Don't Get Snagged By Spear Phishers

For one growing security concern, basic security systems and good user awareness may not be enough to keep users and businesses protected. In some of the recent cases of spear phishing, even trained security personnel were tricked into surrendering personal data or infecting systems with malware.

Jim Rapoza

July 12, 2011

Network Computing

In many of the cases where security gets compromised at a company, the culprit is poor user education combined with ineffective security measures. Frequently, the breach could have been avoided if a worker had known enough not to open an obvious phishing or malware-laden email, or if the company had put even basic mail filters and network policies in place to keep the bad stuff from ever getting in.

But for one growing security concern, basic security systems and good user awareness may not be enough. In some of the recent cases of spear phishing, even trained security personnel were tricked into surrendering personal data or infecting systems with malware.

So what is spear phishing? In this case, the name that tech pundits have given it actually describes the problem quite well.

Standard phishing is a lot like sitting in a boat with a line drifting in the water. The bad guy isn't exerting much effort; he's just sending out a generic fake bank or service email in the hope that a few people will take the bait, get reeled in and surrender personal data or install malware.

But real-world spear fishing takes a lot more effort: The person needs to know how to swim, maybe even scuba or at least snorkel. They have to be skilled with the spear gun, and they have to pick specific fish to go after. Similarly, spear phishing bad guys need to take the time to investigate the company and the individuals they are targeting in order to craft a message that will be seen as legitimate. The spear phishing message may be crafted to mimic real company web applications, to appear to come from real people in the company, and even to use the same jargon and logos as genuine company communications.

In this case, spear phishing involves a lot more work but also offers a much greater payoff. And the bad guys are certainly taking advantage of it. A recent Cisco security report showed that while the number of broadly based phishing attacks was dropping, the incidence of targeted attacks was increasing.

This can be a very big problem for the individuals and companies that spear phishers target. It's pretty easy to avoid an email that says, "Dear Bank Costommer, please provide banc account numbder, social scurity and mother maiden name." It's much tougher to figure out that the email from Jane in the New York office--an email that looks just like every other email from Jane and has the same style and structure--isn't actually from Jane.

So what can be done to protect users and businesses against spear phishing? Unfortunately, the answers aren't simple.

Right now, the biggest defense is the fact that the attacks are targeted and demand more effort and resources from the bad guys. Because of that, the odds of any one company being targeted are much lower than with traditional shotgun-style phishing, which is also far easier to detect. That is luck rather than a control, though: a company that holds something worth the attacker's effort should assume it will eventually be singled out.

Another solution is improved access control and security mechanisms for company systems, both internal and software as a service (SaaS) systems. A two-factor solution, whether it's a phone call or a biometric factor, won't stop a user from typing a password into a page that looks like a legitimate company system but isn't, but it does mean the captured password alone is not enough to log in as that user. One caveat: a spoofed site that relays the user's one-time code to the real system in real time can still get through, so the second factor should be tied to the legitimate system wherever the product allows it.

User education will also help. While these spear phishing attacks are much more sophisticated than the typical message from a Nigerian prince, there may still be tell-tale signs that all is not well. These can range from slight mistakes in the text, to a spoofed site whose layout is sized slightly differently from the real one, to a site that takes much longer than normal to load. More reliable than any of these is checking the actual sender address rather than the display name, and the real target of a link rather than its visible text, before acting on an unexpected request.
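The checks just described, and the "email from Jane that isn't from Jane" case above, can be automated at the mail gateway or in a user-facing plug-in. The following is an added example written for this page, not code from the article or from any vendor it mentions. It assumes a hypothetical internal domain (example.com), a hypothetical colleague directory, and a constructed sample message; it flags a known colleague's display name on a foreign address, a look-alike sending domain, an internal domain hidden inside someone else's hostname, and a link whose visible URL disagrees with its real target.

```python
"""Heuristic checks for tell-tale signs of a spear-phishing email.

Added example, not code from the original article. The internal domain,
colleague directory and sample message below are all constructed.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical organisation data (assumption, not from the article).
INTERNAL_DOMAINS = {"example.com"}
COLLEAGUES = {"jane smith": "jane.smith@example.com"}

# Constructed sample: a real colleague's display name, a look-alike sending
# domain, one link hiding the internal domain inside a foreign hostname,
# one link whose visible URL disagrees with its target, and one honest link.
SAMPLE_EMAIL = """\
From: Jane Smith <jane.smith@examp1e.com>
To: bob@example.com
Subject: Q3 expense report - action needed
Content-Type: text/html

<html><body>
<p>Hi Bob, please re-confirm your login on the
<a href="http://example.com.login-portal.net/sso">expense portal</a> before Friday.</p>
<p>Direct link: <a href="http://sso.login-portal.net/">http://expenses.example.com/</a></p>
<p>Policy doc: <a href="http://intranet.example.com/expenses">intranet</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+", re.I)
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(candidate, legit):
    """True if candidate mimics legit via confusable glyphs or a one-char edit."""
    cand = candidate.lower()
    normalised = cand.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return cand != legit and (normalised == legit or levenshtein(normalised, legit) == 1)


def check_sender(from_header):
    """Flag a colleague's display name on a foreign address, and look-alike domains."""
    findings = []
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    expected = COLLEAGUES.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"sender: display name '{name}' belongs to {expected}, address is {addr}")
    for legit in INTERNAL_DOMAINS:
        if looks_alike(domain, legit):
            findings.append(f"sender: domain {domain} looks like internal domain {legit}")
    return findings


def check_links(html):
    """Flag links whose hostname or visible text misrepresents the real target."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        target = registrable(host)
        # Internal domain used as a subdomain of somebody else's domain.
        for legit in INTERNAL_DOMAINS:
            if f".{legit}." in f".{host}." and target != legit:
                findings.append(f"link: {href} places {legit} inside {target}")
        # Visible text that is itself a URL but points somewhere else.
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if URLISH_RE.match(shown):
            shown_url = shown if "://" in shown else "http://" + shown
            shown_dom = registrable(urlparse(shown_url).hostname or "")
            if shown_dom != target:
                findings.append(f"link: text shows {shown_dom} but target is {target}")
    return findings


def analyse(raw):
    """Run every check over a raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return check_sender(str(msg["From"])) + check_links(html)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

The registrable-domain approximation (last two labels) is deliberately crude; a real deployment would use the public suffix list so that hosts under co.uk-style suffixes are handled correctly. The confusable table is likewise a small sample of the substitutions attackers use.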

If you are in a business that could be a target of bad guys, cultivating your suspicious nature can't hurt when it comes to dealing with spear phishing.
