
Know Your Phish: 4 Keys to Combating Spear-Phishing Campaigns

1 v. 100,000,000,000: The Odds Favor Phishing (But They Don't Have To)

By Dave Herman
May 4, 2016

One hundred billion: it’s a staggering number that is tough to put in perspective.  There are approximately one hundred billion stars in our Milky Way Galaxy and one hundred billion neurons in a human brain.  That’s also the number of spam emails sent out – each day.  While the vast majority of spam emails can be caught by automatic email filters, many reach their intended target and can serve as the basis for a malicious attack that attempts to gain access to a business’s sensitive data.  When these emails reach employees, they may appear to be legitimate requests to provide sensitive data or passwords to access that data.  Earlier this month, both Experian and the Internal Revenue Service warned businesses of an increase in data breaches resulting from spam emails designed to look like legitimate business communications.

Email attacks that attempt to acquire sensitive information, such as usernames, passwords and credit card details (and sometimes, indirectly, money), for malicious reasons by masquerading as a trustworthy source are called phishing scams.  Even sophisticated actors, such as Sony and top law firms, are not immune from these attacks.  With such daunting numbers, what can businesses do to protect themselves, and their customers’ data, from hackers who use such a ubiquitous form of communication?

Understand What “Phish” You Have

First and foremost, a business needs to understand what “phish” or sensitive data it possesses.  Payroll data, for example, is one of the top targets for spear-phishers primarily because of the wealth of personally identifiable information (PII) the data inherently contain, as Snapchat and over 60 other companies recently discovered. 

Once a company understands what data it has, it should take stock of who has access to that data.  It seems like common sense that an employer should not give the receptionist a copy of the same keys it gives to the accountant, but that is precisely what happens when employers do nothing to restrict electronic access to their systems.  A good rule of thumb is to limit access to sensitive data solely to those employees who need access to that data – that way spear-phishers cannot indiscriminately target all employees of a company.

Understand The Threats You Face

Once a business understands the data it possesses, it must confront the threats it faces.  For example, spear-phishing is on the rise.  Though employees are typically wary of providing bank account information to long-lost relatives or princes in far-away lands, spear-phishing is slightly more involved.  In a typical spear-phishing scam, hackers will send emails to employees that appear to be legitimate – a problem with a recent purchase order, a request from a CEO for business documents – anything to get an unsuspecting employee to reveal otherwise private information or enter their passwords into a malicious site.  The worst part is that an employee may not even realize they are the victim of a spear-phishing attack.  The best hackers make everything appear legitimate to the untrained eye – manipulating an email message or website link to appear as if it has come from a trusted sender.  How then can employers mitigate their risk of being the latest victim of a spear-phishing attack?

Train Your Employees

Recent studies of reported breaches have confirmed that employee negligence and human error are among the top causes of data breaches nationally.  As one study found, employee mistakes and misuse account for the overwhelming majority of all data breaches. With that in mind, it pays to educate your employees – the people who can prevent these types of breaches – on the types of attacks they might face.  Even the best spam filters, anti-virus software and IT personnel can’t catch every piece of potentially harmful email that is sent to your employees – though these measures can help.  Providing your employees with training on how to recognize and report spear-phishing attempts is invaluable.  Training provided to employees is the difference between flagging a suspicious email and falling prey to a spear-phishing scam. 

 

Be Proactive, Not Reactive

Spear-phishing attacks are also always evolving.  In addition, several government agencies have successfully enforced data privacy regulations against companies whose data security infrastructure was found to be insufficient – even in the absence of a known data breach.  Accordingly, companies should adopt, and periodically revise, written policies and procedures designed to safeguard the types of private information they possess.  As part of this revision process, companies should proactively monitor trends in cyber-attacks and implement revised security provisions in response.  With updated policies and ongoing training, employees with the power to prevent breaches rooted in human error (such as phishing) will be in the best position to recognize potential threats and to respond appropriately to protect sensitive data.


David F. Herman is an associate in Montgomery McCracken’s Litigation Department and serves as an editor of the firm's Data Privacy Alert blog. He concentrates his practice on commercial litigation, employment litigation, government investigations, and advises on cybersecurity and data privacy issues. He is a magna cum laude graduate of Temple Law School.
