Spear Phishing

Five trends driving targeted attacks:

  • Rise of Social Networking websites - Employees who share information about their jobs and colleagues are arming hackers with the ammunition to conduct sophisticated attacks.

  • Ready Markets for hacked information - Hackers steal financial and personally identifiable information (PII) and are able to easily sell this information to others who use it for financial gain.

  • Reduced profitability from SPAM - Due to increased diligence and improved SPAM filters, hackers' profits from SPAM have fallen. Therefore, they are gravitating to more targeted, lower volume phishing, spear phishing and social engineering attacks.

  • Mobile Devices and Tablets increasingly used for messaging - With Bring Your Own Device (BYOD) becoming the new norm, employees are increasingly using mobile devices and tablets to check messages. The reduced display footprint and lack of endpoint protection on the typical device make these form factors more susceptible to attacks.

  • Low Cost computing - Hackers can get a server, whitelisted IPs, a domain name and an SSL cert for less than $50. This equipment can easily be used to conduct low volume phishing campaigns.

Targeted phishing attacks share a few common traits:

  • The sender of the message will be known to the recipient of the message.
  • The subject line of the message may be an attempt to induce fear or greed.
  • The contents of the message will be personalized and will attempt to get users to click on a link or open an attachment.
  • The emails are sent to a small set of recipients.
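
The four traits above can be checked mechanically to queue mail for analyst review. This is an added example, not part of the original page: the contact list, cue words, thresholds and function names are assumptions, as is testing "known sender" as a familiar display name arriving from an unfamiliar address.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed values for illustration; tune all three to your own environment.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example.com"}  # display name -> usual address
CUE_WORDS = ("urgent", "overdue", "suspended", "final notice", "bonus", "refund")
SMALL_RECIPIENT_SET = 5

def trait_flags(raw: str) -> dict:
    """Return one boolean per trait from the list above for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    usual = KNOWN_CONTACTS.get(name.strip().lower())
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    subject = (msg.get("Subject") or "").lower()
    body, has_attachment = "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    return {
        # Assumption: "known sender" is tested as a familiar name on an unfamiliar address.
        "known_name_new_address": usual is not None and addr.lower() != usual,
        "fear_or_greed_subject": any(w in subject for w in CUE_WORDS),
        "link_or_attachment": has_attachment or bool(re.search(r"https?://", body, re.I)),
        "few_recipients": 1 <= len(recipients) <= SMALL_RECIPIENT_SET,
    }

def needs_review(raw: str, threshold: int = 3) -> bool:
    """Queue a message for analyst review when enough traits co-occur."""
    return sum(trait_flags(raw).values()) >= threshold

# Constructed sample messages (not real mail).
TARGETED = ("From: Dana Reyes <dana.reyes@example.net>\nTo: sam@example.com\n"
            "Subject: Urgent: overdue invoice\nContent-Type: text/plain\n\n"
            "Hi Sam, please review https://portal.example.net/invoice today.\n")
BULK = ("From: Weekly Digest <digest@example.org>\n"
        "To: a@example.com, b@example.com, c@example.com, d@example.com, "
        "e@example.com, f@example.com\n"
        "Subject: This week's engineering digest\nContent-Type: text/plain\n\n"
        "Read the full issue on the intranet.\n")

if __name__ == "__main__":
    for label, raw in (("targeted", TARGETED), ("bulk", BULK)):
        print(label, trait_flags(raw), needs_review(raw))
```

A single trait is common in legitimate mail, so the check only flags messages where several co-occur, and it feeds a review queue rather than a block list.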

Preventing these attacks requires a multi-layered approach. Organizations regularly deploy one or more of the following solutions, which are not completely effective against these attacks:

  • SPAM filters fail to block targeted spear phishing attacks because these emails are difficult to distinguish from legitimate emails.
  • Endpoint protection solutions provide protection against known malware signatures, but these solutions aren’t regularly deployed on smartphones and tablets where most messages are checked.
  • Phishing awareness training services are great at increasing employee awareness; however, research shows that employees begin to forget their training within days of receiving it.