How to blunt spear phishing attacks

According to Alan Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. In other words, somebody received an email and either clicked on a link or opened a file that they weren't supposed to.

For example, Chinese hackers successfully broke into computers at The New York Times through spear phishing. So, what are the steps that IT execs can take to protect enterprise networks from spear phishing?


Jim Hansen of PhishMe, a company that provides anti-phishing training programs, says most spear phishing attacks take one of two tacks: they appeal either to human greed or to fear. Either they offer money, coupons, discounts or bargains that are too good to be true, or they announce that your checking account or eBay account has been frozen and you need to re-enter your credentials, or they present some other scenario in which you are required to enter personal information ... or else.

While regular phishing typically involves unsophisticated mass mailings, a spear phish can appear to come from your own IT department, your own payroll department, or a friend or colleague.

Here are some tips from Hansen on how to teach employees to avoid getting spear phished.

1. Read the link's URL backwards, from right to left. The URL might start out with "www.bankofamerica", but when it ends with 120 characters of gibberish, you might start to get suspicious.

2. Don't fall for what's being called the "double-barreled phish," in which you respond to the email with a question, such as "Is this really my buddy Jim?" Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, "Yes, it's me, Jim." Of course, it isn't Jim.

3. Never open a PDF from someone you don't know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.

4. Never give out your password or other personal/sensitive information in response to an unsolicited query.

5. IT security pros should consider training classes targeted specifically at spear phishing.

PhishMe is one of several companies that offer a SaaS-based program whereby IT groups can send fake spear phishing emails to employees and then measure the failure rate.

Hansen says that PhishMe customers are often stunned to find failure rates - in other words, the percentage of end users who click on a spear phish and enter a password - in the 80% range.

The way PhishMe works, when an end user falls for a phish, a giant flash card appears on their screen announcing that they've been phished and detailing what they did wrong. Hansen says his company offers pre-built phishing templates, and customers can also customize their own spear phishing emails.

Customers receive reports on the success of the spear phishing training program down to the individual end user. Hansen says some companies might take punitive action against an employee who repeatedly clicks on fake phishes, while other companies are using gamification to reward good behavior and to keep people on their toes.

He says that when companies stop the training programs, employees revert to their old behavior, so it makes sense for companies to make anti-spear phishing programs a way of life.

Copyright © 2013 IDG Communications, Inc.
