For millions of New Jerseyans, the sunny, mid-summer weeks are the prime fishing season for fluke, weakfish, and more. Unfortunately, in today’s digital age, there’s another type of “phishing” that has nothing to do with catching creatures of the deep. Instead, spear phishing is an ever-increasing form of cybercrime; however, like actual fishing, it is bringing people together.
Law enforcement, cybersecurity companies, and legislators are working in conjunction to combat the effects of phishing and spear phishing expeditions – email-based hacking schemes designed to steal personal information. Yet, despite increasing public awareness of the problem, phishing expeditions have continued to grow in complexity – and frequency. So much so that a recent study found that compromised business emails led to a $1.3 billion loss for organizations in 2018. The report also found that 95 percent of all cyberattacks could be thwarted with simple methods. Nonetheless, cybercriminals have fully capitalized on these internal structural weaknesses.
Thus, to combat future digital attacks, a tech-centric and a human skills-centric approach is required, no matter if you are fishing at Sandy Hook or your office in Parsippany. So, for the next few minutes, as you read this article, put down your rod and reel, and focus your attention on the genuine threat businesses face.
What is Spear Phishing?
The simplest definition of spear phishing is an attempt to steal personal information from an individual or business, which is then used to access accounts or other digital assets belonging to the individual or the organization.
For instance, the hacker may email an employee to obtain their social security number, birthday, driver’s license number, or other data. They can then use that information to gain access to a bank account, PayPal account, or online data. Likewise, the hacker could also phish (that is, “hunt”) for a company’s information to hack into a network or infrastructure.
How dangerous is spear phishing to both individuals and businesses? Spear phishing accounts for:
- 71% of targeted attacks involving email
- 66% of malware involving an attachment or file
- 93% of breaches involving social media
- 64% of attacks on all U.S. businesses
- 21% of all malware attacks worldwide
Comparing Phishing to Spear-Phishing
When it comes to phishing and spear-phishing, the endgame is the same: acquiring private information. However, there is a subtle difference:
Phishing – When phishing, an attacker sends a malicious email to a large number of recipients – hundreds or thousands of potential victims. It becomes a numbers game. The more recipients who open the email, the more victims the hacker can prey on. The hacker disguises himself or herself as a trusted source to fool the recipient. The sender attempts to lure the recipient into opening the email or attachment. Or, they will try to persuade the person to click on a link to a dangerous website. From there, the attacker will attempt to take full control of the computer or network.
Spear-Phishing – During a spear-phishing attack, the hacker targets a demographic or profile. Rather than sending out a mass email, the attacker sends a specific email to a smaller number of people based on certain criteria. Factors can include social media profile, victim’s online activity, work information, hobbies and interests, and friends and colleagues’ data.
Since attackers target their victims and customize their emails, they are far more successful at accessing private information than attackers using regular phishing. In addition, someone may use spear-phishing as a means to obtain information from a friend, a colleague, or the company that person works for.
Protecting Yourself from a Spear-Phishing Attack
Fortunately, spear phishing attacks can be thwarted. Here are five tips:
- Be careful about what personal information you post online. Try to refrain from posting personal data on your social media pages or a website. When you create accounts, only provide the necessary information.
- Create smart passwords that have zero connection with anything in your life. Moreover, passwords should make no sense at all. They should include at least eight characters made up of numbers, letters, and symbols.
- Perform software updates as the new software versions become available. Outdated software is more vulnerable to spear-phishing attacks.
- Refrain from clicking on any embedded links in an email that lead to a website. You can also right-click the link or hover over the link to see the actual URL. If it does not match the website, then delete the email immediately. Also, never trust logos, letterhead, images, or anything else. Hackers are brilliant at making an email look legitimate.
- Delete any email that asks for personal information unless you are expecting the email and have confirmed the sender. Otherwise, there is no reason to hand out personal information via an email.
Ultimately, the best protection is to ensure that your employees are fully aware of common cyber threats and how to combat them. That’s why Sentribit offers a team-unifying and expansive Security Awareness Training Program, which combines engaging content, interactive videos, and simulated attacks. Call us at 908-232-2060 or sign up for a free trial.
Also, as a Managed Security Solutions Provider, Sentribit offers a 24/7/365 Security Operations Center, designed to meet the critical needs and budgetary requirements of most businesses.
If You Smell Something Phish-y…
This summer, we encourage you to take the time to enjoy some quality fishing off New Jersey’s beaches, back bays, lagoons, and lakes! But, remember: if you receive an email on your phone, and it seems phish-y – it probably is.