A phishing campaign is very broad and automated, so it doesn’t take a lot of skill to execute a massive one. Most phishing campaigns seek things like credit card data, usernames and passwords, and are usually sent to large lists of email addresses.
On the other hand, spear phishing is highly targeted, going after a specific employee, company, or department within a company. This approach requires advanced hacking techniques and a greater amount of research on the target. Spear phishers are seeking more valuable data like confidential information, business secrets, and things of that nature. That is why a more targeted approach is required: they find out who has the information they seek and go after that particular person. A spear phishing email is just the beginning of the attack, as the bad guys then attempt to get access to the larger network.
The “from” part of a spear phishing email is often spoofed to make it look like it’s from a known entity or from a domain that looks similar to yours or your trusted partners. For example, the letter “o” might be replaced with the number “0,” or the letter “w” might be changed to “ш” from the Russian alphabet.
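One way a mail team can catch the look-alike domains described above is to collapse every sender domain to an ASCII "skeleton" (digits and foreign-script letters mapped back to the letters they imitate) and compare that skeleton against the company's own and its partners' domains. The script below is an added example for this article, not code from Yes Tech; the trusted-domain list, the sample From: headers and the small confusables table are constructed for illustration (the Unicode Consortium's confusables.txt is the authoritative list). It looks only at the header From: domain; SPF/DKIM alignment on the envelope sender is a separate check.

```python
"""Flag sender domains that imitate a trusted domain with look-alike characters.

Added example for the article above; the trusted-domain list and the sample
From: headers are constructed, not taken from any real mail flow.
"""
import unicodedata
from email.utils import parseaddr

# Domains this organisation treats as its own or as trusted partners (constructed).
TRUSTED_DOMAINS = ["yestech.com", "example-partner.com"]

# Look-alike characters mapped to the ASCII letter they imitate. Hand-built and
# deliberately small; extend it from Unicode TR39 confusables.txt in production.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digits for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0448": "w",  # Cyrillic с у х ш
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) the way they appear on the wire."""
    if "xn--" in domain:
        try:
            return domain.encode("ascii").decode("idna")
        except UnicodeError:
            return domain
    return domain


def skeleton(domain: str) -> str:
    """Collapse a domain to an ASCII skeleton so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    d = d.replace("rn", "m")  # 'rn' renders almost like 'm' in proportional fonts
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def suspicious_chars(domain: str) -> list:
    """Non-ASCII characters in the domain with their Unicode names, for the analyst."""
    return [(ch, unicodedata.name(ch, "UNKNOWN"))
            for ch in to_unicode(domain) if ord(ch) > 127]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of an RFC 5322 From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for an exact match or a subdomain of a trusted domain,
    'lookalike' if only the skeleton matches one, otherwise 'unknown'."""
    norm = to_unicode(domain).lower()
    if any(norm == t or norm.endswith("." + t) for t in trusted):
        return "trusted"
    sk = skeleton(norm)
    if any(sk == skeleton(t) or sk.endswith("." + skeleton(t)) for t in trusted):
        return "lookalike"
    return "unknown"


def classify_header(from_header: str) -> str:
    """Classify a whole From: header value by its sender domain."""
    return classify_domain(sender_domain(from_header))


if __name__ == "__main__":
    # Constructed sample headers: a genuine one, two look-alikes, one unrelated.
    samples = [
        '"Payroll" <payroll@yestech.com>',
        '"IT Support" <helpdesk@yestech.c\u043em>',      # Cyrillic о for o
        '"Accounts" <ap@exarnple-partner.com>',          # rn for m
        '"Newsletter" <news@yestech-support.com>',
    ]
    for header in samples:
        domain = sender_domain(header)
        print(f"{classify_header(header):9} {header}  {suspicious_chars(domain)}")
```

Anything that comes back as `lookalike` deserves a quarantine or a banner rather than a silent drop, since the skeleton comparison is deliberately aggressive and will also catch unrelated domains that happen to collapse onto a trusted one.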
While older spear phishing campaigns used to simply contain the malicious documents attached in the email as is, or perhaps in a zip file, criminals have adapted their methods. Many malicious documents are now housed on legitimate sites such as Box, Dropbox, OneDrive or Google Drive as threat actors know these are unlikely to be blocked by IT. Analysts are also starting to see phishing attacks that are trying to compromise API tokens or session tokens in order to get access to an email box or to get access to a OneDrive or SharePoint site.
Again, prevention looks like this:
- Think before you click!
- Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, contact the source of the email directly by phone or in person.
- Enlighten your users about the dangers of oversharing their personal information on social media sites including, but not limited to, LinkedIn, Facebook, Twitter, and Snapchat. The more the bad guys know, the more convincing they can be when crafting spear phishing emails.
- Your employees are your defense! They need to be trained using an up-to-date, constantly evolving cybersecurity awareness training course and receive frequent simulated phishing emails to keep them on their toes with security at the forefront of their mind.
Yes Tech provides cybersecurity training for our customers. Since 91% of successful attacks use spear phishing to get in, we know how important it is to educate our user base and spread the word. Call us at (504) 372-1372 to schedule an appointment today. We’d love to guide you through training your employees to defend against these attacks and keep your network secure.