Spear phishing is a form of phishing attack. But unlike most phishing emails that go out to hundreds or thousands of potential targets at the same time, spear phishing is highly targeted – leveraging very specific information about individuals or organisations to personalise the attack and make it more effective.
The personalised nature of spear phishing means that the details vary between attacks. But typically, it follows a step-by-step process that builds a bank of information and uses that to craft a targeted attack.
Whether they’re targeting an individual, or targeting an organisation via an individual employee, spear phishing attacks rely heavily on people who freely share personal and work information on social media platforms.
Attackers can access publicly available data that includes details about targets’ relationships, job roles, personal interests, and day-to-day activities. They also create fake profiles, populating them with posts and images so they look genuine, and using those profiles to build trust with the target.
And it’s that potential for building trust that really makes social media such a rich environment for spear phishing to thrive. It’s so effective that committed threat actors can launch long-term attacks: Evaldas Rimasauskas, for example, used the spear phishing strategy to gain access to tech company Quanta from 2013 to 2015.
One of the major challenges organisations face in mitigating the risks of spear phishing on social media is that they have to respect employees’ freedom to express themselves online, and balance that with the security of the organisation.
Company social media policies can restrict the sharing of business information and encourage employees to separate their personal and work profiles, but employees also need more awareness of the signs and risks of spear phishing.
Training to support individuals in understanding and identifying spear phishing tactics is essential. Some organisations run simulated spear phishing exercises on social media to test and improve employees’ ability to detect and report suspicious behaviour. Education around how to verify the authenticity of social media accounts and communications before engaging with them can help minimise the risk of employees sharing information with malicious actors.
Ultimately, organisations have to tread the line between effective security and overstepping into employees’ personal lives. But as spear phishing continues to become more prevalent, it’s a necessary boundary to explore.
Discover the latest research into social engineering cybersecurity attacks at Black Hat MEA 2024.