Amongst the top threats noted, phishing and spear-phishing are at the top of concerns about security breaches. Phishing is the illegal attempt to acquire sensitive information such as usernames, passwords, and credit card details for malicious reasons, by masquerading as a trustworthy entity. A hacker will send emails to several email addresses, usually at random, appearing to come from a reputable and recognizable establishment. The receiver will open the email, believing it to be a legitimate email and perhaps click on a link or download a file, which will then be used to target the computer for malware or to trick the user into entering personal details.
Spear-phishing is essentially the same thing as phishing, except that the emails target certain companies or individuals within that company. Usually, a spear-phishing email will appear to come from a company that the targeted company does business with or from an executive within the targeted company itself. Spear-phishing is effective because most of the time the email seems to be from trusted sources. Typically, employees never second-guess opening them.
Why are Hackers Phishing and Spear-Phishing?
Phishing and spear-phishing are popular because they work. While it’s hard to get someone within a company to download and install an unknown program, it’s easy to get someone to open an email, especially when the email is from a seemingly trusted source. Many people are under the assumption that if you don’t click on anything, then there is no way to get infected, but that’s not necessarily true. Often a phishing email will be sent with a script that automatically runs when the email is opened, requiring you to do nothing but open the email to get infected.
How Can I Prevent Spear-Phishing From Compromising Our Security?
Some email programs, have complex spam filters that discover these malicious emails before they get to the inbox. For example, anybody with a basic knowledge of email headers can easily mask the email address to make it appear to come from somewhere else. Spam blockers will see this mask and flag the email as spam. If an email appears to come from someone important or trusted, but ends up in your spam folder, the user should be extremely cautious about opening it.
Of course, having a good antivirus program installed on all computers in your company is vital to securing your company’s data. This is often not adequate to ensure complete protection from possible attacks. The best method your company can use is educating the end users of the potential dangers and having a policy in place for dealing with emails with attachments or links. One such policy might be to always forward any email containing an attachment to the IT security administrator.
Security is a growing concern in 2015. It may be necessary to increase your security budget to combat this threat. Being aware of how the malware gets into your system and what to watch for in order to minimize infestations may not be adequate to survive this era of increased security breaches. Education and information is paramount to protecting your company from unauthorized breaches of security and the more you have in place, the less likely you will fall victim to an attack. Consider contracting with a security company that specializes in cyber security, IT security, and network security to maximize your company’s protection against phishing.