What Is Spear Phishing and How Can a Company Prevent It?

February 13, 2020 at 9:46 AM / by Juan Fernandez - VP of Managed IT Services

Think your company is entirely impervious to phishing? Think again. Network security may have evolved, but so have the criminals it’s trying to stop. In 2019, phishing took on a new and more sinister tone. It’s called spear phishing, and companies need to be on the lookout for it.

Phishing involves sending counterfeit emails disguised as legitimate communications from organizations like banks or business services. Carefully crafted to look like the real deal, they attempt to trick employees and private citizens into handing over login credentials. Phishers hedge their bets on the fact that people are expecting these communications and won’t look too closely at the actual email.

They work. Cisco estimates that 85 percent of all email was spam, much of it phishing. As most companies rely on emails to communicate, phishing represents a serious concern. Read on to learn about phishing’s more specialized cousin, spear phishing, and how to protect against this latest redesign of one of the oldest cyberattack strategies in the book.

Spear-Phishing: A New Take on an Old Trick

According to Cisco, spear-phishing is a specialized form of phishing. Rather than sending blanket phishing emails to a list of targets, spear phishing is explicitly tailored to the recipient.

The cybercriminal conducting the spear-phishing will spend time researching both the company itself and the individuals who are most susceptible to an attempt. Exactly who that person is may vary, but nobody is particularly safe or more at risk. Cisco discovered that CEOs and high-level executives were just as likely to be targets of spear-phishing attempts as lower-level employees.

Likewise, the nature of a spear-phishing email will change according to the target. High-level executives frequently received spear-phishing emails mimicking investment firms, banks, or business services. Lower-level employees, however, received something substantially more frightening: the business email compromise (BEC) attack.

A BEC attack is a spear-phishing tactic that spoofs the email address of an executive or high-level manager in a company and sends an employee a message instructing them to carry out seemingly legitimate business functions. According to Cisco, 2019 saw an uptick in this new type of attack.
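The following is an added example, not part of the original article, of header checks a mail gateway or triage script could apply to the BEC pattern described above: an executive's display name on an outside address, a Reply-To that points at a different domain, and the company's own domain arriving without a DMARC pass. `ORG_DOMAIN`, the executive names, and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration only: the company's domain and protected names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "raj patel"}

def domain_of(addr):
    """Return the lowercased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return a list of BEC warning signs found in a raw message's headers."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Only trust Authentication-Results stamped by your own gateway (RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    from_dom = domain_of(from_addr)
    findings = []
    # 1. Executive's display name, but the address is outside the company.
    if " ".join(name.lower().split()) in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append("exec-name-external-sender")
    # 2. Replies would be routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-domain-mismatch")
    # 3. Claims to come from the company domain but did not pass DMARC.
    if from_dom == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal-domain-without-dmarc-pass")
    return findings

# Constructed sample messages (headers only matter here).
LOOKALIKE = ('From: "Jane Doe" <jane.doe@exec-mail.test>\n'
             "Authentication-Results: mx.example.com; dmarc=pass\n"
             "\nconstructed body\n")
FORGED = ('From: "Jane Doe" <jane.doe@example.com>\n'
          "Reply-To: jane.doe@webmail.test\n"
          "Authentication-Results: mx.example.com; dmarc=fail\n"
          "\nconstructed body\n")
GENUINE = ('From: "Jane Doe" <jane.doe@example.com>\n'
           "Authentication-Results: mx.example.com; dmarc=pass\n"
           "\nconstructed body\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("forged", FORGED), ("genuine", GENUINE)]:
        print(label, bec_indicators(raw))
```

Flagged messages are candidates for a warning banner or quarantine, and for the out-of-band confirmation with the supposed sender that the tips below recommend.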

Tips for Preventing Spear Phishing

Phishing is getting harder to prevent because cybercriminals are getting craftier. If the spate of BEC attacks this year is any indication, hackers are willing to spend the time and effort to research their targets to create a targeted email that slips right past even the most advanced security.

However, there are still tactics companies can implement to prevent spear phishing attempts from being successful. Some countertactics include:

  • Establish an email communication policy: Provide clear guidelines to employees regarding who might email them, when, and why. Instruct employees never to click links or forward confidential information via email. Provide a list of safe login URLs for any business services.
  • Use multi-factor authentication on accounts: Mandate the use of multi-factor authentication so that even if login credentials fall into the wrong hands, an attacker will be unable to access accounts without the additional step.
  • Confirm suspicious emails before interacting with them: Train employees to reach out to colleagues in other ways if they feel that an email they've received is illegitimate.
  • Educate staff frequently: Yearly refreshers on cybersecurity and internet safety aren’t enough. Aim to provide short refreshers at least every few months.

How Managed IT Services Can Help

Managed IT services can be a smart move for companies seeking to augment their email security. With the help of these inveterate professionals, companies can beef up their network security. They’ll always be on the lookout to thwart, prevent, and even deter cybercriminals. Managed IT services can:

  • Deploy more sophisticated cybersecurity strategies, such as the use of artificial intelligence to identify and block spear phishing attacks.
  • Properly configure email and internet servers to prevent or quickly spot and remove unauthorized connections.
  • Free up the internal IT department to focus on other aspects of the company’s IT infrastructure.
  • Help promote security best practices and the creation of a security-oriented company culture.

ImageNet Helps Companies Avoid Getting Duped

Phishing is one of the oldest tricks in the book, originating in the early 1990s when email gained popularity. Today, phishing attacks have evolved into a set of sophisticated strategies that are increasingly difficult to spot. The latest evolution of phishing, spear-phishing, is a dangerous tactic capable of fooling even the most diligent of email recipients. It also shows that a company’s data is so valuable that hackers will spend the energy necessary to create a cleverly crafted email that works.

ImageNet Consulting helps companies secure their networks and prevent cyberattacks of all kinds. Start a conversation with us today to discuss your company’s unique cybersecurity needs.

Written by Juan Fernandez - VP of Managed IT Services

Juan Fernandez is the VP of Managed IT Services for Imagenet Consulting. He has been in the IT industry for over 22 years, during which he has worked for several companies, such as San Juan College, Honeywell International, and Sandia Labs. With proficiencies in HIPAA and PCI compliance, he has focused on small business, government, education, healthcare, and financial industries. Juan believes in best-of-breed technologies, education, and certifications. He was recently selected to assist in writing the CompTIA A+ and Security+ tests and was also invited to participate in validating the CASP (CompTIA Advanced Security Practitioner). Juan was also selected to join the CompTIA Subject Matter Expert Technical Advisory board. He is dedicated to improving service delivery through embracing effective and efficient use of technology and creating effective business models for delivering new IT-based services such as SaaS, DRaaS, and HaaS. Juan is active in technology collaborations related to strategy, computer infrastructure, and cybersecurity. He has served as a leader to many organizations and is an experienced presenter at technology seminars and conferences. Juan holds a BS degree in computer science from Western Governors University and the following certifications: Microsoft Certified Systems Engineer, Cisco Certified Network Administrator, Network+, Security+, A+, and Certified Internet Web Professional.
