The cost of spear phishing attacks is rising, and traditional email security approaches are ill-equipped to stop them.

4 Min Read
Concept of virtual screen,digital connection icon and graph interfaces.Young businesswoman using modern mobile tablet while sitting at sunny
Getty Images

Cybercriminals are constantly coming up with more sophisticated ways to breach network security protections. Spear phishing attacks are growing and becoming increasingly expensive–and the companies in your client base may not be fully prepared to deal with these new threats.

While your customers may be generally familiar with phishing emails and how they work, spear phishing schemes are more sophisticated and can rope in end users that otherwise wouldn’t fall for traditional email scams.

That’s because these attacks are carefully researched and planned by their perpetrators, highly personalized, and designed to impersonate a trusted colleague or business. And rather than spreading a virus that might be detected by traditional email protection technologies, the emails are created to steal login credentials, financial and other personal information that can be used to commit additional crimes.

VARs and MSPs should educate their customers about how spear phishing works, the threat it represents to their business, and how to leverage end user training and advanced security technology to thwart these attacks.

Spear Phishing 101

When educating clients, you should share the foundational components of a spear phishing attack and why they need to take this threat seriously. Here are a few basics you should be sure to cover:

  • There are three major types of spear phishing attacks. According to recent research by Barracuda, these types of attacks include brand impersonation (accounting for nearly half of all spear phishing attacks), designed to harvest credentials; blackmail; and business email compromise (BEC) attacks, which are highly targeted and very costly. In fact, the FBI says, BEC spear phishing attacks have caused more than $26 billion in losses during the last four years.

  • Spear phishing attacks are designed to evade email security. Traditional gateways and spam filters don’t catch most of these attacks because they are sent from legitimate-looking domains or compromised email accounts. They also may not include a malicious link or attachment. That means they can get through reputation analysis or blacklist-based security solutions.

  • Spear phishing relies on social engineering. The messages are typically short, urgent, carefully timed, and include relatively plausible requests from trusted coworkers, executives, or companies. It can be very difficult for off-the-rack email security solutions to identify these threats as they arrive–giving criminals more time and flexibility to inflict larger amounts of damage.

  • These attacks are costly. Spear phishing results in relatively high click rates. According to Barracuda’s research, emails that appear to come from HR or IT departments have a click rate of roughly 30%. The average amount lost per organization from spear phishing attacks was $270,000.

  • Even small companies can be targets. Spear phishing attacks aren’t always centered on big paydays. Small companies may feel that they don’t have data or financial resources that would make them appealing target, but that doesn’t mean cybercriminals won’t take over an SMB’s corporate email account to defraud other companies. In addition to the potential financial damage, business email compromise attacks in particular can permanently damage a company’s reputation.

Education Is Critical

Once clients are aware of this growing threat, you can help them implement security strategies to reduce the risk and cost associated with spear phishing. To begin with, employees should be educated to more effectively recognize employee impersonation and other types of spear phishing attacks.

You can also provide guidance to clients to help them establish internal policies that can help safeguard against unauthorized credential sharing, wire transfers and other types of activities that are frequently exploited in these types of attacks.

Client education should also include an overview of new security solutions that leverage artificial intelligence and machine learning to help spot potential attacks that bypass traditional gateways. These solutions can analyze internal emails, create intelligent models to represent typical employee communications, and then use that data to flag suspicious communications even if they don’t include a malicious link or attachment.

Finally, MSPs need to help their clients establish an internal education program that is easy to understand and that provides ongoing training and alerts about new threats. Human-based defenses—such as confirming email requests with a follow-up phone call and adding multiple layers of approval for financial transactions–may be somewhat inconvenient, but by reducing the number of successful spear phishing attacks, companies can greatly reduce the associated cost of them.

You can learn more about spear phishing here.

Nathan Bradbury is Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.

This guest blog is part of a Channel Futures sponsorship.


Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like