Navigant's Cyber Risk and Information Security Practice


Targeted “Spear Phishing”: Here’s Why You’re at Risk
14 April 2015

Employee Training, IT Security

Technology pervades every aspect of our professional and personal lives, so it is no wonder that criminal organizations have spent years refining their techniques for stealing sensitive information from unsuspecting individuals. That information is then used for identity theft, corporate espionage, financial theft, extortion and similar crimes. Security technology improves constantly in an effort to keep pace with attackers' latest techniques.

But even the best technology is not enough. Despite heavy investment by organizations in security-related technology, the weakest link in an organization's security remains its employees. Humans make mistakes, and attackers know it.

One of attackers' most effective tools is the “phishing” attack, which exploits the human tendency to trust, along with the limited knowledge of technology and social engineering that most people have.

Phishing is the attempt to collect sensitive information electronically by pretending to be a trusted entity. Typically it takes the form of an email that appears to come from an organization the recipient believes is legitimate. In reality the email comes from an attacker trying to gain access to the recipient's sensitive personal or business data.

A specialized form of phishing is called “spear” phishing. Spear phishing is a targeted attack on key individuals at an organization, or sometimes on specific organizations. The reasoning is that these individuals likely possess highly sensitive information and are therefore higher-value targets. Typical spear-phishing targets include executives in sensitive positions.

These are the same types of individuals who frequently use social media sites such as LinkedIn and Facebook, and attackers mine those public profiles for the details (employer, role, colleagues, interests) that make a lure convincing.

But social media sites are not the only sources of information that can be used in spear phishing. Another very effective information-gathering method is good old-fashioned dumpster diving. You can build a good picture of an individual's personal interests by looking through their trash. Walking around a neighborhood, one can quickly see who likes golf, who just bought a new TV, or who just had a baby simply by glancing at the trash in front of each home. If you just bought new golf clubs or golf shoes, an email offering you a free round of golf might entice you to click a link that installs malware. Or the link might take you to a website that looks like a legitimate golf course's site but was in reality set up to collect your information when you “register” for your free round.

The most effective way to protect your organization from a phishing attack is employee education. Raising awareness and arming employees with the information they need to recognize suspicious emails is critical. Humans are trusting by nature, but armed with the right information they can be valuable defenders of an organization's information assets.

Here are some key things your employees should know:

  • Do not click links embedded in emails. Instead, open the organization's website by typing its address or using an existing bookmark, and navigate to the page from there.
  • If an email requests information such as account numbers or contact details, call the sender to validate the request before providing anything, using a phone number you already have or look up independently, never one printed in the email itself.
  • Do not open attachments unless they come from a known source and the sender has confirmed sending them.
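The first bullet exists because the text of a link and the address it actually opens are independent, and phishing emails routinely show one while pointing at another. The following Python script, added here as an illustration and not part of the original article, parses a constructed sample message and flags two signs of that deception: anchor text that displays one domain while the href goes to a different one, and links whose domain does not match the sender's. All hostnames in the sample are hypothetical and use reserved example domains.

```python
"""Flag common phishing-link deceptions in an email.

Added example. SAMPLE_EMAIL is a constructed lure; every hostname in it
is hypothetical. Two checks are performed on each <a> element:
  1. visible link text that looks like a URL but points elsewhere
  2. a link domain that differs from the From: address domain
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "free round of golf" lure. The first link shows a
# plausible golf-club URL as its text while the real href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Pinehurst Golf Club" <offers@golf-deals.example.net>
To: jdoe@example.com
Subject: Your complimentary round is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Register at <a href="http://pinehurst-register.example.org/claim?id=42">
https://www.pinehurstgolf.example.com/free-round</a> to claim your round.</p>
<p>Questions? See <a href="https://www.pinehurstgolf.example.com/faq">our FAQ</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Good enough for this demo; a production tool would consult the
    public suffix list so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def analyze(raw_message):
    """Return a list of (kind, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",)).get_content()

    parser = LinkCollector()
    parser.feed(body)

    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Check 1: the text shown to the reader is itself a URL, but its
        # domain is not where the click actually goes.
        if looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(("text_href_mismatch",
                                 f"shows {shown_host} but goes to {href_host}"))
        # Check 2: the link leaves the sender's own domain entirely.
        if registrable_domain(href_host) != sender_domain:
            findings.append(("offdomain_link",
                             f"{href_host} differs from sender {sender_domain}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Run against the sample, the first link triggers both checks (its visible text names one domain, its href another, and neither is the sender's), and the FAQ link triggers only the off-domain check. Neither finding proves the message is malicious on its own; legitimate marketing mail also links across domains. The point is that the information an employee needs (where the link really goes) is in the message but hidden behind the displayed text, which is why hovering over or inspecting a link, or simply not clicking it, is the advice above.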

Another effective method for raising awareness is a simulated phishing exercise, which includes all of the steps of a criminal phishing attack except that it is performed by a member of the security organization or a security consulting firm. The purpose is to expose areas of weakness and to show employees how easily they can be victimized. Such a simulated attack, combined with training, can significantly strengthen the weakest link in any organization's security posture.

Comprehensive Applied Security Solutions (COMPASS) has developed a methodology that deploys the latest technology and data-protection best practices to perform comprehensive assessments — including simulated phishing attacks and employee awareness training. This methodology enables our clients to cost effectively address their cyber security needs.

In today’s hyper-connected world, every organization is just one data breach away from being a leading story on the news and social media, which can severely damage its reputation and brand. Find out how to protect your institution. Contact COMPASS to learn more about our methodology and service offerings and how they can help your organization develop a robust cyber security ecosystem.
