Targeted Spear Phishing: Modern-Day Whale Hunting
“Great Riches From My Deceased Uncle, Who Was a Famous Nigerian Prince…”
Most of us remember the overplayed “Nigerian Prince” phishing email that was circulating back when dial-up internet was still the norm. We tell ourselves that we would never fall for something that obvious. Between the horrible grammar, the garbled email address, and the promise of “great riches from my deceased uncle, who was a famous Nigerian Prince,” it was difficult to fall victim. That's not to say it didn’t happen on occasion, but the success rate was nothing to brag about.
Today’s cybercriminals don’t want small fish. They want the big guys, and they have sharpened their techniques. They target specific, high-value individuals, a practice known as spear phishing. Picture a boat floating in the ocean, trolling for fish. But instead of casting a wide net and catching some small fish, today’s cybercriminals are hunting a giant whale.
An astounding 91% of successful data breaches begin with a targeted spear phishing attack. Cybercriminals must do their homework before launching a spear phishing attack. They will leverage any personal details that they can find against you. With the rise of voluntary information sharing sites such as Facebook, LinkedIn, Gmail, Twitter, and Instagram, among others, the amount of data they have at their disposal is staggering.
Fake Invoices? Huh?
Imagine that you own a furniture business and one of your suppliers is XYZ Upholstery Co. A cybercriminal might create a fake invoice from XYZ Upholstery Co and insert a malicious macro into the attached Excel document. Once you’ve opened the document and enabled editing, the macro goes to work and you’re infected.
It only takes one person in your organization to fall for this for the whole firm to become compromised.
The cybercriminal must invest more time in creating these types of specialized emails, but the reward is potentially much larger than with a generalized phishing attack. It’s important to educate your employees about the common red flags and warning signs of phishing emails, because this “human firewall” is your last line of defense against an attack.
Baseline Your Environment
Headwaters Group offers a simulated phishing attack to our clients where we “phish” your users. In short, we send the “fake” invoice and see who opens it. We provide a detailed monthly report that shows exactly which employees clicked on the links, what time they clicked, and their device type (PC, Mac, Laptop, or Tablet, for example), along with other metrics. Employers learn quickly which of their employees are vulnerable to these types of attacks. Staff meetings become a whole lot more interesting. We assign monthly training modules that help employees raise their individual awareness of current phishing trends. If you are interested in learning more, please schedule a call with our team today!