Here’s why: it still works. Even though security awareness training and a constant stream of worrisome new stories may be improving the average employee’s click-through rate in run-of-the-mill phishing emails, social engineers still know just how to pinpoint the areas that will lower even a seasoned email user’s defenses. That’s just what spearphishing is: targeted attacks that are hand-crafted to startle or scare an employee into making a bad decision—usually clicking an embedded link that routes to a fraudulent website prepared to collect personal information.
According to Symantec, two of the most common words in last year’s string of emails were “order” and “payment.” In our experience, words like “benefits,” “payroll,” “cancelled,” and “dropped” also do the trick.
Spearphishing in Action
Here’s a good example we used in one legitimate phishing test for a customer. What would you do if you got this email? It seems pretty urgent…
If you’d been one of a number of employees who clicked the embedded link, you'd have been routed to a fake website designed to capture your login information.
Here’s the hard truth: most savvy email users have become conditioned to ignore the most common phishing scams: the Nigerian bank scam, the eBay attack, and the free iPad scam. But just as we become conditioned, social engineers become smarter and more resourceful, and there has been a recent increase in spearphishing emails that appear to be from employers.
Phishing Emails and Social Engineers Getting More Sophisticated
Even more concerning: “While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better.” The article goes on to say that these more sophisticated and carefully orchestrated attacks led to a 62% increase in the number of data breaches, compared to 2012.
Don’t be the key to a mega breach. Remember: every unexpected or sketchy email deserves a second look, even if it looks like legitimate communication from your supervisor, Human Resources personnel, or whoever manages your 401K. Ask before you click.
Need spearphishing training for your employees? Look no further. It's one of our most popular courses.
More About Spearphishing