Know Your Phish: 4 Keys to Combating Spear-Phishing Campaigns

1 v. 100,000,000,000: The Odds Favor Phishing (But They Don't Have To)

One hundred billion: it’s a staggering number that is tough to put in perspective. There are approximately one hundred billion stars in our Milky Way Galaxy and one hundred billion neurons in a human brain. That’s also the number of spam emails sent out – each day. While the vast majority of spam emails can be caught by automatic e-mail filters, many reach their intended target and can serve as the basis for a malicious attack that attempts to gain access to a business’s sensitive data. When these emails reach employees, they may appear to be legitimate requests to provide sensitive data or passwords to access that data. Earlier this month, both Experian and the Internal Revenue Service warned businesses of an increase in data breaches resulting from spam emails designed to look like legitimate business communications.

Email attacks that attempt to acquire sensitive information, such as usernames, passwords and credit card details (and sometimes, indirectly, money), for malicious reasons by masquerading as a trustworthy source are called phishing scams. Even sophisticated actors, such as Sony and top law firms, are not immune from these attacks. With such daunting numbers, what can businesses do to protect themselves, and their customer’s data, from hackers that use such a ubiquitous form of communication?

Understand What “Phish” You Have

First and foremost, a business needs to understand what “phish” or sensitive data it possesses. Payroll data, for example, is one of the top targets for spear-phishers primarily because of the wealth of personally identifiable information (PII) the data inherently contain, as Snapchat and over 60 other companies recently discovered.

Once a company understands what data it has, it should take stock of who has access to that data. It seems like common sense that an employer should not give the receptionist a copy of the same keys it gives to the accountant, but that is precisely what happens when employers do nothing to restrict electronic access to their systems. A good rule of thumb is to limit access to sensitive data solely to those employees that need access to that data – that way spear-phishers cannot indiscriminately target all employees of a company.

Understand The Threats You Face

Once a business understands the data it possesses, it must confront the threats it faces. For example, spear-phishing is on the rise. Though employees are typically wary of providing bank account information to long lost relatives or princes in far-away lands, spear-phishing is slightly more involved. In a typical spear-phishing scam, hackers will send emails to employees that appear to be legitimate – a problem with a recent purchase order, a request from a CEO for business documents – anything to get an unsuspecting employee to reveal otherwise private information or enter their passwords into a malicious site. The worst part is that an employee may not even realize they are the victim of a spear-phishing attack. The best hackers make everything appear legitimate to the untrained eye – manipulating an email message or website link to appear as if it has come from a trusted recipient. How then can employers mitigate their risk of being the latest victim of a spear-phishing attack?

Train Your Employees

Recent studies of reported breaches have confirmed that employee negligence and human error are among the top causes of data breaches nationally. As one study found, employee mistakes and misuse account for the overwhelming majority of all data breaches. With that in mind, it pays to educate your employees – the people who can prevent these types of breaches – on the types of attacks they might face. Even the best spam filters, anti-virus software and IT personnel can’t catch every piece of potentially harmful email that is sent to your employees – though these measures can help. Providing your employees with training on how to recognize and report spear-phishing attempts is invaluable. Training provided to employees is the difference between flagging a suspicious email and falling prey to a spear-phishing scam.

Be Proactive, Not Reactive

Spear-phishing attacks are also always evolving and changing. And, several government agencies have successfully enforced data privacy regulations against companies where their data security infrastructure was found to be insufficient – even in the absence of a known data breach. Accordingly, companies should adopt, and periodically revise, written policies and procedures designed to safeguard the types of private information they possess. As part of this revision process, companies should proactively monitor trends in cyber-attacks and implement revised security provisions in response. With updated policies and ongoing training, employees with the power to prevent breaches rooted in human error (such a phishing) will be in the best position to recognize potential threats and to respond appropriately to protect sensitive data.

David F. Herman is an associate in Montgomery McCracken’s Litigation Department and serves as an editor of the firm's Data Privacy Alert blog. He concentrates his practice on commercial litigation, employment litigation, government investigations, and advises on cybersecurity and data privacy issues. He is a magna cum laude graduate of Temple Law School.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.