Spear Phishing: The Three Major Types of Attacks, and Best Practices to Counter Them

Also, scammers have become increasingly more sophisticated in their approach and techniques— they now use advanced social engineering tactics, and, vary and personalize the content of their emails so well they easily slip through spam filters.

Business Email Compromise (also referred to as CEO fraud, whaling, and wire-transfer fraud) represents only 6 percent of spearphishing attacks but has incurred US$12.5 billion in losses since 2013, according to the FBI. In most business email compromise attacks, scammers impersonate an employee within the victim’s z organization, and use spoofing, social-engineering tactics, and compromised accounts to get what they want, which range from sensitive financial and personal information to having a wire transfer made. Business email compromise scammers are among the most sophisticated cybercriminals today. Their attacks are carefully designed, targeted, and few, so they will not be zrecognized as spam. They are launched from email services with high-reputation scores so that they can go through security gateways easily. They contain no malicious links or attachments, so they are very difficult to detect and block with traditional email security. They come from legitimate (but compromised) accounts, and use domain and display-name spoofing, so they look more authentic to the victim. And to top it all off, scammers in this class use advanced social-engineering tactics to appear even more convincing to the victim.

WHAT YOU MUST DO: 8 WAYS TO COUNTER SPEAR PHISHING

According to our experts at Barracuda, every business should consider employing the following best practices to protect itself against attacks by the most sophisticated and resourceful cyber criminals today.

• Do not rely solely on traditional email security that uses blacklists for spearphishing and brand-impersonation detection. They do not sufficiently protect against attacks that use “zero-day” links, which are often hosted on domains that have either been inserted into legitimate websites or never been used in previous malicious attacks.

• Take advantage of artificial intelligence (AI) to counter spearphishing attacks of the business email compromise, brand impersonation, and sextortion varieties. Use purpose-built technology that does not solely rely on looking for malicious links or attachments in an email but leverages machine learning to zanalyze normal communication patterns within the zorganization and spots anomalies that indicate a possible attack.

• Deploy account-takeover protection. Use technology that leverages AI to recognize when accounts have been compromised and remediates in real time by alerting users and removing malicious emails sent from compromised accounts.

• Implement DMARC (Domain Message Authentication Reporting & Conformance) authentication and enforcement to help stop brand hijacking and domain spoofing (which is often used in impersonation attacks), and DMARC reporting and analysis to set enforcement.

• Use multi-factor authentication–such as an authentication code, thumbprint or retinal scan–to add layer of security to the username and password.

• Educate users about spearphishing attacks so they can zrecognize fraudulent emails and know how to report them, and have procedures in place to confirm requests that come in by email, including those that involve making wire transfers and buying gift cards.

• Conduct regular searches to detect emails with content known to be popular with cybercriminals, including subject lines related to password changes and security alerts.

• Ensure emails containing confidential, personally-identifiable and other sensitive information never leaves the company, with the right combination of business policies and technologies.

Check out: Top Managed Security Service Companies in APAC