Rather than casting their net wide and hoping to get lucky, spear phishing scammers do their homework before specifically targeting your business.
There’s no shortage of malware and business security scams lurking in the shadows, but they’re usually not targeted specifically at you. Most bogus FedEx missed delivery notifications, phoney overdue delivery bills and fake ASIC renewal letters rely on the fact that they could apply to any business – hoping that someone, somewhere will click on the link or open the attachment before realising they’re being scammed.
Even if they’re not picked up by your spam filter, these generic scams typically aren’t too difficult to spot if you keep your wits about you. Scammers know they’ll only claim a handful of victims, but they’re playing a numbers game.
Spear phishing is far more insidious and much more difficult to spot because scammers choose their mark with care and then do their research. Rather than firing off a generic-looking bogus email, they’ll craft a convincing email that targets specific staff and often appears to come from a legitimate source such as a partner, supplier or customer.
Sometimes these emails might contain a malicious payload, whether it be ransomware or something more subtle like a keylogger sniffing for passwords. Other times the goal might be to trick you into handing over money via an international transfer, targeting a staff member who is authorised to make such transactions and may not suspect anything out of the ordinary.
Other times spear phishing emails are the first step of a multi-stage attack, gathering information for the next stage of their plan. It’s even possible that one of your partners, suppliers or customers is the actual target.
Spear phishing emails can even appear to come from within. Business Email Compromise scams involve scammers breaking into an email system and impersonating senior management, instructing subordinates to urgently transfer money or release sensitive business information.
Scammers bide their time, waiting for a day when the business is most vulnerable – such as when that senior manager is travelling and thus difficult to contact in order to query their unusual request for an urgent money transfer.
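The Business Email Compromise pattern described above (an executive's name on the message, a money-transfer request, pressure to act now, and an excuse for why the "sender" can't be reached) can be turned into a mail-flow check. This is an added example, not code from the article or from any product it mentions; the company domain, the executive list, the confusable-character rule and the sample message are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed configuration for a hypothetical company (not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Citizen": "jane.citizen@example.com"}  # display name -> real address

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
TRANSFER = re.compile(r"\b(wire|transfer|bank details|invoice|payment)\b", re.I)
EXCUSE = re.compile(r"\b(confidential|keep this between|can't talk|in meetings|travelling)\b", re.I)

@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

def normalise_domain(domain: str) -> str:
    # Assumed confusable map: digits/letter pairs commonly swapped in lookalike domains.
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")

def assess_bec(headers: dict, body: str) -> Verdict:
    """Score one inbound message for the BEC indicators the article describes.
    Higher score = more reason to hold the message for a manual verification step."""
    v = Verdict(0)
    name, addr = parseaddr(headers.get("From", ""))
    _, reply = parseaddr(headers.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # 1. Executive's display name, but not the executive's real address.
    real = EXECUTIVES.get(name)
    if real and addr.lower() != real:
        v.score += 4; v.reasons.append("exec display name with foreign address")
    # 2. Lookalike domain: differs from ours only by confusable characters.
    if domain != COMPANY_DOMAIN and normalise_domain(domain) == COMPANY_DOMAIN:
        v.score += 3; v.reasons.append(f"lookalike domain {domain}")
    # 3. Reply-To silently routes replies away from the visible sender.
    if reply and reply.lower() != addr.lower():
        v.score += 3; v.reasons.append("reply-to differs from from")
    # 4. Content cues: urgency, money movement, and a can't-verify excuse.
    if URGENCY.search(body): v.score += 1; v.reasons.append("urgency")
    if TRANSFER.search(body): v.score += 2; v.reasons.append("payment request")
    if EXCUSE.search(body): v.score += 1; v.reasons.append("unavailability excuse")
    return v

# Constructed sample reproducing the travelling-manager scenario.
SAMPLE = {"From": "Jane Citizen <jane.citizen@examp1e.com>",
          "Reply-To": "ceo.jane@freemail.test"}
SAMPLE_BODY = ("I'm travelling and in meetings all day. Please transfer the supplier "
               "payment today and keep this confidential until I'm back.")

if __name__ == "__main__":
    print(assess_bec(SAMPLE, SAMPLE_BODY))
```

The score is a triage signal, not a verdict: the protocol the article calls for (an out-of-band call-back to the manager before any transfer) is what actually stops the fraud, and a message from a genuinely compromised mailbox will only trip the content cues.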
Technical countermeasures alone will struggle to keep your business safe if you’re the subject of a spear phishing attack. The best line of defence is internet security awareness training for those staff most likely to be the subject of targeted attacks due to their access to the finance system or sensitive business information. They need to develop an eye for detail and a healthy scepticism, while the business needs to establish clear protocols to ensure scammers can’t bypass security checks.
Business security on the internet isn’t just the responsibility of the IT team. It’s important that everyone in your organisation does their part to defend against scammers.