How to blunt spear phishing attacks

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren’t supposed to.

For example, Chinese hackers successfully broke into computers at The New York Times through spear phishing. So, what are the steps that IT execs can take to protect enterprise networks from spear phishing?

Most spear phishing attacks take one of two tacks: they appeal either to greed or to fear. Either they offer money, coupons, discounts or bargains that are too good to be true, or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or they present some other scenario in which you are required to enter personal information... or else.

While regular phishing typically involves unsophisticated mass mailings, spear phishes can appear to come from your own IT department, from your own payroll department, from a friend or colleague.

Here are some tips on how to teach employees to avoid getting spear phished.

  1. Read the return URL backwards, from right to left. The URL might start out with “www.bankofamerica”, but when it ends with 120 characters of gibberish, you might start to get suspicious. You can also hover your cursor over a link in an email to see the actual URL it will take you to (DO NOT CLICK ON IT; just hover over it to see whether it matches www.bankofamerica.com).
  2. Don’t fall for what’s being called the “double-barreled phish,” in which you respond to the email with a question, such as “Is this really my buddy Jim?” Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, “Yes, it’s me, Jim.” Of course, it isn’t Jim.
  3. Never open a PDF from someone you don’t know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.
  4. Never give out your password or other personal/sensitive information in response to an unsolicited query.
  5. IT managers should consider training classes targeted specifically at spear phishing.
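The right-to-left reading of tip 1 can be automated for a link-checking tool or a mail-gateway rule: take the host the browser would actually connect to, keep its right-most labels, and compare that with the domain the link text claims. The script below is an added illustration written for this article, not a product or the article's own material; the sample links are constructed, and the two-label "registrable domain" rule is a stated simplification (a real check would use the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed (display text, actual href) pairs as they might sit behind
# links in an email. Only the first one is honest.
SAMPLE_LINKS = [
    ("www.bankofamerica.com", "https://www.bankofamerica.com/login"),
    # Real host is account-verify.example; the bank name is just a subdomain.
    ("www.bankofamerica.com",
     "http://www.bankofamerica.com.account-verify.example/x/y?z=" + "a" * 120),
    # Everything before '@' is userinfo; the browser connects to the IP after it.
    ("www.bankofamerica.com", "http://www.bankofamerica.com@198.51.100.7/login"),
]


def registrable_domain(host: str) -> str:
    """Read the host right to left and keep the last two labels.
    Simplification: no Public Suffix List, so 'example.co.uk' is not handled.
    IP literals are returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host.lower()
    return ".".join(labels[-2:])


def link_target(href: str) -> str:
    """Host the browser would actually contact. urlsplit().hostname drops any
    'user@' prefix, which is exactly the trick the '@' style of link relies on."""
    parts = urlsplit(href if "://" in href else "http://" + href)
    return (parts.hostname or "").lower()


def check_link(display_text: str, href: str) -> dict:
    """Compare the domain a link claims (its visible text) with the one it goes to."""
    actual_host = link_target(href)
    actual = registrable_domain(actual_host)
    reasons = []
    # Only compare when the visible text itself looks like a host or URL.
    if "." in display_text:
        shown = registrable_domain(link_target(display_text))
        if shown != actual:
            reasons.append(f"display domain {shown!r} != actual domain {actual!r}")
    if "@" in urlsplit(href).netloc:
        reasons.append("'@' in link hides the real host behind a fake one")
    if len(href) > 100:
        reasons.append(f"unusually long link ({len(href)} chars)")
    return {"actual_host": actual_host, "actual_domain": actual,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(text, "->", check_link(text, href))
```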

PhishMe is one of several companies that offer a SaaS-based program whereby IT groups can send fake spear phishing emails to employees and then measure the failure rate.

PhishMe customers are often stunned to find failure rates – in other words, the percentage of end users who click on a spear phish and enter a password – in the 80% range.

When an end user falls for a PhishMe phish, a giant flash card appears on their screen announcing that they’ve been phished and detailing what they did wrong. The company offers pre-built phishing templates, and customers can also customize their own spear phishing emails.

Customers receive reports on the success of the spear phishing training program down to the individual end user. He says some companies might take punitive action against an employee who repeatedly clicks on fake phishes, while other companies are using gamification to reward good behavior and to keep people on their toes.

They also noticed that when companies stop the training programs, employees revert to their old behavior, so it makes sense for companies to make anti-spear-phishing programs a way of life.