
Spear phishing

01 Nov 2010

You have probably heard about ‘phishing’ attacks, in which cyber criminals attempt to penetrate a business network to steal valuable information. ‘Spear phishing’ is a more recent phenomenon, in which a specific company, or individual members of its staff, are targeted. If your company has developed a unique product with serious money-earning potential, you could be the subject of a spear phishing attack, and you need to take special precautions.

What the phisher is trying to do is penetrate your computer network, and a common way of doing this is to entice you to let them in. They start by looking at the names and email addresses of employees, which are often listed on company websites. Social networking pages, whether run by the business or by individual employees, are also favoured. They may even begin with a phone call, in the guise of a potential customer seeking information (this is known as ‘vishing’, or ‘voice phishing’).

The next step is to start sending emails to their ‘targets’. These may contain attachments with special offers, or links to places where useful information can supposedly be obtained. The aim is to get those attachments and/or links opened inside the company firewall; the malware they contain can then be downloaded onto the employee’s computer, creating a gateway to the server. Phishers can be quite patient and subtle in their approach, taking time to build a rapport with the unsuspecting employee. But once in, they work quickly, lifting information wholesale with a view to selling it to the highest bidder before the breach is detected.

The way to foil such attacks is twofold. Firstly, if your data is sensitive and valuable, you need to protect it appropriately. If you are still managing your own server security, it may be time to graduate to a managed security system maintained by experts, who can monitor it for possible intrusions and keep protection up to date.
The second, but no less important step, is to educate staff about requests for information from previously unknown sources. Any such approaches should be checked for their bona fides before any information is given out. Extra care should be taken with incoming emails, and software that scans attachments and links should be mandatory.