What is spear phishing?
Spear phishing is when you receive an email that appears to come from someone or some company you trust. It looks legitimate. It may even have the names and extension numbers of coworkers. It looks authentic, so you don’t give it a second thought. But you should, because it’s from an attacker, and they’re trying to steal your valuable information.
Unlike ordinary phishing emails, spear phishing emails are personalized. They’re crafted to make you think they’re from someone you know. With all that personalization, spear phishing emails are extremely hard to detect. And because they’re so hard to detect, they’re more effective. Which means they’re used a lot.
Spear phishing is prevalent and costly
Spear phishing has been associated with most of the largest cyberattacks in recent history including the attacks on JPMorgan Chase, eBay, Target, Anthem, Sony and various departments within the U.S. government.
According to Wombat’s 2018 State of the Phish survey, 76% of respondents said they experienced a spear phishing attack. And it’s not just large enterprises. Small companies are just as likely to be affected according to the survey.
Being the victim of a spear phishing attack can be costly too. As cited in a 2017 report, a phishing attack costs a mid-size company an average of $1.6 million. But the hit on a company’s reputation may be even worse.
According to Deloitte, one-third of respondents said they would stop dealing with a business following a cyber-security breach, even if they do not suffer a material loss. Likewise, according to Aviva, after a company is breached, 60% of customers will think about moving and 30% actually will.
How to spot a spear phishing email
There are telltale signs of a spear phishing email. Here are seven things to look for if something doesn’t seem right:
- The email requests personal information
- The email contains a link where the link text doesn’t match the URL
- The email contains a link and the URL has a misleading domain name
- The email contains a link and the URL starts with http and not https
- The email contains poor spelling and grammar
- The email appears to be from a government agency
- The email has a misplaced sense of urgency (e.g., please respond in 48 hours or your account will be locked)
How to detect if you’ve been spear phished
Spear phishing attacks can steal passwords and empty bank accounts. So, what happens if you actually click on a link in a suspicious email and it takes you to a web page? The first thing to do is to look for the telltale signs mentioned above. Does it request personal information? Are you at the URL you expected? Does the URL begin with http or https? Is there poor spelling and grammar? Does something not seem right?
If an account of yours has been compromised, that too will leave telltale signs. You may see a new sign-in alert from your account. Your sent folder may have messages in it you didn’t send. If, after you do sign in or provide your information, you get an error message, or a “service temporarily down” message, or nothing at all, it’s likely you’ve been phished.
Spear phishing prevention is better than spear phishing protection
One way to protect against spear phishing is to train users to recognize and report suspicious emails. But there is something even more effective than spear phishing protection, and that’s spear phishing prevention: using technology to prevent the spear phishing email from reaching the end user in the first place.
The best way to prevent spear phishing is to analyze emails before they reach you or your company, before users ever get a chance to click on a link.
Cloud-based email protection solutions provide a buffer to check emails for suspicious links before they reach your corporate network or your hosted email service provider.
Links can’t just be checked in emails prior to arrival, though. They must also be checked after the email arrives, when the link is actually clicked. Every time it’s clicked. Because attackers can send a spear phishing email from a website that initially appears unthreatening, post-delivery protection is essential.
What to do if you’re a small business worried about spear phishing
Cloud-based email protection solutions offer two levels of protection: before the email reaches the end user and after it arrives, when the user actually tries to click on a link.
If you’re a small business, on a limited budget, but you still would like to be protected from spear phishing by using the latest cloud-based solutions, there’s good news. You can now get advanced phishing technology at prices that fit your budget.
To learn more about how Duocircle can protect your small or mid-size business from spear phishing attacks, click here.