Do you have a spear-phishing problem? More importantly, would you even know if you did? And how would you deal with an incident? I ask these questions because the number of spear-phishing attacks continues to rise and the tactics used by attackers are evolving to become ever more targeted and to evade even the best of defenses.
Yet I still see an alarming level of naivety and complacency about the threat that spear-phishing poses to organisations. Many people still think of the threat as just the stereotypical scam phishing emails that are picked up by email security gateway filtering.
Targeted attacks on the rise
The reality is very different. Recent Barracuda research looked at more than 2.3 million spear-phishing attacks targeting 80,000 organisations worldwide over three months last year. It shows that targeted spear-phishing attacks are growing in volume and complexity, as is the impact they have on businesses. In particular, there is an increase in more targeted and subtle tactics such as brand impersonation, conversation hijacking and business email compromise (BEC).
BEC, where hackers impersonate an employee, vendor, or other trusted individual, is one of the fastest-growing spear-phishing tactics. These rose from 7% of all spear-phishing attacks to 12% at the end of 2020. Usually, the goal of these attacks is to establish trust and get a response from the victim rather than just getting them to click on a malicious URL – as shown by the fact that only 30% of BEC attacks include a URL.
Once inside, the hacker can use a compromised email account to communicate legitimately around that organisation and convince people to take action on items, such as transferring money to a bank account controlled by the attacker.
Inside a spear-phishing incident
Take the example of a company I went to see that was convinced it absolutely did not have a spear-phishing problem. No way, not at all, not us. Using our email threat scanner we found some alarming results that showed the true scale of the company’s problem.
A company email account had been compromised by a spear-phishing attack several months earlier. The attacker then sat within that email account and interacted undetected with suppliers to have invoices paid to different bank accounts. The attacker had managed to get into over 15 different email accounts within the company through lateral movement – where an attacker uses a compromised email account to target other users internally within an organisation. These attacks are especially difficult to detect because they come from internal, legitimate email accounts and appear to be from a trusted colleague.
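The incident above has two tell-tale patterns a defender can look for in mail metadata even when the sending account is genuinely internal: invoice or bank-detail changes sent with a Reply-To pointing outside the organisation, and a burst of first-ever messages from one mailbox to colleagues it has never emailed before (the lateral movement described here). The script below is an added example, not Barracuda's scanner or any product code; the `Message` fields, the `example.com` domain, the phrase list and the fan-out threshold are all assumptions, and the baseline and "recent" message sets are constructed to show the heuristics firing.

```python
"""Triage heuristics for spear-phishing sent from a hijacked internal mailbox.

Added example (not the page's or Barracuda's code). Runs offline over a
CONSTRUCTED list of message-metadata records; field names are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
FANOUT_THRESHOLD = 3              # assumption: new internal recipients per window
FANOUT_WINDOW = timedelta(hours=2)
# Phrases typical of invoice-redirection requests (assumed; tune to real mail flow)
PAYMENT_PHRASES = ("new bank account", "updated bank details", "change of bank",
                   "remittance", "pay to the following account")


@dataclass
class Message:
    msg_id: str
    ts: datetime
    sender: str
    recipient: str
    subject: str
    body: str
    reply_to: str | None = None


def domain(addr: str) -> str:
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def triage(baseline: list[Message], recent: list[Message]) -> dict[str, list[str]]:
    """Return {msg_id: [reasons]} for recent messages from internal senders that
    look like they come from a compromised account. `baseline` is known-good
    history used to learn which sender/recipient pairs are normal."""
    known_pairs = {(m.sender.lower(), m.recipient.lower()) for m in baseline}
    findings: dict[str, list[str]] = defaultdict(list)
    # Per sender: (timestamp, recipient, msg_id) of first contacts with colleagues
    first_contacts: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)

    for m in sorted(recent, key=lambda x: x.ts):
        s, r = m.sender.lower(), m.recipient.lower()
        if domain(s) != INTERNAL_DOMAIN:
            continue  # external senders are the gateway's job; this is the internal view
        # 1. Internal sender, but replies are steered to an outside mailbox
        if m.reply_to and domain(m.reply_to) != INTERNAL_DOMAIN:
            findings[m.msg_id].append(f"external reply-to {m.reply_to}")
        # 2. Language of an invoice / bank-detail redirection
        text = f"{m.subject} {m.body}".lower()
        if any(p in text for p in PAYMENT_PHRASES):
            findings[m.msg_id].append("payment-redirection language")
        # 3. Fan-out to colleagues this sender has never emailed before
        if domain(r) == INTERNAL_DOMAIN and (s, r) not in known_pairs:
            first_contacts[s].append((m.ts, r, m.msg_id))
            window = [c for c in first_contacts[s] if m.ts - c[0] <= FANOUT_WINDOW]
            if len({c[1] for c in window}) >= FANOUT_THRESHOLD:
                reason = "lateral fan-out to new internal recipients"
                for _, _, mid in window:
                    if reason not in findings[mid]:
                        findings[mid].append(reason)
    return dict(findings)


# --- constructed sample data -------------------------------------------------
T0 = datetime(2021, 3, 1, 9, 0)
BASELINE = [  # alice's normal history: one colleague, one supplier
    Message("b1", T0 - timedelta(days=10), "alice@example.com", "bob@example.com", "lunch", "12?"),
    Message("b2", T0 - timedelta(days=9), "alice@example.com", "supplier@vendor.test", "PO 41", "attached"),
]
RECENT = [  # after alice's mailbox was taken over
    Message("r1", T0, "alice@example.com", "supplier@vendor.test", "Re: PO 41 invoice",
            "Please note our updated bank details for this remittance.",
            reply_to="alice.accounts@mail-relay.test"),
    Message("r2", T0 + timedelta(minutes=5), "alice@example.com", "carol@example.com", "Doc", "see link"),
    Message("r3", T0 + timedelta(minutes=7), "alice@example.com", "dave@example.com", "Doc", "see link"),
    Message("r4", T0 + timedelta(minutes=9), "alice@example.com", "erin@example.com", "Doc", "see link"),
    Message("r5", T0 + timedelta(minutes=15), "alice@example.com", "bob@example.com", "lunch", "1pm"),
]

if __name__ == "__main__":
    for mid, reasons in triage(BASELINE, RECENT).items():
        print(mid, "->", "; ".join(reasons))
```

On the constructed data, r1 is flagged for both the external Reply-To and the bank-detail wording, r2 to r4 are flagged together once the third never-before-seen colleague is contacted inside the window, and r5 (a routine message to a known contact) is not flagged. In production the baseline would come from weeks of real sent-mail logs and the phrase list from your own finance process, and each flag is a reason to pull the mailbox's audit trail, not a verdict on its own.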
It’s an example of how spear-phishing can have a big impact on the business, and this is by no means an isolated incident.
How to respond and tackle the threat
The all-important question is how best to defend against this increased spear-phishing threat and how to respond to incidents that will inevitably evade defences and creep in under the radar. The fundamentals are good inbox defence and incident response but there are three other critical elements:
- Zero trust network access control
The purpose of a zero trust environment is to limit the scope of what or who can access your environment. Having zero trust access control means that even if an email account is compromised by a spear-phishing attack, a hacker can’t use that account as a springboard to other accounts and parts of the organisation. This means not just access control to your internal network but also to your cloud applications, such as Microsoft Office 365, which is essentially wide open to the world unless you tie it down with proper controls.
- Multiple layers of email security
Defence in depth is a commonly used term but it is one of the most effective ways to tackle these threats. For email, this includes the all-important email security gateway as well as newer tools such as inbox defence and spear-phishing protection. A lot of organisations still don’t have those additional layers or are under the misconception that their email security gateway does it all (it doesn’t, by the way).
- Security awareness training
Your staff are a key part of your security defences, so make sure they are aware of spear-phishing risks and have them top-of-mind every day. Train staff to recognise and report attacks and to understand the impact they can have on the organisation. Don’t treat security awareness training as a once-a-year box tick. You need to be continuously educating staff and putting them through simulated attack exercises, as well as maintaining general awareness through posters on walls and banners on corporate intranets.
Steven Peake is a technical engineer at Barracuda, where he engages with end-users and partners to deliver solutions to solve their business security and data protection needs. Steve has worked in IT for over 16 years, 10 of these in senior IT management roles delivering support, infrastructure and security services for a UK-wide group of companies, including performing outsourced services to the legal and insurance sectors as well as the NHS.