
Don’t Take the Bait – How to Avoid Spear Phishing

May 4, 2017

It is increasingly difficult to go more than a few days without seeing another cybersecurity headline detailing the latest nightmare that has befallen yet another unfortunate victim. These unrelenting stories drive home the point that our data is under siege every day by an incessant barrage of attacks, originating from an ever-widening spectrum of threats.

These threats run the gamut: from amateur hackers to disgruntled employees to criminal organizations to nation states with unlimited budgets, each of them adding to the dangers that lurk within the digital world in which we live and work.

Today's cybercriminals have options when it comes to stealing information. The first is to attack firewalls and intrusion detection systems directly and to use brute-force password crackers to get at a victim's data. Because these attacks require a tremendous amount of work and sophisticated tools, cybercriminals have developed an insidious "Plan B" that is much more efficient.

This alternative strategy is to socially engineer the victim into doing the heavy lifting. One such strategy is "spear phishing": a criminal sends an email that appears to originate from a trusted source, such as the CEO, our bank, or the IT department. Within this email is a request from the sender to open an attachment or provide sensitive information. Once we take the bait and do the sender's bidding, that is where the nightmare begins.

Here are just a few examples of the end result of a spear phishing attack:
  • Because a spear phishing email appears to come from someone we trust, we are more willing to open the attached PDF or Word document without much hesitation. Once the file is opened, a malware payload within the file is deployed, ready to be let out – the technology equivalent of a "wild night on the town". An increasingly prevalent type of malware is ransomware: malicious software that attacks the recipient's computer (and anything it is attached to, such as the company's file server). Ransomware locks everything it touches with a virtually unbreakable variety of encryption, rendering files inaccessible without a digital key. To obtain the key to unlock your files, prepare to pay the attackers a sizable ransom - typically several thousand dollars - or erase everything and try to restore from backups.
  • Victims of a spear phishing attack, particularly those in Finance, are tricked into making a wire transfer or turning over sensitive information, such as the company's W-2 tax data (rife with sensitive information). A type of spear phishing attack known as "whaling" involves the CFO (or some other high-ranking member of Finance) receiving a request from a criminal posing as the CEO. The email asks the CFO to send data or complete a wire transfer to a company that is actually a front set up by the attacker. This type of attack has racked up billions of dollars from victims across the world, and doesn't appear to be slowing down any time soon.
  • Cybercriminals use spear phishing campaigns to gain login credentials. Once they have tricked a user into providing their user name and password, the attacker can remotely gain access to sensitive information stored in the company's cloud applications or network resources. Alternatively, criminals can send fraudulent emails from the compromised account, waging spear phishing attacks against the victim's colleagues or clients to obtain sensitive information.

So how do we reduce the chance of becoming the next data security headline and joining the ever-increasing ranks of victims that have fallen prey to a spear phishing attack?

Best practices include tightening email and web filters, keeping applications and systems patched, ensuring antivirus definitions are constantly updated, and monitoring firewalls and intrusion detection systems. However, since even the best security solutions in the world won't defend against every well-designed spear phishing attack, it is imperative that education also be part of every company's cybersecurity plan.
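As an added example (not code from the original post or from Citrin Cooperman), here is the kind of rule an email filter can apply to the "whaling" scenario described above: flag a message whose display name matches an internal executive but whose address is not that executive's real mailbox, whose Reply-To points outside the company, or which comes from an external domain and asks for a wire transfer or tax data. The company domain, executive list, phrases and sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: a hypothetical company domain, its executives
# (display name -> real mailbox) and phrases typical of whaling requests.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
RISKY_PHRASES = ("wire transfer", "w-2", "tax data", "urgent")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: bytes) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    name, addr = parseaddr(str(msg.get("From", "")))
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    # 1. An executive's display name paired with a different sending address.
    if real_mailbox and addr.lower() != real_mailbox:
        reasons.append(f"display name '{name}' used with non-executive address {addr}")

    # 2. A Reply-To header that steers answers to a mailbox outside the company.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != COMPANY_DOMAIN:
        reasons.append(f"Reply-To points outside the company: {reply_addr}")

    # 3. An external sender whose subject or body asks for money or tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if _domain(addr) != COMPANY_DOMAIN:
        hits = [p for p in RISKY_PHRASES if p in text]
        if hits:
            reasons.append(f"external sender with risky phrases: {hits}")
    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS = b"""From: Jane Doe <jane.doe.ceo@webmail.example>
To: cfo@example.com
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Please process a wire transfer today; details to follow.
"""

LEGITIMATE = b"""From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board meeting agenda

Agenda for Thursday attached.
"""
```

Running `assess_message` on the two samples yields three reasons for the suspicious message and none for the legitimate one; in practice such a rule quarantines or banners the message so the recipient is prompted to confirm the request by phone.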

Since spear phishing attacks prey on the recipient's inability to identify a potential threat, education can transform users from the weakest link in the security chain into a virtual human firewall. One key concept to reinforce in training is that users should take a moment to consider whether the email they received was expected from this particular sender, at this particular time. If the user is not absolutely certain that the request is legitimate, they need to contact the sender by phone or via a separate email chain for confirmation.

In terms of cybersecurity training frequency, every user should receive it at least once a year.  In addition to a mandatory annual training, every new hire should receive cybersecurity education before being assigned a computer, and anyone with access to sensitive information should be required to receive it several times per year.

For more information on how to help keep your company secure, contact Citrin Cooperman’s TRAC (Technology and Risk Advisory Consulting) team at

Looking for more information on cybersecurity? Be sure to register for our panel event, "Understanding Your Cybersecurity Risks - What you need to know to keep your data safe." The seminar will be held on May 23, 2017 at 8:00 AM - 10:00 AM in Mansfield, MA. Learn more and register HERE.