In the past, using strong passwords was enough to keep accounts secure and hackers at bay. This is no longer the case, and cyber security services require a lot more than just a solid password. Hackers are becoming more devious and highly sophisticated with their techniques, especially through email-based cyber attacks like spear phishing.
Spear phishing tactics are being used every day to steal sensitive data and personal information from innocent people. You might consider yourself too smart to fall into a phishing email trap but try not to feel overly confident that you won’t someday fall prey and get “hooked” by a phishing hacker.
We’ve seen a massive 667% increase in phishing attempts due to cybercriminals capitalizing on COVID-19 fears. This means you and your entire team need to be aware of the threat, and hyper-vigilant when opening any emails.
This is one of the most successful hacking methods of our time and the effects of phishing on businesses and individuals can be detrimental.
The good news is that there are ways to stop phishing in its tracks - you just have to know how to protect yourself.
The methods we’ll cover here can help to prevent even the most well-executed spear phishing campaign from resulting in company data theft.
What is Spear Phishing?
You probably have a vague understanding of phishing and whaling attacks, but vague isn’t good enough if you plan on staying protected. Even if you thoroughly understand phishing, spear phishing is a more sophisticated version of the traditional email hacking practice.
Similar to old-school phishing techniques, spear phishers attempt to gain access to usernames and passwords by simply asking for sensitive information. They do this by posing as a source you can normally trust (like your bank, cell phone provider, or personal Amazon account). There is, however, one major difference between traditional phishing and spear phishing.
Norton Security says that spear phishing “takes this trick to the next level, using social engineering...Spear phishing effectively uses all the data that’s on the Internet and social media about you to lull you into an inappropriate sense of comfort before attempting to get your personal details.”
Even as an IT service provider, we receive these emails all the time!
The email pictured above came in just last week, with many employees getting the same message from our CEO. Notice the mismatched <gmail.com> address in the "From" line, the odd personalization, and appearance of being rushed?
Telltale signs of spear phishing!
They're trying to get us to react quickly in fear that we missed something from the CEO. Prying on fear using the names of real people you work for is exactly why phishing works.
Within minutes, our internal IT team was alerted, and this sender was blocked. No breach occurred, and we went back to our normal work with no interruptions. With some personalized training, your business can become this resilient as well!
Phishing Prevalence for Individuals and Businesses
This isn’t the time to have the “it won’t happen to me” mentality. As you can see from the facts and stats below, phishing is extremely prevalent - so yes, it could potentially happen to your email address if you don’t take cybersecurity seriously.
- According to the 2019 Internet Security Threat Report from Symantec, 71.4% of targeted attacks on individuals involve spear phishing emails.
- According to the 2019 Checkpoint Research Security Report, 82% of manufacturers experienced a phishing attack that year.
- Dashlane Blog found that the average cost of phishing attacks on mid-sized companies in 2018 was $1.6 million.
Phishing incidents have been on the rise and that trend will continue. These shocking numbers say it all, but the first step to protect from a data breach and theft is awareness, so you’re already making progress.
Best Methods for Preventing Spear Phishing Attacks
As we mentioned before, awareness is a major aspect of spear phishing prevention, but it’s not the only way to keep your company protected from phishing, ransomware attacks, and other cyber threats.
Here are some of best recommendations!
1. Provide Ongoing Employee Training
Over 90% of IT security incidents start with phishing attacks against employees, so it’s no surprise that the best prevention method is through end-user training.
A phishing hacker is only successful when the victim clicks on a link or downloads a file. Once that happens, the cybercriminal is in and it’s too late. The good news is that the ball is entirely in the user’s court, and there’s no risk of a breach if the link isn’t clicked or the file isn’t downloaded.
Investing in phishing prevention training for your employees is one of the most successful prevention techniques out there. This will not only teach your employees the basics of phishing attacks and what they look like, but also provide guidance as phishing hackers evolve and become even more sophisticated over time.
2. Keep All Systems Current with the Latest Security Patches and Updates
It’s easy to overlook something as common as automatic updates. We all click that “Install Later” button out of habit, but the truth is, we’re leaving our software and systems vulnerable to attack when we do this.
Configure any software you can (including your operating system) to install updates automatically. Make sure to shut down your machine when you’re done for the day so ensure that the updates install properly, and you’re ready to go with a fresh PC in the morning!
3. Require Your Employees to Use Multi-Factor Authentication
Using MFA is one of the simplest and most cost-effective methods of enhancing email security. MFA adds an extra layer of security by requiring an additional “factor” for logins. It most commonly works as a push notification sent to a mobile device with a verification code that is needed for logging in. No extra end-user security software needed.
MFA helps to keep your business protected from ransomware and stop phishers in their tracks. It’s just one method to reduce the risk of a security breach, but it’s one you should never do without.
4. Implement a Security Policy to Address Password Expiration and Complexity
Many organizations already have a password complexity requirement in place due to regulatory compliance, but even without regulations, you should set stringent password requirements, both for expiration and complexity.
When it comes to passwords, people will always try to use the simplest password possible, and when they’re prompted to change, they’ll simply put in the same password with another number at the end. You can prevent this from happening by allowing no repeated passwords. Just make sure your employees don’t start writing down their passwords on sticky notes!
Addressing password expiration is important, because it limits the ability of a cybercriminal to access an account for a long period of time. If passwords are set to expire every 45 days, this will prevent a thief from being able to return to an account with stolen credentials in the future to steal even more data.
5. Deploy Endpoint Detection & Response on Every System
Gone are the days of installing anti-virus software the day you get a computer, never to touch it again. Endpoint Detection & Response (EDR) is the next step in cybersecurity.
EDR lives on each user’s computer, automatically detecting and stopping potential attacks that have slipped by your anti-virus software. EDR detects activity quickly and contains the adversary before they can move laterally through your network.
Using sophisticated AI, EDR monitors and stops complex attacks, like those that may be launched by a spear phishing email, automatically behind the scenes. Isolating the machine when any abnormal activity is detected, EDR can literally save your entire business.
There is no mail filter in the world that will stop spear phishing attacks. The cyber criminals have worked hard to obtain as much information about you as possible. The only way to stop them is to be educated. The steps we’ve listed above will keep your entire organization, and the client data you possess, safe.
If you’re interested in learning more about the tactics being used by cybercriminal during the COVID-19 pandemic, check out our latest guide, “Understanding COVID-19 Phishing Attacks,” below!