Spear phishing is a major security risk, and the only way to stop it is to train your staff, says Scott Greaux
One of the most common ways for cybercriminals to gain access to sensitive data on enterprise networks is through phishing. It has recently been revealed that the UK is the target of more phishing than any other country, and the technique featured prominently in the Red October espionage campaign and in the attacks on the New York Times.
Phishing is a method where cybercriminals send spoofed emails to try to trick recipients into doing something they shouldn’t. Such emails can also give attackers a foothold on corporate networks, from which they acquire sensitive information such as usernames, passwords or R&D data.
However, the success of a phishing attack is largely determined by the target’s level of security awareness.
People are unaware of phishing!
PhishMe provides phishing awareness training – and we have tracked the responses of more than 3.8 million users to find the level of awareness. We found that around 60 percent of people will fall for a phish if they have never been trained to recognise the signs of a phishing email.
However, trained employees will find it much easier to spot a phishing email. They will know to look at the underlying URL, not just the displayed text, to see where it is actually coming from. They will also look at email headers to try to understand if the email address has been spoofed.
In the UK, PhishMe recently commissioned a survey of 1000 office workers to help understand the scale of phishing in this country. The results revealed that:
- 27 percent of office workers do not know what phishing is
- Nearly 60 percent of office workers receive phishing emails at work every single day, and 6 percent receive more than 10 phishing emails every day
- More than 1 in 5 people admit to having been tricked by a phishing email into clicking a link or opening an attachment
- 78 percent of those surveyed think they have never fallen for a phishing email
- 29 percent do not report suspicious emails to their IT department
- 49 percent are more worried about being phished at home than at work
Not only do these findings reveal that UK office workers are being swamped daily by phishing emails, they also show that technical controls are failing to stop these messages as they pass through security appliances. Emails are ending up in users’ inboxes, and for many companies it is purely down to luck if that employee responds.
Spear phishing fears
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organisation and will tailor their attacks to make them look relevant to the recipient. Hackers will carry out these types of attacks in order to gain access to sensitive corporate data, and because the emails they send will look genuine they can often be very successful.
However, despite these worrying statistics there are a number of steps which can help to identify potential phishing emails. When receiving emails, users should look at the following:
- Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
- Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
- The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward – and emails that evoke strong emotions such as these should be considered triggers.
- Is the email specific? Does it make sense? Although criminals have a lot of information about individuals, they will still keep messages generic to pique your interest and make you take action.
- And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
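The sender and link checks above (the unexpected sending domain, a spoofed Reply-To, and the underlying URL not matching the displayed text) applied to a raw message by a small triage script. This is an added example, not code from the article or from PhishMe; `CORP_DOMAIN`, the sample message and every address and hostname in it are constructed.

```python
# Added illustration, not PhishMe's code. Applies two of the checks above to a
# raw message: does the sender (and Reply-To) domain match the organisation the
# mail claims to come from, and does each link's visible text match its real href?
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

# Constructed sample: "from the CEO", but sent via webmail, with a disguised link.
SAMPLE_EML = """\
From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Reply-To: payments@mailer-example.net
Subject: Urgent: approve this invoice today
Content-Type: text/html

<p>Approve here: <a href="http://login-example.net/x">https://portal.example.com/invoices</a></p>
"""

# Good enough for a triage script; a full implementation would use html.parser.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr):
    """Mail domain of an address, lower-cased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _host(value):
    """Hostname of a URL, or of bare text that merely looks like one."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()


def phishing_indicators(raw):
    """Return the indicator strings found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    findings = []
    if _domain(from_addr) != CORP_DOMAIN:
        findings.append(f"sender domain {_domain(from_addr)!r} is not {CORP_DOMAIN}")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    for href, text in _ANCHOR.findall(msg.get_payload()):
        # Visible text is a URL, but the real destination is somewhere else.
        if "." in text and _host(text.strip()) != _host(href):
            findings.append(f"link text {text.strip()!r} really goes to {_host(href)}")
    return findings
```

Running `phishing_indicators(SAMPLE_EML)` yields three findings: the Gmail sending domain, the mismatched Reply-To, and the link whose text claims one host while its href points at another.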
Phishing is one of the most common attack methods used by cybercriminals; however, an effective training programme and user awareness will minimise the risk of employees falling victim.
Once employees know what to look for they will be able to quickly identify any potential phishing emails and report them before any damage is done.
Scott Gréaux is VP of product management and services at PhishMe.