Phishing attacks are not what they used to be. Many of us still picture them as spammers and scammers sending mass email campaigns that lead people to a fake website. The techniques have adapted and evolved since then.

Targeted attack tactics are now more subtle and more popular. For example, a spear phishing attack might go something like this:

  1. The attackers set their goal – What do they want to gain? Money, information, PII, credit card numbers.
  2. The attackers choose their target – They might first locate the right VP, Director or C-level executive; the choice of target depends on what they want to achieve. In this example, they’ve targeted Greg Murray, Corporate Director of Sales at XYZ company.
  3. The attackers perform a background check – They dig into the target’s personal details. For example: Greg plays golf, is married with two kids, has a favorite car, has an anniversary coming up soon, and recently liked a post on Facebook.
  4. The attacker launches the attack – Based on the details obtained above, he or she might send a congratulatory email including a link for a free anniversary gift.
  5. Caught – The link downloads a piece of malware for financial or espionage purposes, and the damage ensues.

As you can see from this example, the idea is to gain the victim’s trust by using familiar information they feel secure with. Add a free gift and a malicious link, and you have yourself a simple yet very successful spear phishing attack.

The link could download a piece of malware for financial or espionage purposes, or could trick the victim into giving out their credit card number or other sensitive information. The trouble that ensues can last for months or even years, and the damage to a business or individual can be severe.

Spear phishing attacks require more preparation but have a higher success rate. Here is how to protect yourself and your business:

  1. Employ clear guidelines – Even if you know the sender, treat unexpected links and attachments with caution. If you don’t know the sender, either check with your IT department or delete the email.
  2. Educate employees on how to use the web securely.
  3. Invest in security controls for the cases where your employees make a mistake (and they will, so it’s best to plan for it).
  4. Review your internal development processes to make sure your internal applications are not easily exploitable, whether they hold employee data or financial statements.
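The red flags behind these guidelines can also be checked mechanically before a message reaches the inbox. The following is an added Python example, not part of the original post: it inspects one constructed message modelled on the anniversary-gift scenario above and reports a sender whose display name claims the company but whose address is an outside domain, a link whose visible text names a different domain than its href, and lure wording combined with an external link. The company domain `xyz.example`, the lure word list and the sample message are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

INTERNAL_DOMAIN = "xyz.example"  # assumed: the organisation's real mail domain
LURE_WORDS = ("congratulations", "anniversary", "free gift")  # wording from the scenario above
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple HTML only

def registrable(host):
    """Crude 'example.com' from 'www.example.com' (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def phishing_indicators(raw_message):
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_dom = registrable(sender.addr_spec.rpartition("@")[2])
    flags = []
    # Display name claims the company, but the address is an outside domain.
    if sender_dom != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in sender.display_name.lower():
        flags.append(f"external sender {sender_dom} posing as internal")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    external = []
    for href, shown in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()  # drop any tags inside the anchor
        target = registrable(urlparse(href).hostname or "")
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
        # Visible text names one domain while the href really goes to another.
        if shown_host and registrable(shown_host) != target:
            flags.append(f"link text {shown!r} hides destination {target}")
        if target and target != INTERNAL_DOMAIN:
            external.append(target)
    lures = [w for w in LURE_WORDS if w in (msg["Subject"] + " " + body).lower()]
    if lures and external:
        flags.append(f"lure wording {lures} with external link {external[0]}")
    return flags

# Constructed sample modelled on the scenario above (not a real message).
SAMPLE = """From: XYZ Rewards Team <rewards@xyz-rewards.example>
Subject: Congratulations on your anniversary, Greg!
Content-Type: text/html

<p>Claim your free gift at <a href="http://gift-claim.example/a">xyz.example/anniversary</a></p>
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("FLAG:", flag)
```

A real deployment would replace the regex with a proper HTML parser and the two-label domain heuristic with a public-suffix list.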

Follow these steps and educate yourself and your team to keep yourself and your business safe.