The global plague of highly targeted “spear phishing” is reaching epidemic proportions with new research claiming that some firms are even resorting to launching fake attacks against their own employees to test network security levels.
Spear phishing is defined as a spam technique used by cyber-criminals to gain access to secure corporate networks and steal sensitive data. Unlike traditional phishing attacks in which millions of emails are sent indiscriminately, spear phishing attacks are extremely targeted and focus on one end user or organisation at a time. Spear phishing emails are designed to appear as if they are sent from a trusted individual or particular department within one’s organisation, and typically ask for login IDs and passwords.
Spear phishing is much more time intensive for cyber-criminals, and requires that the perpetrator study the target company and gather information on key department personnel. Information is typically gathered through public databases, articles/postings on company web sites, telephone inquiries, and hacking, according to a recently published study conducted by IT security firm Greenview Data.
“After a network has been compromised by a spear phishing attack, the attacker installs malicious software that gathers and extracts sensitive private and corporate data, often sold to third parties or used for identity theft or extortion. Attacks, if publicised, can severely damage an organisation’s reputation and degrade customer trust,” the study warned.
The report added that this sharp rise in spear phishing attacks has forced IT Security professionals to adapt with new security strategies and protocols. Network administrators are once again faced with the challenge of constantly reinforcing network protocols within their organisation. It goes on to note that some organisations are even going so far as to launch faux spear phishing attacks on their employees in order to evaluate reactions; offending employees are then coached in handling live spear phishing attacks.
“With spear phishing attacks growing in number, employees receiving seemingly legitimate email requesting sensitive data should validate the request with the sender,” said Ted Green, CEO of SpamStopsHere, which is a division of Greenview Data.
“More often than not, a potential corporate tragedy can be avoided by simply picking up the phone. Employee education is the most effective weapon in thwarting spear phishing attacks.”