Spear phishing is becoming more and more common. Therefore, it is very difficult to always see through these fake messages. This is already clear when you know the difference between phishing and spear phishing. In your organization, does everyone know about the phenomenon and are your employees able to recognize suspicious messages?
Phishing has been around much longer than spear phishing. In any form of phishing, the goal is to get hold of certain information through a misleading message that at first appears to be trustworthy. However, when the recipient clicks on the attached attachment or link, malware is installed on the PC, infecting the corporate network. Another possibility is that the link takes the victim to a website which again appears to be trustworthy. When the victim logs in there, the hackers obtain passwords, credit card details, identity data or other sensitive information which they sometimes sell to criminal organizations.
Plundered bank accounts?
In this way, hackers also manage to plunder bank accounts via phishing. According to figures from Febelfin, the interest group for the financial sector, around 67,000 fraudulent transactions were carried out via phishing in 2020, for a total amount of around 34 million euros. And that is only 25% of the potential damage, because more than 75% of the transfers are not included because they were reversed in time.
The difference between phishing and spear phishing
As people become less likely to be fooled, hackers are coming up with new tactics that are even harder to see through. Thus, spear phishing is actually an even more cunning form of phishing. The difference between is that phishing messages are sent en masse to a large group of recipients at once, while spear phishing emails are very specifically targeted to one person.
For example, a phishing email may appear to come from a telecom provider and ask for a payment to be put in order. Normally, only a small number of recipients will click on the link in the message. Those who are not customers of the telecom company in question may find it easier to see through the fraud attempt.
The best-known phishing tactics: do you recognize them all?
About 91% of all security breaches start with a phishing e-mail. Phishing tactics are becoming increasingly sophisticated, often making it very difficult to recognise suspicious messages.Download eBook
In spear phishing the cybercriminals aim all their arrows at one target. They very carefully select someone who is, for example, responsible for bookkeeping at a company. Via social media and other online information they find out enough to compose a more personal, and therefore more convincing fake message. They find out, for example, that the company is in the process of being taken over and ask to transfer money as part of that.
Depending on the target of the messages, we sometimes speak of "whale phishing". In this case someone is targeted who has a management position, such as the financial director or the CEO. There too, 'social engineering' ensures that the misleading message does not arouse suspicion. In some cases, the cybercriminals using whale phishing are primarily looking for company secrets. The consequences for the company can therefore be disastrous.
How do you protect your organization from spear phishing?
Spear phishing is much more likely to be successful than 'normal' phishing messages - research figures suggest a 30% success rate compared to 3%. Experience has also taught us that, in principle, anyone could fall for such a fake message, because they are so cleverly tailored to the victim. As a company, purely technical IT security is therefore not enough to protect you against spear phishing. The problem primarily requires efforts in the area of IT behavior.
Make IT users aware of the dangers
Not throwing personal information online for grabs is good advice anyway. In addition, organizations can train their employees to recognize suspicious messages. Use a service provider that sends out fake messages for you at regular intervals to test how alert IT users are. By switching up a level each time with messages that are increasingly difficult to recognize as fake, you strengthen the front line in your IT defenses.