Many cybercriminals still send phishing emails indiscriminately and wait for responses. Targeted attacks, or spear phishing, are more profitable, however. Microsoft reports that spear-phishing attacks doubled in a year, from 0.31% of email volume to 0.62% as of September 2019.
Spear-phishing campaigns are fewer in number, but they are highly effective because they focus on specific employees. Even security-aware employees have a hard time recognizing the messages, and executives, IT staff and cybersecurity personnel regularly fall victim to them. The emails are custom-made for a specific individual or small group within a company: they are usually addressed to the recipient by name, appear to come from a trusted individual, and typically lack the tell-tale signs of a mass phishing email.
Spear-phishing attacks are also more valuable because some credentials are worth more than others. Campaigns frequently target Office 365 administrators, because an admin account gives the attacker access to the whole email system and the large volume of sensitive data it holds. With admin credentials, attackers can create new accounts on the domain and use them to send further phishing emails. Because only the attacker uses these accounts, no legitimate user is around to notice the malicious email activity, so it is less likely to be discovered.
Spear phishers also target the credentials of executives, which can be used for business email compromise (BEC) attacks, and of personnel with access to bank accounts, which can be used for fraudulent wire transfers. They gather information on their targets from social media and company websites, work out their relationships with colleagues and departments, and then impersonate other individuals in the company. A whaling attack, which goes after the biggest target in the firm, is often preceded by compromising other company email accounts through phishing, so that the final message can be sent from a genuine internal mailbox. Spear-phishing emails look professional and credible, and end users rarely recognize them.
Although these spear-phishing emails are hard to recognize, healthcare companies can do the following to lower the risk:
Employee education – Everyone in the organization who uses email must undergo security awareness training. The CEO and other officers must be trained as well, since they are the targets of spear-phishing campaigns. Anyone with access to highly sensitive information or corporate bank accounts should receive considerably more training, in particular role-specific training that addresses the threats they are most likely to encounter.
Employees should be trained to verify the real sender of an email and to examine the actual sender address, not just the display name, to ensure it is legitimate. Phishing emails usually convey a sense of urgency and a "threat" if no action is taken (for instance, closure of an account). They often contain out-of-band demands that violate company rules, such as fast-tracking a payment, sending unusual information by email, or skipping the normal validations or procedures. The messages frequently include odd expressions or inconsistent wording.
Reporting system and validation policies – There should be a fast channel for reporting suspicious emails to the security department. Spear-phishing campaigns are often sent to several important individuals in a department at the same time, so warning peers about such messages helps. Policies should require validation before any substantial bank transfer, such as confirming unusual requests by phone using a number already on file rather than one supplied in the email.
Technical controls – An advanced spam filtering solution can help identify and block attacks. Deploy email authentication (SPF, DKIM and DMARC) for your own domains and consider a third-party add-on for Office 365 that provides attachment sandboxing and malicious URL analysis. Multi-factor authentication is just as essential: Microsoft reports that MFA blocks more than 99.9% of account compromise attacks, because a stolen password alone is no longer enough to log in.
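The sender checks described under employee education and the SPF/DKIM/DMARC verdicts mentioned under technical controls can also be automated at the mail gateway. The following Python script is an added example and is not from the original article or any vendor product: it parses a raw message, flags a lookalike sender domain, a Reply-To pointing at a different domain, failed authentication results, and the urgency and out-of-band phrases listed above. The trusted domain `example-health.org` and both sample messages are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains the organization legitimately sends from (assumption for this example).
TRUSTED_DOMAINS = {"example-health.org"}

# Phrases associated with spear phishing: urgency, threats and out-of-band demands.
URGENCY_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
    r"\baccount will be (closed|suspended)\b", r"\bwire transfer\b",
    r"\bdo not (call|discuss)\b", r"\bconfidential\b",
]

# Constructed sample: CEO impersonation from a lookalike domain ('1' instead of 'l').
SAMPLE_SPEAR_PHISH = """\
From: "Dana Lee (CEO)" <dana.lee@example-hea1th.org>
Reply-To: dana.lee.ceo@mail-relay.example.net
To: finance@example-health.org
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-hea1th.org; dkim=none; dmarc=fail header.from=example-hea1th.org
Date: Mon, 16 Sep 2019 08:12:00 +0000

Please process the attached wire transfer immediately. I am in a board
meeting, so do not call. This is confidential; bypass the usual approval.
"""

# Constructed sample: a genuine internal message that passes every check.
SAMPLE_LEGIT = """\
From: "Dana Lee" <dana.lee@example-health.org>
To: finance@example-health.org
Subject: Q3 budget review
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org; dmarc=pass header.from=example-health.org
Date: Mon, 16 Sep 2019 09:00:00 +0000

Attached is the agenda for Thursday's budget review.
"""


def lookalike_domain(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None if it is genuine.

    Catches one-character substitutions (hea1th vs health) and domains that
    embed a trusted name (example-health.org.evil.net)."""
    if domain in trusted:
        return None
    for t in trusted:
        if t in domain:
            return t
        if len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1:
            return t
    return None


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the gateway's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Look past the display name at the real sender address and its domain.
    _display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    target = lookalike_domain(from_domain, TRUSTED_DOMAINS)
    if target:
        findings.append(f"lookalike sender domain {from_domain} (imitates {target})")

    # 2. Replies silently redirected to an attacker-controlled mailbox.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} uses a different domain than From")

    # 3. SPF/DKIM/DMARC verdicts recorded by the receiving mail gateway.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")

    # 4. Urgency, threats and out-of-band demands in subject and body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        findings.append(f"{len(hits)} urgency/out-of-band phrases")
    return findings


if __name__ == "__main__":
    for label, sample in (("spear phish", SAMPLE_SPEAR_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(sample) or "clean")
```

The authentication verdicts come from the receiving gateway's own Authentication-Results header, which is only trustworthy when the gateway strips any such header arriving from outside; the lookalike test is deliberately simple and would be replaced in production by a full edit-distance and homoglyph comparison against every domain the organization owns.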
Cybercriminals use spear phishing to gain a foothold in companies, and a successful campaign usually allows them to launch further attacks. Spear phishing is a serious threat, and organizations must take the required steps to combat it.