Imagine this: You receive an email from your colleague with the subject line: “2018 Strategy Plan.” You open the email to find an attached Excel file titled “2018 Strategy Plan.”
It looks like it’s coming directly from your colleague.
Pretty typical email, right?
Well, it happens to be coming from a hacker.
...and they’ve embedded a Flash object in the attached Excel file.
Once you open the file, the cyber attack launches. It launches through a vulnerability in Adobe Flash, allowing the cyber criminal to receive sensitive information.
This, my friends, is called spear phishing.
And spear phishing happens to be more common than you think.
What is Phishing?
Phishing is a type of cyber attack in which a hacker poses as a trusted source online in order to acquire sensitive information from your company.
It’s a common and technologically simple scam that can put your co-workers and your company at risk.
But resourceful hackers are resorting to more refined and sophisticated ways of acquiring information, and this approach is called spear phishing.
What is Spear Phishing?
Spear phishing attacks are often disguised as a message from a friend or colleague and are more convincing than a traditional phishing scam.
A spear phishing email typically contains personal information, which makes it much more difficult for the victim to identify it as malicious.
Any personal information that’s posted online can potentially be used as bait in a spear phishing email. The more that a hacker learns about a potential victim, the more trustworthy he or she will appear during the cyber attack.
And once the trust is gained, a hacker can make reasonable requests through spear phishing emails, such as asking the victim to click on a link, supply usernames and passwords, or open an attachment.
What is a Phishing Email?
A phishing email example could look like this:
Hope you had a great weekend. Do you have PDF copies of the employees’ W2’s? If so, can you forward them over to me for a quick review?
Sent from my iPhone
In this example, Patrick’s email address, which is firstname.lastname@example.org, could perhaps have an additional “l” at the end to look like this: email@example.com, which could easily go unnoticed by Lori.
Falling for phishing scams can give a hacker access to personal and financial information across an entire network. And, successful spear phishing attacks oftentimes go unnoticed, increasing the risk of large and continued, costly losses.
How to Protect Your Company From Spear Phishing?
While you can’t necessarily avoid the risk of a spear phishing attack, there are things you can do today to prevent further damage to your business.
To start, make sure your employees are aware of these simple techniques:
- Never send financial or personal information electronically, even if you know the recipient well. It may be possible for a third party to intercept this information, especially if the recipient is later subject to a spear phishing attack.
- Be cautious when you are asked to divulge personal information in an email, even if it appears to be from a trusted source. It could be a hacker impersonating another person or group.
- Only share personal information on secure websites or over the phone. When in a web browser, you can ensure a website is secure when you see a lock icon in the URL bar, or when an “s” is present in the “https:” of a URL. The “s”, added to the end of the normal “http”, stands for “secure”.
- Some spear phishing attacks use telephone numbers, so be sure to never share information over the phone unless you initiate the call to a trusted number.
- Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
- Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
- Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.
- Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.
- Never enter any personal or financial information into a pop-up window or a web browser.
How to React To a Spear Phishing Attack
If you believe that your company has been the target of a spear phishing attack, act quickly!
- Immediately change passwords of any accounts connected to the personal and financial information of your business or its clients
- Obtain a list of recent and pending transactions
- Contact law enforcement if necessary
- Reach out to your third-party IT expert to pinpoint any vulnerabilities that remain in your business’ network
The Cost of a Spear Phishing Attack
The aftereffects of a spear phishing attack can be costly because of the many fees associated with remedying the situation.
Some of these fees include costs associated with:
- Recovering from a data breach
- Losses related to business interruption
- Cyber extortion defense
- Forensic support
- Legal fees
Regardless of your company’s size or industry, you’re at risk of a spear phishing scam. There’s no better time than today to get serious about the cyber risk exposures you face. Start by implementing simple strategies to minimize your risk of a cyber attack.
Download our FREE Cyber Security Planning Guide
In addition to the tips and strategies above, download our FREE Cyber Security Planning Guide. The guide is designed to help you protect your business, information and customers from growing cyber threats.
It’s no secret that cyber risk is on the rise.
By understanding the risks your company faces, and implementing the actionable steps in this article to reduce the risk of a cyber attack, you’re one step ahead in protecting your company against cyber crime.
Need Cyber Liability Coverage?
I’m Pat O’Neill, a risk advisor at The O’Neill Group, and I’d be happy to help you identify the cyber risks you face, and secure for you a cyber insurance quote. Call me at (330) 334-1561, email me at firstname.lastname@example.org or click here to schedule a time on my calendar that’s convenient for you to discuss cyber insurance.
This article was adapted from Zywave. This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.