What Is Spear Phishing and Why Is It So Dangerous?

NetgainCybersecurity & Compliance, Financial IT, Healthcare IT

You’ve ordered a dozen times from Amazon, but one day you receive an email asking you to confirm the details of your recent order. The problem is that you haven’t ordered anything from Amazon in the past few weeks. Something just doesn’t seem right with the email, but it looks legitimate. This is a classic example of a phishing attack, and they’re alarmingly effective.

Hackers send out mass emails trying to lure recipients into clicking malicious links. The emails look like they come from reputable companies that you might have done business with (who hasn’t ordered something from Amazon?), so if you’re not careful, it’s easy to get tricked into providing sensitive information, and there are plenty of people who fall victim to these scams every day.

Phishing attacks are scarily effective, but an attack can be easy to identify if you know what to look for. And, if you didn’t recently place an Amazon (or a Walmart.com) order, it’s easy to spot a phishing email. Hackers don’t care if the attack doesn’t work on you, because there are still plenty of victims that fall for the attacks.

However, today’s hackers are getting more sophisticated. Whereas phishing relies on casting a wide net to catch a few fish, spear phishing involves identifying a handful of high-value targets and creating customized attack strategies to gain access. Organizations that store highly sensitive data like a medical practice and their patients’ medical records or an advisory firm and their clients’ financial information are often targeted in these spear phishing attacks because if they find a victim they can gain access to dozens or hundreds of records, not just one.

So, what does a spear phishing attack look like?

A spear phishing attack is often designed to be as inconspicuous as possible. Hackers will first do extensive research on their target victim. They might research the company’s executive team and their email address to find out who to set as the sender. Then, they might spoof the executive’s email address to send an email to a direct report asking them to review the attached budget spreadsheet.

Think about it. If you received an email from a superior or someone you trust with an appropriate request, would you think twice about opening the email and clicking a link?

What can you do to help protect your team? It starts with awareness.

Easier said than done in today’s fast-paced workplace, and since there is such a personal element to these attacks, it can be easy to fall victim. Train your team to treat any emails with links or attachments with suspicion. Does the tone of the email sound like that of the sender? Are you expecting them to send the attachment or link (do you and the sender have frequent budget conversations?)?  When you hover your mouse over the link, does the link preview look like a legitimate link?

Train team members to be hypervigilant, and encourage them to call the sender or stop by their workstation to ask them if they truly sent the email, before they click on anything,

When it comes to protecting your practice or firm’s sensitive data, an ounce of prevention is worth a pound of cure.