Those poor, overworked cybercriminals of yesteryear had it so much tougher than today’s generation! To be successful at their sinister occupation, cybercriminals used to spend long days and nights in their shadowy lairs, slowly hacking their way through firewalls and intrusion detection systems to steal our data. Somewhere along the line, however, some particularly evil (but admittedly efficient) cybercriminal had an epiphany: why not trick the victims into doing the heavy lifting in order to make the theft that much easier? Before long, the insidious plan began paying tremendous dividends: a huge uptick in stolen data and clandestine network access with just a fraction of the effort required by their criminal predecessors. An added benefit of this new approach was a vastly improved work-life balance, allowing the evildoers more time to unwind and relax after a long week of ruining lives.
When cybercriminals trick victims into compromising their own data, it is a type of social engineering. One of the more popular varieties of social engineering is known as ‘spear phishing’, which involves criminals sending email that appears to originate from a trusted source - the CEO, our bank, or a member of our IT Department. Within this email is a request from the sender to open an attachment, click a link, or provide sensitive information. Once we take the bait and do the sender’s bidding, that’s where the fun begins. It is estimated that over 90% of data breaches can be attributed to spear phishing attacks, which suggests that this successful, albeit nefarious, tactic isn’t going away any time soon.
Here are just a few examples of the consequences of a spear phishing attack:
So how do we avoid becoming the next data security headline, joining the ever‐increasing ranks of victims that have fallen prey to a spear phishing attack? Here are some helpful best practices.
Email best practices
Tightening email and web filters, geo-blocking high-risk countries that you aren’t doing business with, keeping applications and systems patched, ensuring antivirus definitions are constantly updated, and monitoring firewalls, logs, and intrusion detection systems for suspicious activity are just some of the ways you can reduce your chances of becoming a spear phishing victim. However, since even the best security solutions in the world won’t defend against every well‐designed spear phishing attack, it is imperative that education also be part of every company’s cybersecurity strategy.
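As an added illustration of what "tightening email filters" can mean in practice (this is example code, not part of the original article or any Citrin Cooperman tooling), the following Python rule flags three common sender-impersonation patterns in inbound mail: an executive's display name paired with an outside mailbox, a sender domain that is one character away from the company's own domain, and a Reply-To that points somewhere other than the From domain. The trusted domain `example-corp.com`, the executive list and the sample messages are all constructed for the example.

```python
"""Flag sender-impersonation patterns in inbound mail headers.

Added example, not from the article. The organisation data and the
sample messages below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisational data.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_alike(domain: str, trusted: str) -> bool:
    """True when `domain` differs from `trusted` by exactly one character
    (insertion, deletion or substitution), a common lookalike pattern."""
    if domain == trusted or abs(len(domain) - len(trusted)) > 1:
        return False
    a, b = domain, trusted
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # extra character in `domain`
            i += 1
        elif len(a) < len(b):    # missing character in `domain`
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # unmatched tail characters
    return edits == 1


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []

    # 1. Known executive's display name, but not their real mailbox.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' but sender is {addr}")

    # 2. Sender domain is a one-character lookalike of the trusted domain.
    if looks_alike(from_dom, TRUSTED_DOMAIN):
        reasons.append(f"sender domain {from_dom} resembles {TRUSTED_DOMAIN}")

    # 3. Replies are routed to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(
            f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}"
        )
    return reasons


# Constructed sample messages (headers only matter for this check).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: accounts@payments.example
To: staff@example-corp.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

SAMPLE_LOOKALIKE = """From: IT Support <helpdesk@examp1e-corp.com>
To: staff@example-corp.com
Subject: Password expiry

Your password expires today, sign in here to renew it.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Board meeting agenda

Agenda attached, see you Thursday.
"""

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("ok", SAMPLE_OK)]:
        print(label, phishing_indicators(sample))
```

A rule like this belongs in the mail gateway or SIEM alongside the other controls listed above; it does not replace them, and a well-crafted message can pass all three checks, which is why the training described next matters.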
Training your staff
Since spear phishing attacks prey on unsuspecting recipients who are unaware of a potential threat, education can increase your staff’s ability to identify attacks - transforming your users from being the weakest link in the security chain into a virtual human firewall. One key concept that needs to be reinforced in the training is that users should consider the legitimacy of any email requesting sensitive information, or asking them to click a link or open a file. If the user is not absolutely certain that the request is legitimate, they need to contact the sender by phone or via a separate email chain for confirmation. A good strategy to reduce the likelihood of users being tricked into falling prey to a spear phishing attack is to periodically conduct a simulated spear phishing attack to identify users that may require additional awareness training.
In terms of frequency, every user should receive cybersecurity training at least once a year. In addition to a mandatory annual training, every new hire should receive cybersecurity best practices training before being assigned a computer. On-demand training should be considered in order to significantly reduce costs and increase efficiency. Anyone with access to sensitive information such as credit card data or protected health information should be required to receive specialized training, several times throughout the year.
For more information on cybersecurity best practices, conducting a simulated spear phishing campaign, or customized on-demand cybersecurity training, contact Citrin Cooperman’s Technology and Risk Advisory (TRAC) team.