Spearphishing is the newest and most successful type of hacking attack being deployed against American companies. A variant on the traditional phishing attack, in which spam email is sent out randomly with fraudulent offers (popularly, to act as a local agent for a Nigerian prince, with promised riches as a reward), spearphishing attacks are more crafty.
Armed with what they can gather through public sources (probably through the target’s helpful and customer-friendly business website), along with some judicious social engineering, hackers can put together plausible business email messages in passable English, and send them from apparently legitimate internal, partner, or customer accounts.
This may be done through traditional password hacking to gain access to those accounts, or more commonly, by setting up a domain name that is one letter off from the original. For example, when people see lBM.com instead of IBM.com, few will notice the numeral l in the fake site.
When they receive such apparently legitimate messages, staff does what they are trained to do: they helpfully execute on requests to the extent allowed by corporate policy. That corporate policy, however, can be one of your most effective defenses against spearphishing attacks.
Putting basic controls in your procedures for dealing with the targets of spearphishing attacks is good practice. You can erect defenses that will be effective, regardless of the attack vector, by changing how your internal controls function for sensitive matters like financial transfers, information disclosure, or IT systems changes.
One of the most basic of these policy changes may simply be to require two staff to sign off on every sensitive request. Two employees are more likely to spot a suspicious message than one; requiring multiple sign-offs for access requests, money transfers outside the business, or other sensitive operations means every request gets twice the scrutiny.
Another policy change you can implement is the use of checklists and formal documentation in responses to sensitive requests. Most phishing attacks no longer work, simply because people are aware of them. Any message that comes in with slightly broken English or an unfamiliar address immediately brings a scam to mind.
Because spearphishing is not yet as widely known, the suspicion is not automatic. If your industry is likely to be targeted, provide employees with checklists requiring them to think twice about, and evaluate, messages with sensitive requests. Having to tick a box that says, “Look carefully at source address” may sound silly, but they will at least consider the possibility that the message source may not be legitimate.
It’s also good practice to have staff copy other people in the office when responding to this type of message. In one recent case, an executive’s secretary initiated a funds transfer in response to a spearphishing message that was supposedly from another executive in the same company. A simple copy of the correspondence, sent as a matter of formality to that other executive’s secretary, would have uncovered the scam in an instant.
There are no silver bullets in any hacking defense, but policy remains one of the best ways to safeguard your organization against every type of hacking, regardless of the technical details.