How not to get spear-phished

by Mark Rowe

According to a recent Osterman Research report, spear-phishing and ransomware attacks on businesses are on the rise, with the majority of organisations, including SMBs, having been victimised in the past 12 months. Unlike traditional phishing, which broadcasts the same lure to thousands of recipients, spear-phishing is a carefully crafted and highly targeted attack designed to lure specific recipients into downloading a malicious attachment or clicking a link, writes Wieland Alge, VP and GM EMEA at the network and web security product company Barracuda Networks.

The cost of opening a malicious email that appears to come from a known individual or organisation is high. A report this year by the Federation of Small Businesses estimates that cyber attacks cost the UK economy around £5.26 billion, with 37% of small firms reporting that they had been victims of spear-phishing scams and 29% reporting malware attacks. With limited resources, time and expertise to deal with digital attacks, small businesses appear to be bearing the brunt of this form of cyber crime.

Spear-phishing approaches

By scouring online sources such as LinkedIn and the corporate website, or phoning switchboards to ask for contact names and details, criminals research their targets to find the specific details that will make the spoofed email they send look legitimate.

The aim is to impersonate known personnel and lure recipients into 'verifying' details or passwords via a malicious link, or into opening an infected file. Worryingly, criminals are proving adept at exploiting employees' 'fast response' habits, especially when staff are working on the move or using instant messaging platforms, where a request is acted on before it is scrutinised.

Scammers also use their social engineering insights to target CEOs and finance teams with 'whaling' scams: emails purporting to come from a supplier, overseas subsidiary or other known contact that request an immediate transfer of funds. In other cases, senior managers may receive an email designed to look as though it has been issued by a government agency in relation to unpaid taxes, fines or a customer complaint.

When it comes to accessing enterprise networks, criminals look for the path of least resistance. Often that means aiming spear-phishing campaigns at smaller suppliers and contractors, whose cyber security may be less mature, to acquire valid access credentials. With those credentials an attacker can enter the network quietly and launch an attack: stealing data, defacing websites, installing ransomware or establishing the persistent foothold that an advanced threat needs.

Minimise the risk

There are a number of best practices organisations can employ to protect themselves against spear-phishing and ransomware.

1. Educate users

Today's attackers target the weakest point of the network: its users. Email is the primary threat vector for many attacks, yet many users suffer from information overload and are less likely to scrutinise messages for signs of phishing.

Security awareness training is a key area for improving protection, and the Osterman Research findings confirm that organisations with well-trained employees are less likely to fall for a spear-phishing attack. Training needs to be conducted regularly and should cover how to recognise and report fraud or email compromise, good email habits, and safe practices when browsing the web.

2. Monitor and prevent

Deploy systems to detect and block phishing and ransomware attempts. Monitoring software should give IT teams full visibility, so that they can scan mailboxes regularly and trace a detected threat to the specific device that received it. Preventative measures, including scanning for web application vulnerabilities and for spyware already present, together with advanced threat detection tools, should also be in place. Finally, to ensure a rigorous damage-limitation strategy exists, review backup procedures to confirm that data across all platforms is recoverable, and test that restores actually work: a backup that cannot be restored offers no protection once ransomware has encrypted a machine.

3. Secure your cloud

Adopting solutions designed to work in the cloud ensures businesses are better able to protect their users, data and assets when using cloud-based productivity suites or other hosted services. These include heuristic scanning tools that look for commands or behaviours indicative of malicious activity, and cloud-based system emulators that open and examine attachments in a sandbox so that malicious files are identified before they reach users' systems.

4. Keep systems up-to-date

Every application and operating system should be regularly inspected for vulnerabilities and brought up to date with the latest vendor patches. Last year, Edgescan reported that 63% of all security vulnerabilities it found could have been eliminated simply by applying available security updates. Without the latest updates, known vulnerabilities remain exploitable however good the rest of your defences are.

5. Implement robust policies

Define thorough policies for email, web, collaboration, social media and the other tools deployed by the IT department, and make sure these cover the legal and regulatory obligations to encrypt emails and other content that contains sensitive data. Control or manage the use of personal devices that access corporate systems, ensuring employees know which tools and applications they should use when accessing corporate resources.

No organisation can afford to ignore the growing threat of targeted cyber attacks. Because these threats arrive through multiple vectors, an end-to-end strategy covering people, monitoring, patching and policy is crucial to addressing spear-phishing and ransomware and reducing the chances of infection.

© 2024 Professional Security Magazine. All rights reserved.
