IT Technology

Spear Phishing: What it is and How to Stay Safe

Written by James Mawson

Are you sick and tired of your email address being smashed with obvious scam attempts?

You know the ones I mean. They claim to be from someone reputable – like eBay or Netflix – and try to get you to click a dodgy link by offering some kind of generous reward or warn of some immediate physical or financial danger.

You can spot most of these scams on first glance because they pretend to come from businesses you have no dealings with.

But even when you do, you tend to notice when they don’t greet you by name, but with something like “dear customer”. That’s usually enough to make you suspicious enough to look closely at the email address and see that it’s from a completely different domain.

These obvious attempts to scam your passwords are annoying as all hell.

And yet, some of the newer and more sophisticated email scams are so diabolical, you could almost feel nostalgic for the old ones.

It’s Called Spear Phishing and It’s Fiendish

These old-school email scams might not fool all that many people, but the scammers made up for it by blasting far and wide. If it took a million emails to score a hit, then that’s how many they’d send.

But the general public has gotten a lot more sophisticated at spotting bulk email scams, and spam filters have become more and more aggressive about filtering out bulk email.

Spear phishing turns this scam upside down. Instead of blasting the same email at a zillion addresses, the scammer carefully researches an individual and constructs a custom-tailored email just for them.

If all that a scammer can learn from you is your name, that’s still a very persuasive way to convince you that an email is legit. After all, that “dear customer” is usually the first thing to make you suspicious.

But spear phishers can go a lot further than this. They can research your social profiles and your marketing to figure out who you are and what you do to come up with the perfect bait – the ideal client, an invoice you are owed, or a resume for a job you just advertised. They can even impersonate your real-life customers and business associates.

These emails can be so difficult to spot that sometimes even security professionals get stung. And the more successful you are in business, the more likely you are to be targeted.

What Can Go Wrong Here?

Spear phishing works by tricking someone in the office to open an attachment or to click on a URL.

Most of the time, the aim here is to infect you with malware, such as a ransomware that encrypts all your data, or a cryptojacker that sends your power bill through the roof by hijacking all your processing power to mine bitcoins.

It can also be a way to direct you to a fake login page to harvest passwords or credit card details.

Others are looking for remote access to your machine to steal your data or log your keystrokes, perhaps for use in a more elaborate scam, such as financial fraud or identity theft.

How to Prevent Spear Phishing

The harsh truth is that there’s no 100% foolproof way to protect against these attacks. But with the right systems in place, you can defuse at least 99%.

In some ways it’s a lot like how retail stores handle loss prevention – it’s pretty much impossible to make a shop completely unstealable – but it still makes a huge difference to be more difficult than other shops nearby.

Forewarned is Forearmed

The more sophisticated your office is with security, the more savvy they’ll be with email attachments and hyperlinks. That’s one reason why cybersecurity basics should be part of any small business’s IT training.

Security training is especially crucial for your soft targets: staff who handle external correspondence as an ordinary part of their duties. This will include anyone dealing with recruitment, sales, customer service, business development, account management, publicity and so on.

If your security training isn’t up to date, it might not include anything about spear phishing. This means it needs to be updated.

Email Sandboxing

So what’s “sandboxing”? It sort of sounds like it might be crude slang for making someone cranky.

It’s actually about filtering out emails with malicious links or attachments. Sandboxing software opens attachments in a safe environment and pays attention to whether or not it does anything dodgy.

There’s always a bit of an arms race going on here – security professionals find new ways to catch the bad guys, who then develop new tricks to get past the filters. So be sure your sandboxing software is regularly updated.

Minimising the Damage of Successful Spear Phishing

With these systems in place, you should be able to go a long time without getting stung. The longer you can go, the better – interruptions and downtime are always a cost.

But even with the best training and most up to date software in the world, you can never completely rule out the possibility that, at some point, someone in the office will click something they shouldn’t.

Whether this is an annoyance or a catastrophe depends on your preparations.

Spear phishing can carry all sorts of nasties, so the right protection will depend on the payload.

Have an External Password Policy

Let’s face it: getting your social profiles hacked is a massive pain. It gets so much worse if your attacker can use the exact same login details to get into your PayPal account.

That’s why your external password policy should insist on strong, unique passwords.

Remembering a completely unique password for every single website you join is, of course, completely impossible. That’s especially true when you’re signing up for things with no real idea whether or not you’ll ever want to use it again. This is where can make sense to use a password manager.

Regular Security Scans

If you’ve been hit by cryptojacking, key tracking or remote access trojans, it helps to discover them as soon as possible.

At a home office level, it’s probably enough to just run antivirus software and perhaps perform a malware scan every month or so. If you’ve outgrown the home office, it’s time to get your IT guy to keep an eye on the whole network.

Where a lot of businesses get this wrong is by engaging their IT tech on a “we’ll call you when we need you” basis. Because these nasties don’t loudly announce their arrival, there’s nothing to prompt you to make that call. This means they can lurk indefinitely and do the most damage.

Lock Down Permissions

One thing that really makes the difference between a mishap and a meltdown is how much of your network a malware attack can reach.

In the worst case scenario, all your network permissions are open, meaning every part of the network will be accessible by every program run by every user at all times.

This means ransomware has the opportunity to scramble everything – it might even get to your onsite backups on a network drive, making recovery that much more difficult. Or a remote access trojan installed by a junior employee could give a hacker access to your customer database, your password files, your financial information or your trade secrets.

But it doesn’t need to be like this. Most staff don’t need a user account with access to the entire network just to do their job – in fact, they don’t even need access to everything on their own machine.

Be sure your IT guy has configured permissions appropriately across your network to limit the damage done by any malware that sneaks through.

Backups and Disaster Recovery

Many spear phishing emails are an attempt to infect you with ransomware: malicious software that scrambles all your data and demands a payment for the code to get it back.

Nothing takes the sting out of this scam like adequate backups and a disaster recovery process that actually gets tested.

It’s a Big Bad World Out There

If you’ve followed along this far, you might be feeling a bit overwhelmed by all the ways a single email could ruin your week. And you know what? It probably doesn’t hurt to be a little bit paranoid about it.

But with the right systems and smarts, this is definitely a risk that can be managed. Make sure that spear phishing is included in your business’s IT security strategy.

“The opinions expressed by BizWitty Contributors are their own, not those of BizCover and should not be relied upon in place of appropriate professional advice. Please read our full disclaimer."

About the author

James Mawson

James Mawson is a technology, business and marketing nerd and a co-owner of DXM Tech Support, an IT support team based in Melbourne.