Rarely a day goes by that there isn’t an organization or government entity that falls victim to a phishing attack. Many phishing attacks do not target specific companies or individuals and do a wide sweep to catch anyone they can in their net.
However, according to the SANS Institute, 95% of successful attacks on enterprise networks take place via spear phishing. These attacks use social engineering techniques to trick specific users into believing the person or entity they are emailing is legitimate. For example, they may think their message is going to a business they are currently working with or to a superior.
A great example, or should we say a bad one, is the case of Ubiquiti Networks handing over $40 million to fraudsters in the summer of 2015. The networking equipment company revealed that its finance department was a target, resulting in transfers of $46.7 million held by a subsidiary in Hong Kong to third parties overseas. The supposed executives used spoofed email addresses as well as look-alike domains.
BenefitMall is another company that suffered negative repercussions of spear phishing. This particular attacker stole an employee’s login credentials, thus gaining access to the business’ website and leaking consumer information, which included everything from bank account details to sensitive insurance information. BenefitMall worked with more than 20,000 trusted advisors and 200,000 small businesses, so to say that their reputation suffered severely is an understatement.
What to Expect from a Spear Phishing Email?
The attackers’ messages often include urgent explanations as to why sensitive information or a money transfer is needed. In other cases, the recipients will be asked to open a malicious attachment or click on a link leading to a website that will subsequently copy their login credentials, account numbers, PINs, and access codes. A great example of this is a message redirecting someone to what looks like their legitimate Google account login page.
The problem with spear phishing, and why it is so incredibly successful, is that these schemes can be very difficult to detect. People often don’t pay careful attention to the URLs or addresses, especially when the message appears to be from a superior or business partner. The unfortunate reality is that, according to Intel, 97% of people are unable to identify sophisticated phishing emails.
Preparing Your Client’s Staff
Employees can be the weakest link when it comes to spotting scams. Fortunately, that doesn’t have to be the case. Increasing your clients’ overall security awareness can go a long way in protecting their organizations. Keeping their staff up to date with the latest threats is critical as attackers constantly change tactics and share details on the latest email schemes so everyone knows what to look for and how to avoid being duped by these schemes.
Emphasize the need to check sources. Banks and reputable organizations your clients work with will never ask for passwords or personal information via email, and it’s highly unlikely anyone else will inquire about those credentials online. Email users should question every message with these types of requests. If there is any doubt, they should call the other party directly to confirm the message. Better yet, have them call your team to report the suspicious activity and validate the message.
Also, remind clients to avoid clicking links in emails: Instead of opening URLs from messages, even if they appear to be from a known source, suggest they visit the known website directly from their browsers. Recommend they add bookmarks to regularly visited websites to speed that validation process.
Implement email security: The ability to quarantine spam, viruses, and malware with email security can make it that much easier for your client’s staff to spot and stop potential attacks. This technology is absolutely necessary for every business and should be part of the basic offering for every MSP today.
Enhanced data security is another “must do” for your managed services clients. While we’d love to believe that keeping a close eye on the emails we receive and implementing preventative technology is enough, at the end of the day, there will always be end users who get duped by phishing attacks. Combining user education and data security best practices will help prevent data loss when those situations occur.
Phishers are constantly on the prowl, which means your clients need to be on constant watch. Make their job a little easier with the all-encompassing email security protections that Mailprotector offers. Ready to get started? Visit our partner page to learn more: https://www.mailprotector.com/partners/