What is it?
An attack in which an attacker, typically using email, attempts to trick a computer user into opening web links, entering personal information into a web form or fake website, or taking an action that allows the attacker to obtain sensitive information. Spear phishing targets a specific individual or group of individuals using personal information about them.
Why is it important?
Phishing and spear phishing are the most common attack methods for attackers to gain an initial foothold into an organization or obtain sensitive data.
Why does a business professional need to know this?
Email phishing is one of the most popular methods used by cybercriminals to trick users into taking actions that install ransomware onto their computing devices. In the first quarter of 2016, the cybersecurity researchers at PhishMe Research determined that ransomware accounts for 50% of all phishing email messages.
As of the end of March 2015, 93% of all phishing emails analyzed contained ransomware (PhishMe 2016). In the first quarter of 2016, the number of phishing emails hit 6.3 million, a 789% increase over the last quarter of 2015 (Cofense 2016). Subsequent studies from PhishMe and other researchers continue to show the same trends.
With all the technical and administrative controls in place today, cyberattacks are still growing at an alarming rate:
- 91% of breaches start with spear phishing
- Average time to identify a breach: 146 days
- Average time to contain a breach: 82 days
- Global average cost of a data breach: $4 million (Cofense 2016)
Business professionals looking for a defense must familiarize themselves with the emotional triggers that persuade and convince users to interact with phishing messages.
These emotional triggers can be:
- The promise of a reward for interacting
- The appearance that the message comes from a respected person, such as a family member or a boss
- An appeal to curiosity
Phishing email attacks usually ask the recipient to click a link, enter data in a form, or open an attachment.
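As an added illustration that is not part of the original page, the Python script below shows one way a defender can automatically flag two of the three lures named above: a link whose visible text names one domain while its href points somewhere else (or to a raw IP address), and an attachment with an executable-style extension. The sample message is constructed inline; the addresses, the 192.0.2.10 host, the example.com domains and the file name are made up for the example.

```python
"""Flag common phishing lures in an email message (added example, not from the page)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that commonly carry executable content in phishing attachments.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip"}
DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def find_indicators(raw_message: bytes):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in extract_links(body.get_content()):
            href_host = (urlparse(href).hostname or "").lower()
            match = DOMAIN_RE.search(text.lower())
            text_host = match.group(0) if match else ""  # only if the text looks like a domain
            if IPV4_RE.fullmatch(href_host):
                findings.append(f"link to raw IP address: {href}")
            # Visible text names one domain, href points to an unrelated one.
            if text_host and text_host != href_host and not href_host.endswith("." + text_host):
                findings.append(f"link text shows {text_host} but points to {href_host}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment with risky extension: {name}")
    return findings


def build_sample_message() -> bytes:
    """Construct a made-up message that combines a mismatched link and an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your mailbox is over quota"
    msg.set_content("Your mailbox is full. Open the attached form.")
    msg.add_alternative(
        '<p>Sign in at <a href="http://192.0.2.10/login">portal.example.com</a> '
        "to keep your account.</p>",
        subtype="html",
    )
    msg.add_attachment(b"not really a form", maintype="application",
                       subtype="octet-stream", filename="quota_form.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_indicators(build_sample_message()):
        print("FLAG:", finding)
```

Checks like these catch only the crude cases; a link whose text and target agree, or a lookalike domain, still relies on the recipient noticing the emotional trigger and reporting the message.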
Because humans are the first line of defense against cybercriminals, we must educate our customers and co-workers so they can recognize malicious phishing attempts and report them to the appropriate authority.
- (Dearden 2017) Hackers target Irish energy networks amid fears of further cyber attacks on UK’s crucial infrastructure: Dearden, Lizzie (2017). Independent. Investigative report on how a spear phishing attack targeted senior Irish energy network engineers.
- (Cofense 2016) 2016 Enterprise Phishing Susceptibility and Resiliency Report: Cofense (2016). Examines the factors that lead to successful phishing campaigns and discusses how empowering employees to report suspected phishing incidents affects susceptibility. A 2017 version of this report, which reports similar results, is available at the same website.
- (InfoSec 2016) Top 9 Free Phishing Simulators: InfoSec Institute (2016). Describes several types of phishing simulators designed to help employees detect possible phishing attacks.
- (PhishMe 2016) PhishMe Q1 2016 Malware Review: PhishMe (2016). PDF. Details malware trends recorded in the first quarter of 2016 and warns of dramatic increases in encryption ransomware attacks.
- (Wombat 2018) 2018 State of the Phish: Wombat Security (2018). An analysis of data from simulated phishing attacks. Registration required.
- (Northcutt 2007) Spear Phishing: Northcutt, Stephen (2007). Security Laboratory: Methods of Attack Series.