Spear-phishing is on the rise
Imagine spending years developing a product your research says will take the market by storm. Grow your small business into a major player. Rewrite the rules for much larger competitors.
Then comes the email from a potential investor who’s just as interested in your market as you are. All you have to do is click a link to learn more about the opportunity he offers. The email looks legit. You even recognize the venture capital firm this individual represents. All good, right?
Not so fast. Whereas a few years ago, email scams were pretty easy to spot with all of their misspellings and nonsensical offers, today’s online scammers have become much more sophisticated. Not only are they sending out well-crafted messages to cajole unwitting recipients into doing something they shouldn’t, they’re also targeting distinct individuals or particular pieces of information.
Called “spear-phishing,” this sort of attack aims to steal specific details from specific individuals. Most often, hackers disguise themselves as a friend or trusted source (such as your bank) to trick the target into releasing information – which accounts for 91 percent of attacks. The conduit for such attacks is often email but, lately, social sites like Facebook, LinkedIn, Twitter have become involved as well.
For instance, last year, the music streaming service Vevo was hit by a LinkedIn phishing attack that resulted in the exposure of more than 3TB of internal data, some of it highly sensitive. This included, videos, office documents, promotional material, yet to be used social media content, and information about recording artists signed to the participating record companies.
Another spear-phishing attack making the rounds involves a hacker posing as the CEO, president, partner or vendor of a company sending phony invoices to its accounting department. If the accounting department doesn’t catch such scams, they often go undetected. In education, for instance, HP recently met with officials from a school district where hackers stole a superintendent’s credentials. The “bad guys” sent two email invoices to finance posing as this individual, and they were paid $15,000.
While few small businesses disclose when they’ve been attacked, it is highly likely many are victimized by spear-phishing. Why? Well, for one thing, large businesses budget for cybersecurity in ways that small businesses simply cannot. Hackers prefer soft targets. So they are increasingly going after less fortified small and midsized businesses. In fact, despite evidence to the contrary, 82 percent of small business owners believe they’re not targets for attacks because they don’t have anything worth stealing, according to Towergate Insurance research. Yet, many businesses exist because they have a product or service worth selling. It follows, therefore, that they might have something worth stealing. Indeed, the vast majority of targeted attacks (90 percent) involve attempts to gather intelligence from targeted organizations, according to Symantec’s 2018 Internet Security Threat Report.
What’s more, since 99.9 percent of all businesses in the United States are “small,” meaning they have fewer than 500 employees, it follows that hackers would target them. Indeed, the Securities and Exchange Commission says “small and midsize businesses (SMBs) are not just targets of cybercrime, they are its principal target.”
“Since the popular press tends to focus on attacks that target the largest firms, it can be easy to overlook the fact that SMBs (small and midsized businesses) are at even greater risk, and are far more vulnerable once they are victimized, the SEC states. “In fact, for every high-profile breach, there are many more threats to confidential data held by local businesses.”
So, what can you do to keep your business from being victimized by spear-phishing?
One of the easiest ways to prevent your employees from engaging phishing via email or social media is to instigate behavioral changes at work. It should help your staff avoid making the kind of simple mistakes that lead to devastating consequence for your business:
- Limit interactions to users you can trust
- Don’t click on links from unverified sources
- Never download file attachments from social media
- Enable two-factor authentication on all social media accounts and devices – it’ll make it harder to hack them
- Give extra training to employees with high-access privileges or social-facing roles
Another essential aspect of your security plan to consider is the technology you’re using to stay cyber resilient. The HP Elite family, for example, has a range of powerful, built-in security features.
One relevant feature is HP Sure Click, which approaches secure browsing differently. Instead of just flagging dangerous sites for users to avoid, it also keeps malware, ransomware and viruses from infecting other browser tabs and the wider system. When a user starts a browsing session, every site visited triggers HP Sure Click. For example, each time a website is visited, HP Sure Click creates a hardware-based isolated browsing session, which eliminates the ability of one website infecting other tabs or the system itself.
Another way to head off spear-phishing is to look into a Device-as-a-Service offering. This is a modern PC consumption model where companies essentially lease their computing equipment, assuring they always have the latest and most secure gear along with constant, quality service and support.
Spear-phishing isn’t the only cyberattack vector small businesses need to be concerned about, but it is one of the most prevalent. With a modicum of awareness and investment in modern security tools, it is possible to avoid becoming victim to what has become an all-too-common threat.