advantage of busy managers who don’t want events and operations to halt as a result of incomplete payment.
An urgent message from a bank or vendor could sound legitimate. To make sure it is, avoid clicking links in emails even if your email software says the domain is verified (cyber criminals are always one step ahead in this department). Manually go to the website and check on your account, or call the vendor or customer to confirm it’s an actual issue and not a phishing attempt.
Have your team update their passwords every so often and use randomly generated passwords that can’t be easily cracked. Passwords based on things like birth dates, interests, and other personal information can be easily guessed, and “pet passwords” that team members reuse on multiple sites facilitate phishing.
Are you concerned that your organization is at risk for spear phishing? Book a call with one of our experts today to learn more about staying on top of your email security!