You are the managing director or the chief financial officer of a blue-chip company. You are working at your desk at the corporate HQ, anxiously waiting to receive your company's statement of account.
Perhaps you need it for official documentation, or to prepare your next quarterly review, a critical report that the board of directors and your demanding shareholders are expecting. Then the anxiety ends: you receive an email alert that says:
“Dear XXX, Thank you for your understanding. Here is your statement of account. Please download it to get access to the document.”
You have done this several times before and it was always a normal experience. But what you have just done has cost thousands of people millions of dollars in "ransom" paid to attackers who take over computer systems, lock the owners out, and then demand a ransom payment before they will send a decryption key to unlock the data.
This is called a spear phishing attack. If you still find it hard to believe how this is done, first thank your stars that neither you nor anyone responsible for your company's data and file repositories has yet been a victim. The severity of this type of attack has been experienced by more than 300,000 people around the world. Their agonies are rarely made public, because such events unfold so suddenly that the victims are thrown into confusion. They scramble from pillar to post to raise the money to pay their attackers, just to regain access to their critical data, because their livelihoods and their businesses depend on it.
Spear phishing attacks happen in a simple but deceptive manner. Unlike a random phishing attack, spear phishing targets key people in an organisation: the managing director, the chief financial officer, the chief technology officer, the human resources director. To do this, attackers now piece together a victim's offline activities to determine the angle and how to craft the email message.
So who is more susceptible to spear phishing?
Technically, anyone can fall victim. It does not really matter who you are or what you do. A Cloudmark survey finds that spear phishing is now an "endemic scourge: 95% of US and 83% of UK said that they have experienced spear phishing attacks."
The consequences of spear phishing have been devastating: "high financial losses—$1.6 million on average—are only part of the story; other respondents experienced loss of reputation or even customers, drop in stock price or other negative effects. In some sectors, more than half of respondents (55%) suffered a loss of customers; in others, almost half (47%) suffered a financial loss."
So what is a possible solution to this menace?
Some companies deploy anti-spam and anti-virus technology, which can be effective in blocking some kinds of generic phishing. Secure web gateways or URL filtering solutions help protect users from malware delivery, for example fake bank or webmail login pages hosted on hacked domains, and secure email gateways with file sandboxing can catch malicious attachments before they reach the inbox.
What is much harder to protect is people's judgement, especially now that spear phishing attackers research their victims before taking the attack into the digital space. Against this, all hands must be on deck. Managing directors need to work closely with IT managers, and people need to discuss suspicious emails before clicking download. As attackers become analogue and offline in their strategy, we all need to stop thinking only in digital terms: if you would refuse to talk to a stranger on the street, then you should be able to doubt most of the emails and documents that flood your inbox every day.
Featured image: niiconsulting.com