Do Your Clients Need Spear Phishing Education?

Cybercriminals are constantly coming up with more sophisticated ways to breach network security protections. Spear phishing attacks are growing and becoming increasingly expensive–and the companies in your client base may not be fully prepared to deal with these new threats.

While your customers may be generally familiar with phishing emails and how they work, spear phishing schemes are more sophisticated and can rope in end users that otherwise wouldn’t fall for traditional email scams.

That’s because these attacks are carefully researched and planned by their perpetrators, highly personalized, and designed to impersonate a trusted colleague or business. And rather than spreading a virus that might be detected by traditional email protection technologies, the emails are created to steal login credentials, financial and other personal information that can be used to commit additional crimes.

VARs and MSPs should educate their customers about how spear phishing works, the threat it represents to their business, and how to leverage end user training and advanced security technology to thwart these attacks.

Spear Phishing 101

When educating clients, you should share the foundational components of a spear phishing attack and why they need to take this threat seriously. Here are a few basics you should be sure to cover:

• There are three major types of spear phishing attacks. According to recent research by Barracuda, these types of attacks include brand impersonation (accounting for nearly half of all spear phishing attacks), designed to harvest credentials; blackmail; and business email compromise (BEC) attacks, which are highly targeted and very costly. In fact, the FBI says, BEC spear phishing attacks have caused more than $26 billion in losses during the last four years.
• Spear phishing attacks are designed to evade email security. Traditional gateways and spam filters don’t catch most of these attacks because they are sent from legitimate-looking domains or compromised email accounts. They also may not include a malicious link or attachment. That means they can get through reputation analysis or blacklist-based security solutions.
• Spear phishing relies on social engineering. The messages are typically short, urgent, carefully timed, and include relatively plausible requests from trusted coworkers, executives, or companies. It can be very difficult for off-the-rack email security solutions to identify these threats as they arrive–giving criminals more time and flexibility to inflict larger amounts of damage.
• These attacks are costly. Spear phishing results in relatively high click rates. According to Barracuda’s research, emails that appear to come from HR or IT departments have a click rate of roughly 30%. The average amount lost per organization from spear phishing attacks was $270,000.
• Even small companies can be targets. Spear phishing attacks aren’t always centered on big paydays. Small companies may feel that they don’t have data or financial resources that would make them appealing target, but that doesn’t mean cybercriminals won’t