Steps to Prevent Spear Phishing Attacks
Over the past few weeks, Winxnet Security experts have noticed a rise in spear phishing attacks. Phishing is a method hackers use to gain unauthorized access to company resources. The most common vehicle for a phishing attack is email, but it can also occur by phone or in person. Recently these attacks have become more sophisticated and don’t have bad English, low-quality graphics or obviously suspicious links. Sometimes these messages look identical to legitimate messages, making them more difficult to identify as a hack.
This increased effort and sophistication is a disturbing trend. However, there are always plenty of red flags that a well-trained and vigilant staff can spot. While this post can’t replace the results a business would see from dedicated awareness training from a security professional, here are some of the common attributes of these social engineering messages to help you identify the signs of this type of attack:
- Any time you read ‘wire money’, stop. It is very likely a scam.
- Urging you to communicate only via email, with excuses for why no personal contact is possible.
- Email address. The hacker must receive the reply message, so the “From” or “Reply-To” field will not be the real one. Watch the spelling of the domain name, as sometimes the differences are subtle.
- SUBJECT IN ALL CAPS. The goal of the attacker is to make the message sound more urgent; this, especially if combined with a call to action, is a definite reason to doubt the message’s validity.
- Bad grammar and excessive use of exclamation points.
- Lack of the ‘normal’ look and feel of an internal message (not a reply in a thread, no signature, etc.).
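Several of the red flags above can be checked mechanically from a message's headers and text, which is useful as a first-pass triage filter alongside staff training. The sketch below is an added example, not Winxnet's tooling; `TRUSTED_DOMAIN`, the phrase pattern, the thresholds and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sample message (not real mail).
SUSPICIOUS = """From: "CEO" <ceo@examp1e.com>
Reply-To: ceo.office@mail-example.net
Subject: URGENT PAYMENT NEEDED TODAY

I am in meetings all day and cannot take calls. Please wire money to the
new vendor account now!!! Reply by email only!
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domain spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def red_flags(raw_message):
    """Return the checklist red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if re.search(r"\bwire\s+(the\s+)?(money|funds)\b", body, re.I):
        flags.append("wire-money")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")  # replies go somewhere else
    others = {from_dom, reply_dom} - {"", TRUSTED_DOMAIN}
    if any(edit_distance(d, TRUSTED_DOMAIN) <= 2 for d in others):
        flags.append("lookalike-domain")   # subtle misspelling of our domain
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 5 and all(c.isupper() for c in letters):
        flags.append("all-caps-subject")
    if (subject + body).count("!") >= 3:
        flags.append("excess-exclamation")
    return flags
```

A message that trips none of these checks is not thereby safe; the flags only prioritize which mail a person should look at first.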
The best defense for this type of attack is user education. Almost all security issues begin with human error. Computers don’t make mistakes, people do. Businesses of all sizes need to build their information security program now to help keep employees involved and educated about IT security.
If you feel as though you don’t have a strong understanding of IT Security and how to build an information security program, then it’s time for a conversation with our Managed Security Services team.