Spear-Phishing Attacks: Are They Preventable?
Phishing attacks are increasing at alarming rates. Surveys show that 71% of businesses are not prepared to manage these types of attacks. Many businesses are finding that their defenses are limited and that people in the highest offices are vulnerable.
More than 50% of businesses aren’t confident in their ability to detect phishing scams, and attacks have grown more sophisticated. Here’s what IT managers and businesses need to know about spear-phishing to protect against these attacks.
What Is Spear-Phishing?
Ubiquiti Networks unknowingly sent $46.7 million to fake overseas accounts after receiving phishing emails. Spear-phishing attacks use familiar data like business logos, contact names and similar email addresses to send fake requests. These requests include malicious URL links or attachments meant to gather personal information like birth dates, passwords, credit cards, and bank data.
A recent study found that 50% of attacks last 24 hours, but more than 65% can last for a month. Nearly 80% of attacks will target fewer than 10 accounts, and spam filters are unable to detect these fake emails. While spam filters might detect five attacks, 20 more will make it to the inboxes of unsuspecting users.
How to Prevent Spear-Phishing
As company defenses improve, so does the sophistication of attacks. Because spear-phishing is highly sophisticated, requiring comprehensive reconnaissance to set up fake accounts that look authentic, technology alone is not enough. Attackers are now tailoring text and using signatures, company logos and other identifying factors to make phishing emails look legitimate.
To become proactive in cybersecurity, businesses need to turn their attention to the growing scope of phishing scams. This can be achieved by:
Protecting email accounts
Email, whether personal or business, is inherently insecure. To strengthen protection against phishing, invest in solutions that analyze emails, use two-factor authentication, and report all internal and external attacks.
Monitoring brands and domain names
Businesses should deploy continuous monitoring, detection and response tools. Monitor domain names for look-alikes and watch for brand mentions.
Using penetration testing engagements
Penetration testing is the linchpin in a security program, as it replicates the tactics of threat actors, which may otherwise be undetectable by conventional security tools. These engagements can also simulate phishing attacks and serve as a tool to raise awareness.
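For the look-alike domain monitoring mentioned above, the following is an added example (not from the original article) that flags sender domains resembling a protected one. The protected domain `example.com`, the confusables table and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata

# Constructed confusables table (assumption): a few digit, Cyrillic and
# multi-character look-alikes; extend it for your own brand names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i"}
MULTI = {"rn": "m", "vv": "w"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyphs become visible."""
    try:
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:  # already non-ASCII, or not valid IDNA
        return domain.lower()

def skeleton(domain):
    """Fold a domain to a comparison form: strip accents, map look-alikes."""
    s = unicodedata.normalize("NFKD", to_unicode(domain))
    s = "".join(CONFUSABLES.get(c, c) for c in s if not unicodedata.combining(c))
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return s.replace("-", "")

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            v = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                v = min(v, prev2[j - 2] + 1)
            cur.append(v)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, protected="example.com", max_dist=1):
    """Return 'exact', 'homoglyph', 'typo' or 'unrelated' for a sender domain."""
    d = to_unicode(domain)
    if d == protected:
        return "exact"
    sd, sp = skeleton(d), skeleton(protected)
    if sd == sp:
        return "homoglyph"
    return "typo" if osa_distance(sd, sp) <= max_dist else "unrelated"

# Constructed sender domains, as they might appear in inbound mail headers.
SAMPLES = ["example.com", "examp1e.com", "exarnple.com", "exmaple.com", "mail.example.org"]
if __name__ == "__main__":
    for dom in SAMPLES:
        print(f"{dom:20} {classify(dom)}")
```

Anything classified as `homoglyph` or `typo` is a candidate for quarantine or analyst review; short brand names need a stricter threshold to avoid false positives.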