Spear phishing is one of the most potentially destructive types of cyberattacks ever.
Phishing is often promiscuous. Most phishing attacks use bots to send phishing text messages, emails, or social media messages to large numbers of people, indiscriminately. For instance, I have occasionally received phishing text messages that impersonate Canadian banks that I don’t do business with. That sort of phishing makes no fool out of most. But if a few targets bite, that makes 100,000 attempts worth it.
Spear phishing is a lot more effort for cyberattackers, with a lot more reward. Spear phishing is targeted to specific individuals or organizations that are connected to computer systems which could be very valuable. Spear phishing often requires the attacker to engage in OSINT (open source intelligence) to learn who a person does business with, what their job title is, and so on. The good guys in cybersecurity can do OSINT, but so do the bad guys.
If you make the effort to learn more about me, it’s easier to fool me into thinking you’re an entity I already associate with. So I might be tempted to click that link or enter my credit card number.
Educational institutions are frequent targets of cyberattacks. The Washington Post covered such an incident recently:
“On the same day education and technology leaders came to the White House to discuss cyberattacks on schools and commitments from industry, a ransomware gang calling itself Medusa appeared to add the 1,000-student Emerson, N.J., public school district to its hostage list.
Continuous cyberattacks on schools like Emerson and elsewhere, even amid a high-profile government-industry event yesterday, underscore the challenge for school systems and cyberattacks: The commitments made this week could move the needle on boosting schools’ cybersecurity defenses; however, as schools take advantage of these new resources, school cyberattacks will probably keep coming.”
What’s covered by the media is just the tip of the iceberg.
It’s worthwhile to provide security awareness training to employees to warn them about spear phishing. However, any experienced cybersecurity practitioner can tell you that training alone is never enough. Even cybersecurity practitioners themselves get fooled by phishing sometimes!
Fortunately, some schools are prepared. Owensboro Public School in Kentucky uses Identity Automation’s PhishID software. In July, PhishID detected a spear phishing attempt that targeted a user who had privileged access to school computer systems.
Security monitoring software can detect false positives, so some investigation was warranted. But PhishID’s alert turned out to be a true positive. The user’s email address was used, and there were images of the school embedded in the HTML code.
PhishID’s detection capabilities were especially impressive because the malware the attacker tried to link to wasn’t in VirusTotal’s database. VirusTotal is a malware threat intelligence source for most of the big antivirus vendors.
PhishID’s technology implements proprietary machine learning AI. So not only was a potentially catastrophic cyber breach thwarted, but the knowledge gleaned from the incident will make PhishID even smarter.
In a nutshell, the key to preventing and mitigating spear phishing attacks is to have different security controls and strong security policies working in tandem. Don’t completely rely on one security control; take a defense-in-depth approach.
For spear phishing specifically, here’s what I recommend.
Teach your employees and contractors at all levels what spear phishing attacks are and how they may be able to spot them. Ensure no employee or contractor is ever penalized for wanting a phone call, meeting, or some other verification that a request through text message, social media, or email is coming from who it says it’s coming from. Even if the message claims to come from the CEO, school superintendent, or a valuable business client, employees and contractors must be encouraged to be skeptical and want a meeting or phone call to verify that a request is authentic in origin. Requests for money, link clicks, or sensitive information should always be scrutinized and verified before they’re acted upon.
Limit how much information your institution and employees share about your organization and who you work with online. This can be easier said than done because it’s a regular business practice these days to share that sort of information, especially through company-owned websites and LinkedIn. Some information sharing online cannot be avoided. But if it’s completely unnecessary to, for instance, share the name of the bank your school has an account with, don’t do it.
Finally, it’s a great idea to implement security monitoring software like PhishID into your school’s email servers and web proxies. PhishID is effective at detecting potential indications of phishing so your organization doesn’t succumb to those attacks. Point-of-Click prevention is an essential cybersecurity feature that can save your institution's sensitive data and applications.