Written by Paul Mah on May 19, 2011
In my last post, I wrote about 6 reasons why spear phishing will increase. A quick scan of recent news headlines shows how many enterprises have been rocked by security breaches that originated from spear phishing. In fact, colleague Jeff Orloff also mentioned it recently when he examined the threat of APTs, or advanced persistent threats, which are typically initiated from a phishing email.
So what should businesses do when confronted with spear phishing, an old threat which has made an unwanted reappearance? I have a few suggestions on this.
1. Allocation of additional budget
Businesses must not shy away from the fact that malicious hackers are leveraging spear phishing to penetrate corporate networks for profit. These cyber criminals have, to date, successfully broken into some of the most well-known security brands in the world, and in many cases are suspected of siphoning off digital data worth its weight in gold.
Businesses must realize that unlike spam emails, the threat of spear phishing is not about lost productivity, but about protecting core digital assets. If you had millions of dollars in gold bullion in your house, would you purchase only a $10 lock to secure the gate? By the same token, it is clear that allocating additional budget for appropriate hardware and software makes sense here.
2. The importance of employee awareness through training
I think reader Larry nailed a good chunk of the problem on its head when he wrote “It’s not the number of email you receive a day that determines whether or not you are scam-prone. For me, it’s how knowledgeable you are about scam.” I think all spam administrators must have their “favorite” employees who consistently perform the wrong actions with their computers.
While it is easy to look down upon some as simply being less savvy with computers, the average user falls prey to scams and spear phishing attempts because they rarely read about the latest scams and phishing tricks, unlike the average administrator who may visit AllSpammedUp and similar sites on a regular basis. As such, the onus is on administrators to enhance the awareness of their users through regular updates or training sessions.
3. Continue to invest in anti-spam technologies
It is clear that there is a need for businesses to continue investing in anti-spam technologies. While nothing prevents employees from recovering emails from their junk folder and clicking on the malware links there, there is compelling evidence that staffers make better decisions in separating bona fide emails from genuine threats when they do not have to manually sift through a hundred spam emails per day.
In part a reaction to the shifting threat landscape, many spam solutions have progressively incorporated anti-malware and other features designed to thwart phishing. Ultimately, it is important that businesses do not stop investing in anti-spam technologies and recognize that stemming spam remains a priority.
4. Consider implementing social media monitoring
In response to an earlier article titled “6 Reasons Why Spear Phishing Will Increase,” reader Shawn observed how “The availability of personal data on social networks is the number one culprit why phishing is on the rise.” I couldn’t agree more on this point, as information gleaned from social media platforms can be used to craft highly effective spear phishing messages as bait.
Remember the furor four years ago when IT security firm Sophos ran an experiment and created the profile of a frog – replete with the picture of a toy frog – on Facebook just to see how many users would befriend the fictitious entity? It was found that 41% of users were happy to expose themselves to potential identity thieves. Today it is common to befriend perfect strangers or acquaintances on Facebook and other social media platforms. Aggravating the situation, users have become more accustomed to sharing every facet of their lives via uploaded photos, profile pages, location check-ins and status updates.
The hands of corporations are tied with regard to controlling social media networks. After all, no employee will look favorably on draconian rules about what they perceive as their personal updates. On this front, some companies have started offering social media monitoring tools which promise to make it easier for employers to monitor social media conversations. The idea is not about censorship, but about monitoring, so as to nip potential leaks of sensitive information in the bud.
Do you have any other suggestions to help protect against spear phishing?