A new survey has shown spear-phishing to be keeping IT professionals up at night. Carried out by Cloudmark, the project surveyed 300 IT professionals on their experiences with this targeted form of credential grabbing and found that spear-phishing is a larger threat than one might expect. The findings are stark.
A study of 150,000 phishing emails by Verizon partners found that 23 percent of recipients open phishing messages, and 11 percent open attachments. One in 10 people opens an attachment when they have no idea what they’re opening!
And it happens fast: It takes an average of 82 seconds from the time a phishing campaign is launched, until the first person falls victim. And this isn’t just phishing in people’s Gmail accounts. It’s happening on sensitive business and government accounts where the targets should theoretically know better.
Nearly three-quarters of the IT professionals interviewed feel that spear-phishing poses a significant threat to their organisation, and still more expect that threat to grow. Nearly half, 42 percent, put spear-phishing within their top three security concerns.
Phishing attacks cannot be prevented by technology. It’s a people thing. Education and awareness are the only way to prevent an attack of this nature.
How to avoid a phishing attack.
1. Asking for Personal Information is a Red Flag
Few (if any) websites, banks or businesses will ask you for confidential personal information, or financial information, in an e-mail. If you receive an e-mail requesting you to supply this information, you should treat the request with suspicion.
2. Check the Sender’s E-Mail Address
The first phishing giveaway is often the sender’s e-mail address. Even if the e-mail itself looks legitimate, that address often stands out as being questionable. For example, if you receive an e-mail from Apple and the sender’s address is AppleSupport765@hotmail.com, this is clearly not really from Apple.
3. Watch for Links and Attachments
The objective of a phishing attack is usually to get you to download an attachment, or to click on a link. Use extreme caution with attachments – they can be disguised malware that will infect your PC. Don’t click links within an e-mail that you are at all suspicious of. What looks like a legitimate hyperlink can be a disguised link to a criminal website. When in doubt, hover your mouse over the text of the hyperlink (you should see the full URL, which will help to show whether it leads to a legitimate website) or, better yet, open a browser window and type the address in yourself so that you cannot be redirected.
If you receive an e-mail from someone you know with apparently nonsensical or out-of-character text, don’t click on anything. In all likelihood, their e-mail account has been hacked and all of their contacts are now targets of a spear-phishing attack.
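Checks 2 and 3 above (a sender domain that does not match the brand the message claims to come from, link text that names a different host than the real link target, and the presence of attachments) are mechanical enough to script. The triage script below is an added example written for this page, not code from the article or from Cloudmark or Verizon; the `KNOWN_BRAND_DOMAINS` table and the sample message are constructed for the example and are not real sender data.

```python
"""Added example: apply the sender-domain and link-mismatch checks from the
checklist above to a raw e-mail message and return a list of findings."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table for this example: brand keyword -> domains it mails from.
# A real deployment would maintain its own list; these entries are illustrative.
KNOWN_BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com"},
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(text):
    """Hostname of a URL, or of bare text that looks like one; 'www.' is dropped."""
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def sender_domain(msg):
    """Domain part of the address actually used in the From header."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return human-readable findings for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Check 2: the display name claims a brand but the address is elsewhere.
    dom = sender_domain(msg)
    display = (msg["From"] or "").lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display and dom not in domains:
            findings.append(f"sender claims to be {brand} but mails from {dom}")

    # Check 3a: visible link text names one host, the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "." in text and hostname(text) != hostname(href):
                findings.append(f"link text {text!r} points to {hostname(href)}")

    # Check 3b: any attachment at all is worth a second look.
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()!r}")
    return findings


# Constructed sample message for this example (no real sender or recipient).
SAMPLE = """\
From: Apple Support <AppleSupport765@hotmail.com>
To: recipient@example.com
Subject: Your receipt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review your purchase at <a href="http://apple.com.example.net/login">https://www.apple.com/account</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("FLAG:", finding)
```

The link check deliberately compares only the hostnames, after dropping a leading `www.`, so that `https://www.apple.com/account` shown as text for a link to `apple.com/account` is not flagged; anything stricter produces noise on legitimate marketing mail, anything looser misses the `apple.com.example.net` trick the sample uses.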
4. Typos Are a Red Flag
For some reason, cyber-criminals seem reluctant to invest in copy editing. One of the easiest ways to spot an e-mail sent as part of a phishing attack is typos. Most that I receive are full of spelling errors, poor grammar and syntax, and ugly text layout.
5. When In Doubt, Contact the Supposed Sender
Sometimes the bad guys pull things together and manage to generate a spear phishing campaign that’s really difficult to detect. The e-mail appears to come from a legitimate source, it references something that could be legitimate (like a recent purchase you made) and it’s polished and official looking. If you’re not expecting this e-mail, pick up the phone and call the originating company’s customer service, or send an e-mail directly to their customer service to verify they sent it.
6. Install Security Software and Be Smart About Passwords
As an added layer of defense, security software is never a bad idea. Some Internet security packages have a feature that automatically detects and blocks fake websites, adding a failsafe in case you accidentally click on a link you shouldn’t. And it goes without saying that you should be using a unique password for each website where you are required to log in. If you’re a phishing victim, this can help to contain the damage.
If you follow these steps, you will minimize your risk of becoming a spear-phishing victim. (Forbes)