MSPs are in a privileged position to educate and inform their clients on the various cyber security threats facing businesses today. While many MSP leaders get concerned about the effectiveness of “selling fear,” sharing facts, trends, and real-life stories with clients can elevate the conversation and provide vital context to business leaders.
Spear-phishing is one topic that merits extra consideration. Spear-phishing is a form of social engineering attack that leverages highly targeted email and personalization techniques to dupe the victim into divulging passwords or other sensitive information or, in other cases, into participating in financial fraud schemes.
On today’s blog, let’s explore five spear-phishing realities that matter for MSPs and their clients.
1. What is Spear-phishing?
According to email security vendor Avanan’s Global Phish Report, spear-phishing attacks are the least common form of phishing attack. In a recent study, spear-phishing attacks made up just 0.4% of phishing attacks, behind malware phishing (50.7%), credential harvesting (40.9%), and extortion (8%).
Nevertheless, spear-phishing attacks are potentially the deadliest. They often target C-level executives or mid-level employees who have access to sensitive credentials, financial systems such as cash accounts or payroll systems, or other financial software tools in companies. Spear-phishing attacks will commonly target mid-level employees and involve the attacker impersonating a senior executive at the company asking the employee to wire money, pay a fake vendor, or send employee or client information. Often, the requests from the cybercriminal will leverage urgency or even thinly veiled threats against the employee victim.
In other cases, spear-phishing emails may target key individuals in an attempt to steal their credentials. When cybercriminals are successful, stolen usernames and passwords can be further used to compromise email systems or breach other software tools and financial systems.
2. Are Spear-phishing attacks hard to detect?
Spear-phishing attacks are very difficult to detect and stop, especially from a technology perspective. Spear-phishing emails are highly targeted and usually sent to a single individual. Cybercriminals will often carefully research their target, along with the employees and colleagues around them. Social engineering techniques are then used to exploit people’s trust in their colleagues or sometimes in external clients and vendors. The victim of a spear-phishing attack will often receive an email impersonating someone they know and trust, and the request in the email will usually seem like a perfectly normal request.
While organizations have long invested in sophisticated email security systems to block high-volume spam, malware, and conventional phishing attacks, in most cases these solutions fail to catch or detect spear-phishing attacks. Spear-phishing attacks will often look like a conventional email from a technology perspective and lack links or attachments. Each attack is bespoke or customized, making them very hard to detect.
3. Why is Spear-phishing the most harmful?
Spear-phishing attacks are potentially the most harmful since there is commonly a financial motivation behind the attack and the financial losses can be extreme. Spear-phishing attacks are often orchestrated in concert with business email compromise (BEC) attacks. In a BEC attack, the cybercriminal may have control of an employee’s real email account, making it vastly simpler to impersonate the employee and leverage built-in trust relationships. Often, the criminal will gain control of an employee email account by first spear-phishing that individual. Then once they have email account control, they can perform various forms of social engineering attacks on fellow employees.
C-level executives, especially the CEO and CFO, and IT staff are the most frequently targeted roles for phishing attacks. According to a recent report, CEOs received on average 57 phishing emails per year, CFOs received 51, and IT staff received on average 40.
4. How does Spear-phishing affect MSPs and IT?
Phishing attacks of all kinds consume a lot of IT or MSP staff time. In most organizations, employees are trained to forward suspected phishing attacks to an email alias for analysis by professionals. In practice, these emails require one-by-one scrutiny and research. According to Avanan, each email forwarded to the Security Operations Center (SOC) requires an average of 7.7 minutes of analyst time for analysis and action. With the volume of email-borne attacks, the amount of time spent responding to these incidents can grow significantly, especially if IT or MSP staff are overburdened. Avanan also found that 22.9% of SOC time is spent responding to email-borne threats. In addition to investigation tasks, SOC staff will often have to perform additional prevention tasks such as updating block and allow lists, changing mail-flow rules, and fine-tuning sensitivity and confidence settings.
5. What can MSPs do to mitigate Spear-phishing?
Artificial intelligence (AI) and machine learning are two vital technologies in the fight against spear-phishing. Cutting-edge technology vendors are leveraging AI and machine learning to go beyond looking for malicious links and attachments. These more advanced technologies focus on detecting anomalous emails and behaviors, rather than mere phishing signatures.
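As an added illustration (not code from this post or from any vendor it names), the script below shows the kind of anomaly-based triage the paragraph describes, scoring a message on the indicators the post lists rather than on signatures: an external sender borrowing an executive’s display name, a mismatched Reply-To, a payment or data request, urgency language, and the absence of links or attachments. The executive directory, the example.com domain and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory for a hypothetical company; real deployments pull this from the IdP.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "ceo@example.com", "Sam Lee": "cfo@example.com"}
URGENCY = ("urgent", "immediately", "asap", "right away", "confidential")
REQUESTS = ("wire", "transfer", "pay the invoice", "gift card", "w-2", "payroll", "bank details")
WEIGHTS = {"exec_name_spoof": 3, "reply_to_mismatch": 2, "payment_or_data_request": 2,
           "urgency": 1, "external_sender": 1}

# Constructed sample: CEO impersonation from an outside mailbox, no link, no attachment.
SAMPLE_BEC = """From: Jane Doe <jane.doe@mail.example>
Reply-To: jdoe@reply.example
To: accounts@example.com
Subject: Quick request

Are you at your desk? I need you to process a wire transfer immediately
for a new vendor. This is confidential, please do not discuss it with anyone.
"""

# Constructed sample: a routine internal message from the real CFO mailbox.
SAMPLE_NORMAL = """From: Sam Lee <cfo@example.com>
To: accounts@example.com
Subject: Q3 numbers

Please send me the Q3 summary when it is ready. Thanks.
"""

def score_message(raw: str) -> dict:
    """Score one RFC 822 message on the BEC indicators described in the post."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    indicators = {
        # Display name matches a known executive but the address is not that executive's mailbox.
        "exec_name_spoof": name in EXECUTIVES and addr.lower() != EXECUTIVES[name],
        "external_sender": sender_domain != INTERNAL_DOMAIN,
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "urgency": any(w in text for w in URGENCY),
        "payment_or_data_request": any(w in text for w in REQUESTS),
        # Informational only: explains why link/attachment scanners see nothing to block.
        "no_links_or_attachments": "http" not in text and not any(True for _ in msg.iter_attachments()),
    }
    indicators["score"] = sum(WEIGHTS[k] for k in WEIGHTS if indicators[k])
    indicators["verdict"] = "escalate" if indicators["score"] >= 5 else "review" if indicators["score"] >= 3 else "low"
    return indicators
```

Feeding the SOC alias through a scorer like this lets analysts spend their 7.7 minutes on the messages that actually carry impersonation and payment-request indicators.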
Multifactor authentication (MFA) is another key part of the solution. MFA requires employees to authenticate with multiple factors, such as something they know (like a password) and something they have (such as a one-time passcode generated by an authentication app on an employee’s mobile device). Even if employees fall prey to various forms of spear-phishing attacks, MFA prevents password compromises from spiraling into major crises because cybercriminals cannot effectively leverage the stolen passwords. When MFA is broadly deployed over all key software systems, business email compromise attacks and further lateral movement by cybercriminals are greatly reduced.
Cyber Security Awareness Training, with phishing simulations
Training employees on how to spot and detect spear-phishing and social engineering attacks is vital. Building a “human firewall” in your organization is your best first line of defence, especially with hard-to-stop threats like spear-phishing. The key is to deploy training and education that is programmatic and regularly deployed. Repetition is key and micro-learning approaches are the best way to weave ongoing education into the employee’s workday. Moreover, programmatic initiatives should also include phishing simulations and tests, which create teachable moments and allow employees to evolve their abilities at spotting and detecting email scams and phishing attacks.
Lastly, organizations should implement stricter financial controls which require multiple employee sign-offs and approval for large wire transfers, ACH transactions, or even large physical check payments. Dollar thresholds and multiple signers introduce additional process and time, but that is precisely what is needed to detect fraudulent transactions and payment requests.