4 Steps to Protect Your Business from Spear Phishing

By Casey Lang • June 11, 2019

You may have heard of phishing, which is the practice of sending fraudulent texts or emails that appear to come from a legitimate source, with the intention of encouraging the recipient to provide personal information.

Businesses have been struggling to protect their networks from phishing, and with attacks up 65% in the past year, it seems the fight is far from over. To make matters worse, a more sophisticated and destructive offshoot of phishing has recently emerged — spear phishing.

What is Spear Phishing?

Phishing messages are usually generic, sent to a large number of people in order to cast a wide net in the hopes that somebody will bite. Spear phishing, as the name implies, is much more precise and is targeted at a specific victim.

The spear phisher gathers personal information about the target, such as an employer, hometown, or friends, in order to craft messages that seem more credible. No red flags are raised, and the recipient happily does as the phisher requests, sharing highly sensitive data and information about themselves in the process.

What Spear Phishing Means for Your Business

Spear phishing presents a major problem for businesses. Phishers are increasingly seeing businesses like yours as lucrative targets, with a staggering 95% of all attacks on business and enterprise networks thought to be the result of successful spear phishing. How does this happen?

The Weak Link in Your Network Security

Spear phishers usually gain access to your sensitive data and business networks via your employees. For example, they might gather information on your employee and use it to craft an email to them appearing to come from your IT team, asking them to click on a link and re-submit their credentials to access one of your network systems.

The link leads to a dummy site that’s barely distinguishable from yours. When your employee logs in, the phisher records their credentials and uses them to access your real system. There, they can steal data, spy on your business, or bring your system crashing down, and you likely won’t even know it’s happened until the damage has been done.

4 Steps to Keep Your Business Safe from a Spear Phishing Attempt

Despite your best efforts to secure your business, you’re only as strong as your employees. Adequately protecting yourself from spear-phishing, then, relies on comprehensive training and awareness. Here are four steps you can take to keep your business safe…

Step 1 – Educate Your Employees

Knowledge is power, so train your employees on how to spot spear phishing and what to do about it. And because threats like spear-phishing evolve rapidly, ensure that your training and awareness programs are refreshed and updated at least annually to stay ahead of phishers.

Step 2 – Practice Good Password Hygiene

Passwords are at the very core of your network security and as such, they deserve the utmost attention. For each of your systems, require that users create long, complex passwords and change them on a regular basis. Don’t just ask users to do this and trust that they’ll comply; make it a mandatory requirement for using the system. And of course, the sharing of company passwords should be discouraged in the very strongest terms, even between other employees.

Step 3 – Implement Multi-Factor Authentication

Multi-factor authentication, or MFA, adds an extra layer of security to your systems. After the user enters their password, they’re typically required to pass through a further verification stage by entering another password/code, answering a question, submitting biometric information, or responding to an email or text. If somebody does obtain the user’s password, MFA means they’ll usually be thwarted at this second stage.

Step 4 – Take Good Practices Home

In order to be effective, good security practices must go beyond the office. Spear phishers will usually target a victim outside of work too, so your employees must be encouraged to apply the same awareness, caution, and protection to their personal and home networks.

That means practicing good password hygiene on any devices or online systems they use outside of work, from banking to social media to online grocery shopping and everything in between. Where available, they should be encouraged to set up multi-factor authentication, too.

Personal phones, computers, and other devices should be password-protected, encrypted, and secured with up-to-date antivirus and malware programs. This is especially true if they use these devices for business-related activity, in which case you should embed usage rules into company policy.

Your employees should be encouraged to take all reasonable measures to protect company data that’s taken outside of the workplace, whether on a business trip or to a home office. Physical documents and devices should be stored securely when not in use, such as in a locked briefcase or filing cabinet.

Finally, employees should think carefully about the work information they share with their personal network. Your employee might think they’re bringing their old high school buddy up to speed on all the exciting projects they’ve been working on, but there could be a phisher on the other end of the email conversation, gathering data about your business.

Don’t Fight Phishing Attacks Alone

With 76% of businesses falling victim to a phishing attack last year, it seems phishers are winning the fight for your sensitive data. That doesn’t have to be the case. Protect your business now with expert training and managed security services from CyberSheath. Contact us now to find out how we can help.
