Spear phishing attacks are extremely dangerous because they are designed to get around traditional email security such as spam filters. They generally carry no attachments or recognisably malicious links; instead they rely on spoofing techniques and links that, combined with social engineering tactics, are unlikely to be blocked.
The most common type of attack by far is brand impersonation, in which the attacker poses as a company to obtain the target's credentials and take over their account. These attacks have also been used to steal personal information such as credit card and bank details. Apple and Microsoft are the most commonly impersonated brands in these attacks, the report found.
Business email compromise (BEC, also known as CEO fraud) is the second most common spear phishing attack type. Cyber criminals impersonate an executive and request an internet transfer or personal information from finance department employees or others. While business email compromise attacks make up a relatively small percentage of the total, they have caused more than £11 billion in losses since 2013.
Finally, the third most common type of spear phishing attack is the blackmail scam, in which attackers claim to hold sensitive and compromising information about their target and threaten to share it unless a fee is paid.
The best practices to avoid spear phishing
Avoiding spear phishing attacks means combining user security training with technology. Here are six best practices that businesses should consider to protect against these attacks.
1. Take advantage of artificial intelligence
Find a way to detect and block spear phishing attacks, including BEC and brand impersonation, that may contain no malicious links or attachments. Tools are available that analyse communication patterns within a business and flag anomalies that may indicate an attack.
2. Don’t rely solely on traditional security
Traditional email security that relies on blacklists to stop spear phishing and brand impersonation may not protect against other forms of attack.
3. Use multi-factor authentication
Multi-factor authentication gives you another layer of security over a basic username and password, and it is a simple and effective security measure.
4. Train staff members to recognise and report attacks
Spotting and reporting a spear phishing attack should be part of any security training. Businesses can simulate spear phishing attacks by email, voicemail, and text message to train users to identify them. Businesses should also have a procedure in place to confirm any monetary requests that come via email.
5. Conduct proactive investigations
Because spear phishing attacks are so personalised, staff may not always recognise or report them. Businesses should regularly search mailboxes for content known to be common in these attacks, such as subject lines related to password changes.
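The anomaly-based detection in practice 1, the limits of plain blacklisting in practice 2, and the proactive mailbox search in practice 5 can all be illustrated with a small triage script. The example below is added here and is not code from the article or from any vendor tool; the organisation (example.com), the executive directory, the list of known correspondents, the keyword patterns and the three sample messages are all constructed. It parses a raw message with Python's standard email library and reports the indicators it finds: an executive's display name paired with the wrong address, a Reply-To that redirects to another domain, a sender-authentication failure recorded by the gateway, a password-change subject line, and a payment request from a sender the mailbox has never corresponded with.

```python
"""Triage inbound mail for common spear-phishing indicators.

Added example with constructed data and a hypothetical organisation; not code
from the article. Flags executive display-name impersonation, Reply-To
redirection, failed SPF/DKIM/DMARC, password-change subjects, and payment
requests from senders with no prior correspondence (a simple baseline of the
mailbox's normal communication pattern).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed environment data (hypothetical values, adapt to your own directory).
PROTECTED_PEOPLE = {"jane doe": "jane.doe@example.com"}   # executive name -> real address
KNOWN_CORRESPONDENTS = {"supplier@vendor.example", "jane.doe@example.com"}

# Constructed keyword patterns; tune to the organisation.
PASSWORD_SUBJECT = re.compile(r"password\s+(change|reset|expir)", re.I)
PAYMENT_REQUEST = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> list:
    """Return the indicators found in one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    findings = []

    # 1. A protected display name paired with an address that is not the real one.
    key = from_name.strip().lower()
    if key in PROTECTED_PEOPLE and from_addr.lower() != PROTECTED_PEOPLE[key]:
        findings.append(f"display name '{from_name}' used with address {from_addr}")

    # 2. Replies silently redirected to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}")

    # 3. The receiving gateway recorded a sender-authentication failure.
    if AUTH_FAIL.search(msg.get("Authentication-Results", "")):
        findings.append("sender authentication (SPF/DKIM/DMARC) failed")

    # 4. Subject lines about password changes, the content search the article recommends.
    if PASSWORD_SUBJECT.search(subject):
        findings.append("subject refers to a password change")

    # 5. A money request from an address this mailbox has never corresponded with.
    if from_addr.lower() not in KNOWN_CORRESPONDENTS and PAYMENT_REQUEST.search(
            subject + "\n" + _plain_text(msg)):
        findings.append("payment request from a sender with no prior correspondence")

    return findings


# Constructed sample messages for demonstration (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.co>
Reply-To: ceo.office@freemail.example
To: finance@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.co; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer today, I am unavailable by phone.
"""

PASSWORD_SAMPLE = """\
From: IT Helpdesk <helpdesk@example-support.net>
To: staff@example.com
Subject: Your password expires today
Content-Type: text/plain; charset="utf-8"

Follow the link to keep your account active.
"""

BENIGN_SAMPLE = """\
From: Supplier <supplier@vendor.example>
To: finance@example.com
Subject: Invoice 1042 for March
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Please find invoice 1042 attached, payment terms 30 days as usual.
"""

if __name__ == "__main__":
    for name, sample in [("BEC", BEC_SAMPLE), ("password", PASSWORD_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, "->", triage(sample) or "no indicators")
```

None of these checks needs a blacklist entry for the sending address: the BEC sample is flagged four times on structure alone, and the benign invoice from a known supplier is not flagged even though it talks about payment. In a real deployment the correspondent baseline would be built from mail logs rather than a hard-coded set, and findings would feed a review queue rather than an automatic block.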
6. Maximise data-loss prevention
Use technology solutions together with business policies to ensure that emails containing confidential or sensitive information are blocked and cannot leave the company.
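As an added illustration of the data-loss prevention rule just described (not code from the article or from any DLP product), the script below inspects an outbound message and blocks it only when it both contains sensitive content and is addressed to someone outside the company. The organisation domain, the detection patterns and the sample messages are constructed; the card-number check is validated with the Luhn checksum so that ordinary order or tracking numbers do not trigger it.

```python
"""Outbound DLP check: block messages that carry sensitive data to external recipients.

Added example with constructed data; not code from the article. Detects
Luhn-valid payment card numbers, a UK-style sort code plus account number, and
an explicit CONFIDENTIAL marking, then applies the policy that such content may
be sent internally but must not leave the company.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # constructed, hypothetical organisation

# 13 to 19 digits, optionally separated by spaces or hyphens (candidate only; Luhn decides).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Sort code followed within a few words by an 8-digit account number (constructed pattern).
SORT_CODE_ACCOUNT = re.compile(r"\b\d{2}-\d{2}-\d{2}\b[^\d\n]{0,20}\b\d{8}\b")
CONFIDENTIAL_MARK = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; cuts false positives from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return the kinds of sensitive content present in text, in a fixed order."""
    kinds = []
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.append("payment card number")
            break
    if SORT_CODE_ACCOUNT.search(text):
        kinds.append("bank sort code and account number")
    if CONFIDENTIAL_MARK.search(text):
        kinds.append("confidential marking")
    return kinds


def outbound_decision(raw_message: str) -> tuple:
    """Return (action, kinds found, external recipients) for one single-part text message."""
    msg = message_from_string(raw_message)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in recipients if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    body = msg.get_payload(decode=True) or b""   # single-part messages only in this example
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    kinds = find_sensitive(text)
    action = "block" if kinds and external else "allow"
    return action, kinds, external


# Constructed sample messages (4111 1111 1111 1111 is a well-known Luhn-valid test number).
EXTERNAL_LEAK = """\
From: finance@example.com
To: partner@outside.example
Subject: Payment details
Content-Type: text/plain; charset="utf-8"

Pay by card 4111 1111 1111 1111 or to sort code 12-34-56, account 12345678.
"""

INTERNAL_COPY = EXTERNAL_LEAK.replace("To: partner@outside.example", "To: accounts@example.com")

CLEAN_EXTERNAL = """\
From: finance@example.com
To: partner@outside.example
Subject: Shipment update
Content-Type: text/plain; charset="utf-8"

Your order 1234567890123 has shipped.
"""

if __name__ == "__main__":
    for name, sample in [("external leak", EXTERNAL_LEAK), ("internal copy", INTERNAL_COPY),
                         ("clean external", CLEAN_EXTERNAL)]:
        print(name, "->", outbound_decision(sample))
```

The same body is blocked when addressed externally and allowed when addressed internally, which is the policy distinction the practice calls for; the 13-digit order number in the clean message is a regex candidate but fails the Luhn check, so it does not cause a false block. A production gateway would also inspect attachments and multipart bodies, which this example deliberately leaves out.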