Phishing

Spear-phishing differs from indiscriminate phishing in that the attacker deliberately targets a specific individual or organization to steal information. Because each message is tailored to its recipient, spear-phishing is much harder to defend against than ordinary spam, and most organizations are not prepared for it. A study from security vendor Cloudmark found that over 84% of polled organizations in the US and UK had encountered spear-phishing, and a third of respondents admitted a financial loss as a result.

Most people are familiar with ordinary phishing: mass spam emails that try to get a user to follow a link to an attack site or to open a malicious attachment. Spear-phishing is more sophisticated. The attacker first researches the organization to learn its standard business procedures, then plans a calculated attack. Almost every organization has some online presence, which makes it easy to map out the employee hierarchy, department heads and internal systems. With that information in hand, the attacker tailors the message to stay under the radar and aims it at the users judged most susceptible. An employee who believes an email came from a client or co-worker is far more likely to follow a dangerous link or open an attachment than one who receives an obvious piece of spam.

The Cloudmark study found that while most organizations have security measures in place, those measures are simply not sufficient for the volume and targeted nature of the attacks coming through. Ninety percent of respondents had seen email-based spear-phishing, and nearly fifty percent had also encountered attacks delivered through mobile platforms and social media. Attacks arriving via social media are often ignored and can go unchecked for months, giving a compromised system time to mine the organization's data or spread the infection further. The estimated financial impact of successful spear-phishing campaigns over the preceding 12 months was over 1.8 million dollars in the United States alone.

As with any phishing scam, education is the most valuable defense. Employees should be trained to recognize suspicious emails and website links: a sender name that matches a colleague but comes from an outside address, a domain that is one character off from the company's own, or link text that does not match where the link actually points. Training reduces the number of people who click but never eliminates it, so it is just as important that employees feel comfortable reporting suspicious content, and even their own mistakes, if they do fall for a scam. A breach that is reported can be contained and fixed; an unreported one only gets worse the longer it is left alone.
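The cues described above (a familiar display name on an outside address, a lookalike domain, a Reply-To that quietly redirects replies, link text that disagrees with its target) can also be checked mechanically before a message reaches the recipient. The script below is an added example written for this article, not code from the original post or from Cloudmark. The organization domain, the staff directory and both sample messages are constructed for illustration; a real deployment would read the directory from the identity system and run at the mail gateway, and the heuristics are meant to complement awareness training, not replace it.

```python
"""Heuristic spear-phishing triage over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organization data, constructed for this example.
ORG_DOMAIN = "example.com"
KNOWN_STAFF = {  # lower-cased display name -> the address that name legitimately uses
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = ORG_DOMAIN) -> bool:
    """True for a domain that is not ours but within two edits of it (examp1e.com, exarnple.com)."""
    return domain != target and edit_distance(domain, target) <= 2


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def host_of(url: str) -> str:
    """Hostname of a URL; a bare host without a scheme is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(raw_message: str) -> list:
    """Return human-readable findings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name belongs to a colleague, but the address is not that colleague's.
    known = KNOWN_STAFF.get(display_name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display-name impersonation: '{display_name}' but sender is {addr}")

    # 2. Sender domain is a near miss of the organization's own domain.
    if is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain: {sender_domain}")

    # 3. Replies are silently routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({addr})")

    # 4. Link text displays one host while the href points at another.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_SPEAR = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: invoices@mail-relay.invalid
To: sam.lee@example.com
Subject: Updated wire instructions for the Acme invoice
Content-Type: text/html; charset=utf-8

<p>Sam, finance changed banks this week. Please confirm the new details here:
<a href="http://portal.examp1e.com/login">https://portal.example.com/login</a></p>
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: sam.lee@example.com
Subject: Lunch menu
Content-Type: text/html; charset=utf-8

<p>Menu: <a href="https://intranet.example.com/menu">https://intranet.example.com/menu</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("spear", SAMPLE_SPEAR), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

Each finding maps to one of the cues employees are taught to look for, so the same script doubles as a way to generate realistic training material: run it over a mailbox export and the messages with the most findings are the ones worth walking through with staff.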

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer