The hackers that breached the Democratic National Committee and Hillary Clinton’s presidential campaign used targeted phishing. And the next victim of an attack like this could be you.
In targeted phishing attacks, cybercriminals send tailored emails to specific users to try to lure them into clicking on malicious links or opening attachments that carry malware. Once that malware runs, there’s no telling what damage it can do – and how fast.
Read on to learn more about these attacks and how to stop them from affecting your users.
A step up from spam
Have you ever received an email from a sender claiming that you have just inherited a large sum of money?
Phishing has evolved since the days of unclaimed fortunes. Today’s targeted phishing, or spear-phishing attacks, include emails tailored to specific businesses or individuals.
Imagine you’ve ordered something from an online retailer. Later, you receive an email from that retailer informing you that something has gone wrong with the transaction. The sender asks you to click on a link to fix it. Big mistake.
In another scenario, you receive an email at work with a seemingly innocent attachment, such as an invoice. The logo, fonts, email addresses, and even the link you’re being asked to click on could well look genuine. But, lurking behind the scenes is a malicious program ready to infect your network.
CEO or cybercriminal?
According to recent research, Business Email Compromise (BEC) scams rose dramatically in 2016.
BEC scams, also known as CEO fraud, rely on targeted phishing emails. Attackers send emails to employees pretending to be the CEO or senior management, requesting that they transfer large sums of money.
Requiring little expertise and with substantial financial rewards, it is not hard to see why BEC scams are a favorite of attackers and pose a massive problem for businesses.
Unbelievably, over 400 businesses were targeted with BEC scams every day in the first six months of 2016. The malicious emails carried simple subject lines like “Urgent” or “Request” and were sent Monday to Friday, during the working week, when a short request from the boss looks routine.
What harm can a Word file do?
What type of file do you think is most commonly used as a delivery mechanism for malware?
Surprisingly, in 2015, hackers used the Microsoft Office file type .doc in over 40% of attacks and .xls in 6%. Executable file types were also a popular choice for attackers, used in 36% of attacks. A .doc rarely carries the payload itself: it usually contains a VBA macro that, once the user clicks “Enable Content”, downloads and runs the real malware, or it exploits a parsing bug in Office. Either way, the file looks like an ordinary document until it is opened.
How to protect your data from targeted phishing
Attackers only need to succeed once, but you need to protect your accounts against every attempt.
And while hackers can focus all their attention on accessing information without authorization, you also have a business to run.
The four essential tips below should make securing your organization a little easier.
1. Train your employees
Employees who recognize, avoid and report emails that don’t appear to be legitimate are a phenomenal resource.
But for them to be able to do this, they need training and information. Make sure each employee is acutely aware of the data under their care – and why it is valuable to attackers. For BEC in particular, give finance staff a simple rule: any request to transfer money or change payment details is confirmed out of band, by phoning the requester on a number already on file, never by replying to the email.
2. Use multi anti-malware scanning to your advantage
Conventional antivirus and anti-spam software relies largely on signatures of threats already seen, so a payload built for one targeted campaign can slip past it.
Multi anti-malware scanning programs run each attachment through several anti-malware engines. Because the engines use different signatures and heuristics, a sample one of them misses is often caught by another, which gives multi-layered protection that identifies many more types of malware.
3. Choose your attachments and links wisely
As we’ve mentioned, a lot of targeted phishing uses harmless-looking file formats like .doc.
If you’re worried about targeted phishing, you can change the format of attachments in incoming emails. This strips macros, embedded objects and other active content that might make it past your antivirus engine. For example, you can turn Word documents into PDF files. Make sure the conversion produces a flattened PDF, since PDFs can themselves carry JavaScript and embedded files.
To make it even harder for malware to spread, block potentially dangerous attachment types like .exe and scripts. Decide by the file’s content, not just its name: attackers rename executables and use double extensions such as invoice.pdf.exe, and a macro-enabled .docm renamed to .docx still contains its macros.
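The attachment checks above (inspect content before the file name, catch double extensions, block executables and scripts, and route macro-free Office files to conversion) as an added example. This is illustration code written for this article, not a product or code from the original post; it assumes a hypothetical mail-gateway hook that hands it each attachment’s name and bytes, and it uses constructed sample attachments rather than real malware. The legacy OLE macro test is a byte-string heuristic, not a full compound-file parser.

```python
import io
import zipfile

# Extensions that should never reach a mailbox as-is (assumption: a typical gateway block list).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "dll", "msi", "bat", "cmd",
                      "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "hta", "jar", "lnk"}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm"}
OFFICE_EXTENSIONS = {"doc", "dot", "docx", "xls", "xlt", "xlsx", "ppt", "pptx", "rtf"}

MZ_MAGIC = b"MZ"                                   # PE executable (.exe, .dll, .scr, ...)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) is a zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary Office (.doc/.xls)


def extension_chain(filename):
    """'invoice.pdf.exe' -> ['pdf', 'exe']; every element is checked, not only the last."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def ooxml_has_vba(data):
    """OOXML files keep macros in a vbaProject.bin part; a .docx carrying one is really a .docm."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_vba(data):
    """Heuristic for legacy OLE files: directory entry names are UTF-16LE, and a VBA project
    appears as a 'Macros' storage plus a '_VBA_PROJECT' stream."""
    return ("Macros".encode("utf-16-le") in data
            or "_VBA_PROJECT".encode("utf-16-le") in data)


def classify_attachment(filename, data):
    """Return ('block' | 'convert' | 'allow', reason).
    Content is tested before the name because the attacker chooses the name."""
    exts = extension_chain(filename)
    last = exts[-1] if exts else ""
    if data.startswith(MZ_MAGIC):
        return "block", "PE executable by magic bytes, named .%s" % (last or "(none)")
    for ext in exts:                      # catches invoice.pdf.exe as well as update.js
        if ext in BLOCKED_EXTENSIONS:
            return "block", "blocked extension .%s in %s" % (ext, filename)
    if last in MACRO_EXTENSIONS:
        return "block", "macro-enabled Office type .%s" % last
    if data.startswith(ZIP_MAGIC) and ooxml_has_vba(data):
        return "block", "OOXML file carries vbaProject.bin despite .%s extension" % last
    if data.startswith(OLE_MAGIC) and ole_has_vba(data):
        return "block", "legacy OLE document contains a VBA project"
    if last in OFFICE_EXTENSIONS or data.startswith(OLE_MAGIC):
        return "convert", "Office document: flatten to PDF to drop macros, OLE objects and links"
    return "allow", "no dangerous indicators"


def _make_ooxml(with_vba):
    """Constructed minimal OOXML-shaped zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments for the demo (not real malware): name -> bytes.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "readme.txt": b"MZ\x90\x00" + b"\x00" * 60,            # executable renamed to .txt
    "update.js": b"new ActiveXObject('WScript.Shell');",
    "quote.docx": _make_ooxml(with_vba=True),               # .docm renamed to .docx
    "payroll.docx": _make_ooxml(with_vba=False),
    "report.doc": OLE_MAGIC + b"\x00" * 32 + "_VBA_PROJECT".encode("utf-16-le"),
    "notes.doc": OLE_MAGIC + b"\x00" * 64,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def scan_all(attachments=SAMPLE_ATTACHMENTS):
    """Classify every attachment; returns {name: (verdict, reason)}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_all().items():
        print("%-16s %-8s %s" % (name, verdict, reason))
```

Archives are deliberately not handled here: a gateway should recurse into .zip and similar containers and treat password-protected archives, which cannot be inspected, as blocked or quarantined rather than allowed.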
Since links to malicious websites often look authentic, don’t use links in emails to access a site unless you know that it’s the real thing. The text of a link and the address it actually points to are set independently, so hover over a link to see its real destination before clicking. Typing URLs straight into the address bar is a quick and easy way to make sure you get directed to a genuine website.
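The same link checks, automated for a mail gateway, as an added example written for this article rather than taken from the original post. It parses the anchors out of a constructed HTML email body and flags a link when its visible text names one host but the href goes to another, when the host is a bare IP address or a punycode (IDN) name, or when the organization’s own name is embedded in a domain it does not control. The trusted domain example.com and the attacker hosts under .invalid and 198.51.100.7 are constructed placeholders, and the two-label registrable-domain rule is a simplification of what the Public Suffix List would give.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not real mail) of the kind the post describes.
SAMPLE_EMAIL_HTML = """
<p>Your recent order could not be processed. Please
<a href="http://example.com.verify-order.invalid/login">update your payment details</a>.</p>
<p>Or visit <a href="http://198.51.100.7/p/">https://www.example.com/orders</a> directly.</p>
<p>Questions? See our <a href="https://www.example.com/help">help center</a>.</p>
<p><a href="http://xn--exmple-xta.com/">Example account security</a></p>
"""

TRUSTED_DOMAINS = {"example.com"}   # assumption: the retailer's real registrable domain

# Visible link text that looks like a URL or hostname (no spaces, has a dotted TLD).
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_host):
    """Hostname of a URL, or of bare text such as 'www.example.com/orders'."""
    value = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(value).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for anchors a user should not click."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (IDN) hostname, possible homograph of a real name")
        if BARE_IPV4.fullmatch(host):
            reasons.append("link points at a bare IP address")
        if HOSTLIKE.match(text) and host_of(text):
            shown = host_of(text)
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append("text shows %s but href goes to %s" % (shown, host))
        if not is_trusted(host):
            for d in TRUSTED_DOMAINS:
                brand = registrable_domain(d).split(".")[0]
                if brand in host:
                    reasons.append("trusted name %s embedded in untrusted host %s" % (d, host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href, "|", text, "|", "; ".join(reasons))
```

The brand-in-hostname rule is a heuristic and will flag some legitimate third parties that mention the organization’s name, so in practice it should feed a warning banner or a quarantine queue rather than a hard block.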
4. Encrypt, encrypt and encrypt again
If all else fails and a targeted phishing attack succeeds, make the information that the attackers gain access to a challenge to decipher. In other words, encrypting your data protects it when your other security measures fail. One caveat: encryption only helps if the keys stay out of the attacker’s reach. A phished user’s account can usually read whatever that user can read, so keep keys in a separate key-management service, grant decryption rights per application rather than per person, and remember that no amount of encryption stops a BEC wire transfer that an employee authorizes willingly.
Just by reading this blog, you’ve already taken the first step towards keeping your data more secure. Now that you’ve acknowledged the risk, you can act to protect yourself, your business, and your users.