Cybersecurity is one of the biggest concerns for companies in 2022. Global executives are more concerned about cyber threats like ransomware and data breaches than supply-chain disruptions, natural disasters or the COVID-19 pandemic, according to the Allianz Risk Barometer. For the second time in the survey’s history, cyber threats topped the list of major business concerns, with 44% of respondents prioritizing the issue.
While cyberattacks aren’t always preventable, IT teams and executives can train their employees to spot the most common threats — which include phishing and spear phishing — and stop them from impacting the business. Read on to learn more about these two threats and how to avoid them.
Phishing is one of the most common ways cybercriminals gain access to personal data and company information. According to Verizon’s “2021 Data Breach Investigations Report,” phishing was the top action taken by criminals to gain access to data — outranking such ubiquitous methods as stealing credit cards and using ransomware. Phishing also saw the highest growth rate during the pandemic compared to other cyber threats.
Phishing and spear phishing are common because they are effective and easy to launch. Even an entry-level employee can introduce a threat to a company by clicking on a bad link. Every IT team and employee needs to know the difference between these two threats.
Phishing is a cybersecurity threat that occurs when hackers pretend to represent a trusted vendor or potential organization. An employee will receive a phishing email that looks like it came from a trusted organization. The email usually encourages the employee to click on a link, which will either download ransomware or give the hacker access to company files.
Hackers are getting better at making phishing emails look legitimate. However, the email format might be slightly off — there may be spelling errors or confusing phrasing that can alert the employee that the email isn’t genuine. The recipient should delete the email and report the phishing attempt to the IT department to stop the attack.
Spear phishing is a subset of phishing that employs more-focused social engineering tactics. Essentially, a cybercriminal will target a specific person or company with attacks. The attacker might research the individual they’re trying to phish and carefully craft an email or text message based on the target’s interests or behavior.
With companywide spear phishing, hackers may try to make the messages appear as if they came from reputable sources, such as the CEO, the human resources department or even the IT department. The goal is to make the message seem as legitimate as possible so the recipients click on harmful links.
There’s a higher threat level than spear phishing, called whaling, where hackers take a narrower approach and target members of the C-suite. The goal is to gain access to personal or company finances and confidential information that can be held for ransom.
The main difference between phishing and spear phishing is the audience. With phishing, hackers might send the same email to thousands of individuals at hundreds of companies. With spear phishing, one company or individual is targeted.
For example, a phishing email could promise a free security evaluation from a seemingly reputable IT source. Employees would theoretically trust the brand name and click the link. With spear phishing, the email might address a specific employee or seem as if it came from an internal source in the organization.
Human error is one of the main reasons phishing and spear phishing attacks are effective. One of the best ways to prevent these threats is to teach employees how to identify and avoid suspicious emails. Some common red flags to look for are:
If an employee is unsure about an email, encourage them to send it to the IT department. Additionally, the employee can look up the sender’s contact information on a reputable search engine and call or email them to make sure it’s legitimate.
Spear phishing prevention is a long-term process. You must constantly train employees to avoid these scams and have a capable IT department to support your staff. By hiring IT professionals with relevant education and credentials — like a Bachelor of Science in Cybersecurity or a Master of Science in Cybersecurity — you can better protect against incoming threats.
One of the most important things to convey to employees is that they should immediately report any suspicious activity — even if they fall for the scam. If an employee hides their error out of shame or fear, cybercriminals have a better chance of gaining access to accounts because the IT department won’t know to stop it.
The first thing employees need to do when a company experiences a phishing breach is to change all login credentials to prevent further data loss. This includes passwords and, potentially, usernames. There must be a complete reset across the company and for all accounts.
The IT department can then investigate the phishing attack to assess damage. They will determine which files have been breached and what access to information the hackers have. The amount of cleanup depends on how far the hackers got within the system. The IT department will also check for malware or ransomware that hackers might have installed in the computer systems.
Finally, it may be necessary to report the attack to regulatory bodies. If your company handles sensitive information (like patient data), you may be required to report the phishing attack to law enforcement or your local and state government.
Many of the same cleanup efforts after a standard phishing attack also follow a spear phishing incident. However, the investigation process may be longer as the IT department learns how the hackers accessed the company’s email information. It’s important to understand how the cybercriminal impersonated a vendor or employee effectively.
Phishing and spear phishing are crimes that affect companies of all industries and sizes. Ensure your business is protected by training employees and maintaining a strong IT infrastructure.
Whether you’re seeking to gain a basic understanding of cybersecurity or you’re a working professional looking to expand your skill set, University of Phoenix offers online course collections, bachelor’s and master’s degrees in cybersecurity and more.
April 29, 2022 • 7 minutes