fishing reel and lures

Spear-phishing is a major threat to organizations of all kinds, large and small. The hacking and subsequent release of thousands of emails from a Clinton campaign official during the 2016 presidential election may be the highest profile example of the potential danger from this persistent cybersecurity threat, but it’s far from the only one.

In fact, studies have suggested that spear-phishing campaigns account for up to 91% of cyberattacks. Worse, a 2016 Verizon study found that nearly 30% of phishing messages were opened, up from 23% in 2014. An investigation by reporters from the tech site Gizmodo in May 2017 found that members of the Trump administration were willing to click on fake Google Docs links from a patently false email address.

How to Tell When an Email Smells Phishy

Spear-phishing is a more targeted–and potentially more dangerous–form of the classic phishing scam. But where the phishing attacks of yore generally sought to collect any information they could gather from anyone, spear-phishing attacks are aimed at specific organizations and even certain individuals. These attacks can be used to access sensitive systems and make off with customer data or trade secrets, but they can also be used to install regular old malware and ransomware.

Unlike other methods of cyber-intrusion, spear-phishing doesn’t rely on technical vulnerabilities–the weak points are members of the organization itself, a lesson many organizations, including Sony, Anthem, and Target have learned the hard way. (These sorts of attacks are referred to in the security world as “social engineering.”)

In general, spear-phishing emails share these characteristics:

  1. They appear to come from a trusted source, like a credit card company, PayPal, Amazon, Google, the U. S. Postal Service, or the IRS.
  2. They urge the victim to “confirm” their user information or “update” their password by clicking on a link to an external website, often using a disguised URL.
  3. They warn that if action isn’t taken within a certain amount of time, the victim’s accounts may be disabled.

In the last several years, however, a newer and much more sophisticated method has emerged, one involving bogus Google Docs. These attacks take the form of invitations to view or edit a Google Doc. Worse, they appear to come from people the victim knows. When the victim clicks on the malicious link, they’re taken to a legitimate Google login portal. The evil genius of this particular scam is that it uses a simple web app that’s designed to look like Google Docs and is named Google Docs, and uses the regular Google portal, meaning the normal tricks for identifying a phishing attack (looking for fake URLs and domains, for example) won’t work here.

Once the victim logs in, they’re redirected to a third-party web app that looks exactly like Google Docs and asks for permission to manage the victim’s Gmail account. Once the victim gives permission, the malicious web app will take over the victim’s email account, sending more bogus invitations to everyone in their address book. These attacks can be so hard to spot that even the professional tech writers at TechCrunch fell victim, along with the BBC, BuzzFeed, and multiple government agencies and universities.

IT Goes Phishing at Work

So how should organizations respond to this threat? Partly in response to their own hacking during the 2016 election, the Democratic National Committee has turned to an increasingly popular method of training employees to recognize and avoid phishing emails: They’re actively phishing their own employees.

Simulated phishing attacks generally have one or two goals: To train users to avoid real phishing attacks in the future, and to help the organization understand their security vulnerabilities and develop solutions. Depending on the organization’s goals, there are lots of ways to go about conducting phishing simulations. Some IT departments may plan and conduct their own phishing simulations, but it’s also common for organizations to turn to third-party software and services.

At one end of the spectrum are a number of free or open-source tools that enable you to create a simple email and send it to a number of recipients from a specified email server. These tools typically offer few educational or reporting features. At the other end are fully managed SaaS platforms that come with customizable campaigns, interactive training modules, and extensive reporting tools. Some of the most popular options in the latter category include products like PhishMe, KnowBe4, Wombat, PhishLabs, and SecurityIQ PhishSim.

Tips for a Successful Phishing Expedition

Just because you’ve succeeded in tricking your employees does not mean you’ve succeeded in preparing them to spot future attacks. As with any type of training, there are right and wrong ways to go about it.

Getting phished does not feel good (this writer knows from experience) and getting phished by your own company can potentially alienate employees, precisely the people you’re trying to bring over to your side. So how can you make sure that your employees and staff members get the message and know what to look out for in the future?

Sometimes IT only sends out instructions or advice well after the actual simulation, but this may be a mistake. People who conduct simulated phishing attacks for a living say a successful simulation makes a direct connection between the action and the response. Scott Greaux of PhishMe advises that feedback should be “immediate, actionable, and constant,” otherwise the benefit of the exercise may be lost.

It’s also important to be able to accurately gauge and measure your organization’s progress. That’s why KnowBe4 advises organizations to conduct an initial phishing test to establish your organization’s baseline vulnerability. That way, you can develop targeted strategies to identify and address specific vulnerabilities.

One last thing to keep in mind: phishing testing should not be a one-off exercise. Keeping your organization prepared is an ongoing concern, which is why it’s important to conduct periodic tests. Remember: the point is not just to catch your employees making mistakes, but to help them develop strong habits when it comes to email security.

Hire a Security or Social Engineering Expert

Want to learn more about organizational security? Check out our articles on two-factor authentication and penetration testing for more tips on how to protect your business from cyber attacks. You may also want to consider hiring a skilled internet security expert who can help you identify weak points in your IT infrastructure and develop strategies to address them.