According to Barracuda’s latest report, small businesses are three times as likely to be targeted in this way.
Their research shows that an employee at a small business with fewer than 100 employees is targeted 350% more often than an employee at a larger organization.
Small businesses need to ramp up their security if they want to avoid financial loss, reputational damage, and potential lawsuits.
In this article, we elaborate on what spear phishing is, we consider how you can protect your small business, and we answer some frequently asked questions on this topic.
What Are Spear Phishing Attacks?
Cybercrime is estimated to cost the world around $10.5 trillion every year by 2025. Unfortunately, this is a great incentive for criminals to create more sophisticated cons that will hook unsuspecting victims.
Today, spear phishing is one of the most popular attack techniques. A 2019 report by Symantec said that 65% of cyberattacks rely on spear phishing—and this percentage continues to grow.
Unlike traditional phishing, which targets masses of unknown individuals, spear phishing aims its deception at specific individuals or organizations.
Just like typical phishing, the goal is to create a legitimate-looking, yet entirely false, pretense to trick the victim into sharing their personal information which criminals then use fraudulently.
To understand this better, let’s have a closer look at both traditional and spear phishing:
Traditional phishing definition
Imagine that criminals found your personal email address in a leaked database on the dark web. They don’t know any personal details about you. However, they hope to con you by appearing to represent legitimate brands or institutions. They will often attempt to manipulate you with the promise of money or the threat of a lawsuit.
For example, you may receive a suspicious message or email claiming that you have outstanding taxes that need to be paid immediately. It says that the attachment will explain the details of your overdue account and that legal action will be taken if you don’t resolve this matter soon.
However, in reality, this attachment will install malware on your computer which will steal important information such as your credit card details and passwords. The scammer can then use this to make large withdrawals from your personal bank account.
Spear phishing definition
Spear phishing is a subtype of phishing that targets a specific person or a group of people with fraudulent messages tailored to them. Attackers use social engineering to lend credibility to the scam, using the victim’s name and information they know or guess about them, such as the names of their coworkers.
Criminals usually get people's email addresses from company websites. Here, they can find your name, surname, and job title. They will try to use these details to convince you that their communication is legitimate and bait you into being conned.
For example, they may pretend to be from your HR department, requesting that you log in to your HR portal and update your information. This can appear legitimate, especially if they use your company’s branding and the name of an actual HR representative.
However, instead of linking you to the correct page, you will get sent to a lookalike that steals your password and gives them access to your company’s HR portal.
Just like classic phishing, the goal is to obtain sensitive information so that they can ultimately steal money from you—or even your company.
What Does This Mean for Your Business?
Hackers often target company employees through popular software, such as Microsoft Teams, as small businesses use this software often.
For example, you may receive a fake Microsoft Teams message claiming that you have unread notifications. But when you click through to the site, you are directed to a lookalike login site that steals your credentials and jeopardizes both you and your company when you unwittingly enter your username and password.
Your login details may provide fraudsters with access to sensitive banking information, passwords, and even trade secrets that they can leverage for a payout. Your access credentials can also be sold or used in a larger-scale attack.
In 2011, security firm RSA fell prey to a spear phishing attempt when four of its employees were targeted by hackers. They received emails that contained a harmful attachment called "2011 Recruitment plan.xls".
Even though this email was sent to their spam folders, one of the employees retrieved it and clicked on the attachment. This then installed malware on their computer, giving the fraudsters full access to sensitive company information.
What Helps Protect against Spear Phishing Attacks?
Spear phishing attacks are particularly harmful to small businesses, because they don’t have the proper security resources and training to prevent spear phishing attempts.
You can take the following steps to ensure your business remains protected:
1. Make use of an email filter and a DNS filter
It can be difficult to determine the legitimacy of an email. However, by using email filtering software, you can reduce the number of illegitimate emails that land in your inbox. There are many free email filtering programs you can make use of online.
As a second line of protection, you should also have DNS protection. This is designed to reject access attempts to domains that are malicious and prevent you from landing on a lookalike website. This means that, even if your email filter fails, you will still be blocked from landing on dodgy sites.
2. Keep your systems up to date with the latest security patches
The spear phishing attack at RSA was possible because hackers took advantage of an unpatched vulnerability in Adobe software.
While you can’t control vulnerabilities in the software you choose to use, you can make sure that it’s up to date. This will ensure that new security patches are implemented. Since new versions typically include protection against the latest malware and scams, you will be more protected.
The best way to stay on top of this is to ensure that your system is set to install updates automatically. You can do this by navigating to your settings.
In addition, never install software from untrusted sources.
3. Encrypt any sensitive company information you have
Your company focus should be on encrypting two groups of data: personally identifiable information and confidential information regarding your business's intellectual property.
If you don’t protect your customers' and employees' personal information, your company may be held liable for negligent handling of personal information. This may even violate data protection acts such as GDPR, which may land your company in hot water.
You may also be at risk of losing important business secrets. This can have a devastating impact on your business and it’s best to encrypt your data to prevent this from happening.
4. Implement multi-factor authentication
When you sign in to Google from a new device, you’re often asked to confirm your identity by typing in a code that they send to your cellphone or recovery email address.
This is an example of multi-factor authentication, where a secondary device is used to double-check the legitimacy of a request. Even if spear phishers managed to get one of your strong passwords, they wouldn’t be able to gain access to your account without your cell phone.
Many applications allow you to enable additional authentication. Simply navigate to your settings and select multi- or two-factor authentication under your privacy settings.
5. Conduct email security training for employees
Make sure that both you and your employees are trained to spot spear phishing emails that might compromise your business.
Common giveaways of phishing include:
- Urgent tone
- Uncharacteristic greeting
- Mismatch between domain name and company name
- Unusual request
- Bad grammar
For example, let’s say your HR representative’s name is Sally Williams and you receive an email from firstname.lastname@example.org. At first glance, you may not notice that the email uses an “r” and “n” rather than the “m” in “Williams”, and you might click on a malicious link.
You should insist on regular training sessions on how to identify and avoid spear phishing attacks, and employees should be aware of how this can harm both them and the business.
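The "r" plus "n" for "m" trick above is easy to miss by eye but easy to catch in code. The following added example (not part of the original article) folds confusable characters before comparing a sender address against a constructed allowlist of trusted contacts, and also treats a one-character domain typo as a lookalike; the contact addresses are assumptions for the demonstration.

```python
import unicodedata

# Constructed allowlist of trusted senders (an assumption for this example);
# in practice this comes from the company directory or address book.
KNOWN_CONTACTS = {"sally.williams@example.com", "it-helpdesk@example.com"}

# Character sequences that look alike in many fonts. "rn" for "m" is the
# trick described in the article; the others are common variants.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold(text: str) -> str:
    """Normalize text so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKD", text).lower().strip()
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for pair, single in CONFUSABLES:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(addr: str) -> str:
    """Classify a From: address as 'trusted', 'lookalike' or 'unknown'."""
    addr = addr.lower().strip()
    if addr in KNOWN_CONTACTS:
        return "trusted"
    local, _, domain = fold(addr).partition("@")
    for known in KNOWN_CONTACTS:
        k_local, _, k_domain = fold(known).partition("@")
        # Same user after folding, and the domain is identical or one typo away:
        # "williarns" for "williams", or "exarnple.com" / "example.co".
        if local == k_local and edit_distance(domain, k_domain) <= 1:
            return "lookalike"
    return "unknown"
```

A mail gateway or a training exercise can run this over the From: header and add a visible warning banner to anything classified as "lookalike".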
Common Questions about Spear Phishing Attacks
Do spear phishing attacks only happen over email?
Spear phishing attacks often make use of bogus emails. However, spear phishers are equally capable of tricking you with social media, phone calls, text messages, and WhatsApp.
On 15 July 2020, a group of hackers took over 45 Twitter accounts of CEOs, celebrities, and politicians. They managed to do this by calling Twitter employees and tricking them into resetting their passwords. They then used the influence of these accounts to promote a Bitcoin scam.
In this example, the phone calls to Twitter employees were an example of spear phishing.
Where can I report a spear phishing attack?
If a spear phishing incident comes to your attention, you should report it to your company IT security.
Depending on their capabilities, they will analyze the attack and can blacklist the address, or, at the very least, warn the rest of the company and describe the scam message so that others can spot it too.
It is a good idea to warn the authorities of a new phishing tactic and help build reliable statistics on spear phishing attacks.
The authority you report this to will depend on the country in which you’re based. For example, if you’re in the United States, you will reach out to the FBI's Internet Crime Complaint Center (IC3) and, if you’re based in India, you can report it to their government’s anti-phishing unit.
How is spear phishing different from executive phishing?
A spear phishing attack targets certain individuals or groups within an organization, whereas executive phishing attacks specifically target high-level employees or business leaders.
They are often targeted because they have access to company funds and they have the authority to make wire transfers. Hackers often reach out to them with a customized email seemingly from their CEO instructing them to immediately transfer money to fight a lawsuit or acquire a new company. These emails often seem so real that many people have been tricked into transferring millions of dollars to criminals.
If you’d like to get more context about executive phishing attacks, have a look at this article where we go into detail about what it is and how you can avoid it at your own company.
How can I tell whether my business is at risk?
Any business can become a target. However, small businesses are considered the sweet spot. This is because such businesses are profitable enough to give scammers a decent payoff, but not big enough to consider online security a priority.
Keep Your Business Safe
Hackers are cunning and innovative. However, you may outwit them by installing reliable email and DNS filtering software, regularly updating your systems to ensure the latest patches are installed, and encrypting the sensitive data that your organization relies on.
To account for any human errors, you should make sure your employees enable multi-factor authentication and that they are properly trained on spear phishing attacks.
Running a business is challenging enough without being scammed by con artists. By deploying GoodAccess, you will have the peace of mind to focus on growing your business rather than stressing about online security.
GoodAccess offers a cloud VPN that keeps your whole team safe online–even if they work remotely. You can start with a 14-day free trial of our premium offer. You don’t even need to insert your credit card details to get started—just open a free account.