Spear-phishing is the fraudulent practice of sending emails that appear to be from a known or trusted sender in order to induce targeted individuals to reveal confidential information. Cybercriminals may also ask recipients to perform an action, such as transferring funds to an account that seems legitimate but is the criminal’s bank account. Therefore, it’s critical that businesses protect themselves to help prevent spear-phishing.
How Spear-phishing Happens
The important thing to understand is that a spear-phishing attempt is only successful if the victim follows the cybercriminal’s request. This means that if your employees are not aware of what to look for and you don’t have the proper protocols in place to identify a potential spear-phishing email, your business is especially at risk.
Cybercriminals are cunning in their methods and skilled at tricking people into following requests that, at first glance, look legitimate. They often hack into an organization’s computer network or comb through websites, blogs and social networking sites to find the information they need to make an email look authentic.
Here’s a real-life example of what a spear-phishing attempt can look like: A CEO receives an email that looks like it came from the CFO. It includes the CFO’s signature block at the bottom of the email and the CFO’s name identified as the “sender.” The email asks the CEO to transfer $100,000 to a bank account. Thinking this is a valid request from the CFO, the CEO transfers the money. Later, he learns that he has transferred the money into a cybercriminal’s account and is not able to recover the funds.
Spear-phishing criminals may also ask for sensitive or confidential information, such as account numbers, passwords and access codes. With it, they can access your company’s bank account, use your credit cards and create a whole new identity using your information.
How to Help Prevent Spear-phishing
There are three primary ways to protect your business and help prevent spear-phishing:
Because employees—including leadership—must perform an action that gives the cybercriminals what they want, employee training is critical to prevent spear-phishing. Your IT department or IT vendor should provide regular training to help employees identify fraudulent emails.
Tips for employees include:
- Before following the email request, ask yourself whether it makes sense. If you get an email that appears to be from the CFO but the message seems at all odd, that should raise a red flag.
- One way to identify a malicious email is to check the spelling of the sender’s email address. An email may come through looking like it’s from someone you know. But if you click on the email address and it is not spelled correctly, that’s a good indicator that a cybercriminal is trying to spoof you.
- If you receive a suspicious email, we recommend you forward it to your IT department for analysis. Then delete the email permanently from your Inbox and Deleted items.
You may also consider utilizing security awareness training platforms. These can help prevent spear-phishing by testing your team. Programs send out mock phishing emails to determine who may need more training.
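The sender-address check from the tips above, as an added Python example that is not part of the original article: it folds common look-alike characters and flags a sender domain that is a near-miss of the company's own domain, the misspelled-address pattern described in the second tip. `TRUSTED_DOMAINS` and `SAMPLE_HEADERS` are constructed assumptions, not values from the article.

```python
from email.utils import parseaddr

# Constructed allowlist of domains the company really sends mail from (assumption,
# not from the article); keep entries lowercase and free of confusable characters.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample From: headers to triage (assumption, not real messages).
SAMPLE_HEADERS = [
    "CFO Jane Doe <jane.doe@example-corp.com>",
    "CFO Jane Doe <jane.doe@examp1e-c0rp.com>",
    "CFO Jane Doe <jane.doe@example-corp.co>",
    "Newsletter <news@vendor-updates.net>",
]


def _levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e-c0rp.com' reads as 'example-corp.com'."""
    folded = domain.lower().translate(str.maketrans("013", "ole"))
    return folded.replace("rn", "m").replace("vv", "w")


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'external'.
    'lookalike': domain is not on the allowlist but, after folding confusables,
    is within two edits of an allowlisted domain (the misspelled-address tip)."""
    _display_name, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    if not at:
        return "external"  # no routable address at all
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = _normalize(domain)
    if any(_levenshtein(folded, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its verdict; 'lookalike' hits are the ones to forward to IT."""
    return {h: check_sender(h) for h in headers}
```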
Develop company policies and procedures to help prevent spear-phishing. This may include:
- Developing strict multistep internal processes that would catch fraudulent requests. For example, before transferring funds, require a two-factor verification process. Contact the CEO or executive who is requesting a funds transfer. Then get secondary verbal confirmation of the request before proceeding.
- Working with your bank to ensure only certain people can access accounts and/or complete wire transfers. Also, ask the bank to validate requests by requiring two people to sign off on account-related activity.
It’s also important to implement standard IT security measures to catch fraudulent emails. Spam filters can help prevent spear-phishing by catching some attempts, especially if they pick up on emails coming from outside of the country. However, keep in mind that no security product is perfect. It is still people who present the biggest risk factor when it comes to spear-phishing. This is why employee awareness and training are so important.
If you think your business may be at risk of spear-phishing attempts, contact us today.