Pagoda Blog

The Difference Between Phishing & Spear Phishing and How to Protect Yourself

October 19, 2017

Most of us with an email address have been the target of either phishing or spear phishing. These two types of cyberattack use the same approach to get at personal data: an email that appears to come from a trusted contact. If you haven’t received one, you’ve probably heard of emails seemingly sent by a friend or colleague that turn out to contain malicious links or attachments. To avoid becoming a victim of one of these attacks, it’s important to understand how they work and the difference between them.



Phishing: The More Targets the Better


In the early, less sophisticated days of phishing, the Nigerian bank scam was perhaps the most widespread form of this type of cyberattack. Targets received an email asking them to provide their banking information in order to help an honest person move money out of Nigeria. In exchange, the victim was promised a large sum of money.


In May 2017 we saw a more advanced form of phishing. Gmail users received an email that appeared to come from someone in their contact list, inviting them to open a Google Doc. Clicking the link led to a genuine Google sign-in screen, which asked you to grant a third-party application calling itself “Google Docs” access to your Gmail and contacts. That application was malicious: once authorized, it sent the same lure to everyone in your address book, spreading the attack quickly. No password was stolen; the victim handed the attacker an access token, and the cleanup was to revoke that application’s access in your Google account settings.


These are both examples of phishing attacks because the attacker sent the same email to a large number of targets chosen more or less at random. Anyone, regardless of social status, could be a target. Here’s what a phishing attack typically looks like:


  1. A typical phishing attack starts with an email that appears to come from a trusted source, such as your bank or a friend or colleague in your contacts list.
  2. Because you trust the sender, you’re lured into clicking the included link, which takes you to a malicious website, or into opening an attachment that carries malware.
  3. Either route lets the attacker infect your computer or capture your personal information, such as usernames and passwords.


Related post: New Password Guidelines Call for Simple, Memorable Phrases


Sometimes the phishing attack doesn’t require any malware at all. It simply asks you for your information by tricking you into thinking that your bank or another trusted source wants you to update your account details. The user, in effect, does the work for the attacker.


Spear phishing uses the same technique (an email that appears to come from a trusted source), but these attacks are anything but random.



Spear Phishing: Going for the Gold


In the 2016 U.S. Presidential Race, the Democratic National Committee (DNC) was hacked. Two separate attacks successfully breached their entire email system. The first hack sent emails with malicious attachments to over 1,000 addresses within the DNC. The second sent emails that asked recipients to reset their passwords by clicking a link and then entering their information into a fake webmail domain. This gave the hackers access to the recipients’ email accounts, resulting in the major breach.


While this attack sounds very similar to the phishing attacks described above, it’s actually an example of spear phishing. Instead of mailing random addresses, the attackers narrowed their targets to a smaller group of specific individuals. These are typically high-profile executives or government employees with access to valuable, highly confidential information, and the attackers only need one target, or a small handful of them, to fall for the fake email for the attack to succeed.


In order to increase the likelihood that the target will open the email and then follow the enclosed instructions, the hacker researches their online activity. They find out what websites their target visits, who they follow on social media, their political preferences, their employer, if they have kids or a pet, and any other helpful information that will improve the odds of success. All of this research allows the hacker to craft a highly believable, personal message. So believable that even members of the DNC fell for it.


This sophisticated type of phishing is highly successful and highlights the need for increased awareness and education around this type of cyberattack.



How to Protect Yourself


Whether you’re a multi-million dollar corporation or a small mom & pop shop that’s just breaking even, you’re unfortunately vulnerable to both phishing and spear phishing attacks.


To recap, phishing attacks are sent to large numbers of more or less random email users, whereas spear phishing attackers research their targets and send tailored emails to a specific group of people in order to reach particular information. While spear phishing attacks typically target high-profile individuals, your small business can also be targeted and used as the gateway to a larger company.


Be Your Own Firewall

In the past, a firewall and antivirus software caught much of the malware that phishing emails delivered. Spear phishing largely sidesteps those protections: there is often nothing for the software to catch, because the email convincingly imitates a trusted sender and then talks the user into taking the harmful action themselves, such as typing a password into a look-alike page. In effect, you need to be your own firewall these days by learning to spot malicious emails. The single most useful habit is to check where a link really goes before clicking it (hover over it on a computer, or long-press it on a phone) and compare that address with the one the email claims to be sending you to.
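The “check where the link really goes” habit can also be automated. The following is an added example written for this page, not code from Pagoda Technologies or KnowBe4: it pulls every link out of an HTML email body and flags links whose visible text shows one domain while the address points at another, or whose domain is not one the claimed sender normally uses. The email body, the `example-bank.com` domain and the `account-verify.net` look-alike are constructed for the example; the two-label “registrable domain” rule is a simplification (a production check would use the public suffix list so that `co.uk`-style domains work).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the visible link text, e.g. "www.example-bank.com".
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable(host):
    """Last two labels of a hostname: 'a.b.example-bank.com' -> 'example-bank.com'.
    Simplification: use the public suffix list in real code."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(html, expected_domains):
    """Return a list of findings for links that deserve a closer look.

    expected_domains: registrable domains the claimed sender legitimately links to.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):   # skip mailto:, tel:, anchors
            continue
        host = url.hostname or ""
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        # The classic lure: the text says example-bank.com, the href says somewhere else.
        if shown and registrable(shown.group(0)) != registrable(host):
            reasons.append(f"link text shows {shown.group(0)} but the link goes to {host}")
        if registrable(host) not in expected_domains:
            reasons.append(f"{host} is not a domain this sender normally uses")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a "verify your account" lure with one bad link and two harmless ones.
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Unusual activity was detected. Please verify your account within 24 hours at
<a href="http://example-bank.com.account-verify.net/login">https://www.example-bank.com/login</a>.</p>
<p>Questions? Visit our <a href="https://www.example-bank.com/help">help center</a>
or write to <a href="mailto:support@example-bank.com">support</a>.</p>
"""
EXPECTED_DOMAINS = {"example-bank.com"}   # assumption: the only domain this bank links to


def check_sample():
    return suspicious_links(SAMPLE_MAIL, EXPECTED_DOMAINS)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run on the sample, only the “verify your account” link is reported, with both reasons: its text shows `www.example-bank.com` while the address is on `account-verify.net`, and that domain is not one the bank uses. The help-center link passes because its real domain matches, and the `mailto:` link is skipped.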


Two-Step Authentication

Part of being your own firewall is using two-step authentication (also called two-factor authentication). With it, your username and password alone are not enough to get into your email account; a second step is required, usually a short numeric code (six digits is typical) that appears in an authenticator app or is sent by text message to a phone you chose when you set it up. Whoever tries to log in, whether you or an attacker holding your stolen password, is not let in until that code is entered, so a password phished from you is not enough on its own. One caveat: a fake login page can ask for the code as well as the password and relay both to the real site within the code’s short validity period, so two-step authentication raises the bar but does not make it safe to type your details into a page an email sent you to. Security keys that tie the login to the real website’s address are the strongest option against that trick.
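To show what that second-step code actually is, here is an added example (written for this page, not code from Pagoda Technologies or any provider mentioned here) of the time-based one-time password scheme, TOTP (RFC 6238), that authenticator apps use. The shared secret is the RFC’s published test seed rather than a real user secret, and the login timestamps are fixed so the result is reproducible. The server-side check accepts one 30-second step of clock drift either way, which is standard, and also remembers the last time step it accepted, so a code an attacker captured on a fake page and relayed a few seconds after the victim used it is refused.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference test seed (the ASCII string "12345678901234567890").
# In a real deployment this is the per-user secret the authenticator app scanned from a QR code.
RFC_SEED = b"12345678901234567890"
STEP = 30        # seconds each code stays valid
DIGITS = 6       # length of the code the user types


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (seconds since epoch)."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server side of the check.

    Tolerates `window` steps of clock drift in either direction, but never accepts
    a code from a time step at or before the last one already used, so a code the
    attacker relayed after the legitimate login is rejected even while still 'fresh'.
    """

    def __init__(self, secret, step=STEP, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code, at):
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                      # already consumed: replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo():
    """Victim logs in with the code from their app; attacker relays the same code 5 s later."""
    verifier = TotpVerifier(RFC_SEED)
    now = 1111111109                          # fixed timestamp from the RFC 6238 test table
    code = totp(RFC_SEED, now)                # what the authenticator app displays
    first = verifier.verify(code, now)        # legitimate login
    replay = verifier.verify(code, now + 5)   # relayed by the phishing page seconds later
    return {"code": code, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Without the `last_counter` check the relayed code would be accepted, because five seconds later it is still inside the drift window; that is exactly how a real-time phishing page beats code-based two-step authentication, and why the check alone is not a substitute for not entering the code on a page you reached from an email.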


The same idea, confirming identity through a second channel, applies to your business processes, not just to logins. If you handle wire transfers, for example, require a second confirmation from anyone requesting one, by a phone call to a number you already have on file rather than one supplied in the email. It’s an easy, quick step that can prevent a monetary disaster.


The Takeaway

If you take one thing away from this article, let it be this: your bank, insurance company, or any other trusted source should never ask you to update sensitive information through a link in an email. If you receive such a request, contact them directly using the phone number or website address you already have (on your card, a statement, or a bookmark), not the contact details in the email, to confirm whether it is genuine.



Train Your Team


Now that you’re educated about the dangers of and difference between phishing and spear phishing attacks, you need to ensure that your employees also know how to protect themselves, and your company, from an attack. KnowBe4 (a service we offer here at Pagoda Technologies) is an invaluable training tool that works to improve cybersecurity across an entire team. This system provides training to your employees, allows you to track how much training each individual employee has completed, and then tests them monthly to ensure they keep their knowledge up to date.


The monthly tests take the form of fake phishing emails. As the employer, you can choose the content of the email to make it as convincing as possible to your team members. The KnowBe4 system then tracks each user’s actions and reports who is clicking links, filling out forms, or opening attachments, each of which could expose your business to compromise. This tells you which employees need more extensive training and greatly decreases the chance that your business will fall victim to phishing and spear phishing attacks.



What To Do If You’re Hacked


If you fall prey to a phishing or spear phishing attack, or think that you’ve received a phishing email, report it to your email provider. For Gmail users, open the suspicious email, click the down arrow next to Reply, and then click Report Phishing. For Outlook users, open the suspicious email, click the down arrow next to Junk in the toolbar, and select Phishing scam from the menu. If you actually clicked through and entered a password, change it immediately, along with any other account where you used the same password. If you granted an application access to your account, as in the Google Docs attack described above, revoke that access in your account’s security settings. Let your IT support know as well, because the attacker may already have used your account to send the same email to your contacts.


Need help protecting your business from phishing and spear phishing attacks? We offer IT security services and can help you use the KnowBe4 training tool to keep your employees up to date on the latest phishing threats. Get in touch for a free consultation and learn how you can improve the online security of your business.


Looking for more information about cyber security and how to protect yourself and your business? Check out these posts:

Are Macs Really More Secure Than PC’s?

The Fate of Internet Privacy Protection and Your Personal Electronic Data

7 Cyber-Security Myths Debunked



Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and learn how to protect and grow your business with monthly IT tips from our experts. Subscribe today.


Need ongoing IT support for your business? Contact us for a free consultation. We’d love to work with you!



About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.



As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060


Contact us for a free IT consultation


