Unless you're an IT professional who lives in Hawaii, most of the time you say the phrase "spear phishing" when you're referring to an email that looks friendly but actually carries malware or a link to a spoofed login page. If you are an IT consultant in Hawaii… well, we're jealous.
Phishing emails are an old form of cyber attack dating back to the early days of dialup and AOL. While there are more sophisticated ways for hackers to attack your clients, phishing persists. In fact, it has become more dangerous in recent years as hackers have refined their methods by targeting specific victims (hence the name "spear phishing").
On this blog, we've reported on the eBay data breach (see "eBay Data Breach Shows Danger of Phishing Attacks on Small Businesses") and a number of other spear phishing-related attacks that have occurred this year. The attacks are dangerous because of their simplicity and ability to target businesses of any size.
By using data from social media websites, spear phishers customize emails to target their victims. They'll figure out what vendors, payroll companies, or other third-party services victims use and send emails that look like they come from one of those trusted sources. In reality, the emails are spoofs, laced with malware that's ready to harvest private data from victims’ networks.
When those victims are your clients, of course, you could be in trouble.
How to Prevent Spear Phishing Attacks
In order to prevent spear phishing attacks, you need to understand not just how they work, but how the attacks have evolved over the last two years. To do this, let's look at some cyber attack statistics from Symantec's 2014 Internet Security Threat Report (PDF).
There's one particular piece of data that tells you everything you need to know: in 2013 there were 91 percent more spear phishing campaigns but 28 percent fewer emails. This indicates that cyber criminals decided that quality is better than quantity.
Since hackers customize spear phishing attacks, they can decrease their spam blasts and launch smaller-scale campaigns. In fact, since 2011, they've attacked fewer large businesses, setting their sights on small and medium-sized companies instead. The share of attacks aimed at small businesses jumped from 18 percent in 2011 to 30 percent in 2013.
This 12 percentage point increase in small-business attacks was mirrored by an 11 percentage point decrease in attacks on large businesses.
The takeaway? The spear phishing we see today is not the phishing of old. Now, hackers take data from social media and other sources to launch targeted, persistent attacks on small businesses.
Teach Clients How to Recognize a Phishing Email
With the 12 percentage point increase in spear phishing attacks on small businesses, IT consultants and project managers should renew their efforts to educate clients about email cyber security. Here are some points you should reinforce with clients as you teach them how to recognize phishing emails:
- Disguised domain names. When you visit a webpage like TechInsurance, the URL begins "techinsurance.com." However, hackers can disguise a URL by putting a trusted name in front of a domain they control. For instance: techinsurance.121212.com looks like it will take you to TechInsurance, but really it takes you to "121212.com." The domain that matters is the one just before the ".com" (or other ending); anything to the left of it is a subdomain that the owner of 121212.com can name whatever they like. Hackers set up spoof websites at these gibberish domains and use them to steal account information.
- Financial emails. Spear phishing emails have one important commonality: they always ask your clients for something. These emails ask clients to reset their passwords, send information, or log in to a certain website. In fact, 71 percent of phishing attacks impersonate financial organizations, like banks and payroll companies. Remind your clients to be extra diligent in these situations.
- Urgent subject lines. Symantec's report shows that the most common words used in the subject line of spear phishing emails are "Order," "Payment," and "Re:" – all titles likely to get people to open.
- Small businesses are in the crosshairs. We've said that 30 percent of all attacks target small businesses, but that doesn't tell you how many businesses are really affected. Don't worry, we have data on that too: 1 in 5.2 small businesses are at risk of being targeted in a spear phishing attack. That means the average IT consultant with 5 or more clients probably has at least one client who's been targeted.
- Spear phishing campaigns last eight days on average. Clients might not understand that a "spam email" is not a one-and-done thing. Cyber criminals send a number of emails over the course of a week, targeting an organization. The reason for this is obvious. After criminals repeatedly ask your clients to send them information, their requests begin to appear legitimate. Your clients think, "Oh, I guess this is a real email because the payroll company keeps sending me personalized requests."
When in doubt about an email's authenticity, clients can always pick up a phone and call the entity that appears to be sending it, using a number they already have on file rather than one printed in the email itself.
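The disguised-domain trick above is easy to check mechanically. The following is an added example, not code from the original post or from TechInsurance: it pulls the registrable domain out of a link (the part someone actually paid to register) and compares it against a trusted list, so that techinsurance.121212.com, techinsurance.com.121212.com and a URL that hides the real host behind an "@" are all flagged as lookalikes. The trusted domain, the 121212.com examples and the short list of two-part endings such as co.uk are assumptions for the demonstration; a production version would load the full Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption for this example):
# endings where the registrable domain is three labels long, not two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# The domain(s) a client actually does business with (assumed here).
TRUSTED_DOMAINS = {"techinsurance.com"}


def registrable_domain(host):
    """Return the part of a hostname that someone registered.

    For "techinsurance.121212.com" that is "121212.com": everything to
    the left is a subdomain the owner of 121212.com can name at will.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(url):
    """Classify a link as trusted, lookalike or unknown.

    Returns (registrable_domain, verdict). A link is a lookalike when a
    trusted brand name appears anywhere in the URL (subdomain, userinfo
    before an "@", or path) but the registrable domain is not trusted.
    """
    if "://" not in url:
        url = "http://" + url          # bare hostnames pasted from an email
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and lowercases, so
    # "https://techinsurance.com@121212.com/" resolves to 121212.com.
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return domain, "trusted"
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if any(brand in url.lower() for brand in brands):
        return domain, "lookalike"
    return domain, "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the post's 121212.com example.
    for link in [
        "https://www.techinsurance.com/quote",
        "http://techinsurance.121212.com/login",
        "techinsurance.com.121212.com",
        "https://techinsurance.com@121212.com/login",
        "https://example.co.uk/",
    ]:
        print(link, "->", classify_link(link))
```

Run as a script it prints a verdict per link; the only link marked "trusted" is the one whose registrable domain is exactly techinsurance.com, regardless of how many familiar-looking labels appear elsewhere in the URL.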
E&O Insurance: How to Cover Your IT Consulting Business from Spear Phishing Liability
Depending on the specific work they do, IT consultants can be liable for preventing data breaches from spear phishing and other email attacks. You'll need to take time to remind clients about their cyber security, using some of the points we outlined above to teach them what a phishing email really looks like.
While it's important to protect your clients, remember to protect your company as well. Errors and Omissions Insurance is an industry-standard way to cover your cyber liability. This insurance covers your business if it's sued after a client data breach or spear phishing attack. Starting at around $80 a month, an IT consultant can get $1 million in IT liability coverage. To learn more, visit our page on the cost of IT Insurance.