June 8, 2021
Phishing, a type of cyber-attack in which a hacker disguises him- or herself as a trusted source online to acquire sensitive information, is a very common and simple scam that can put your employees and business at risk.
What’s worse, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or friends.
A spear phishing attack is often disguised as a message from a close friend or business partner and is more convincing than a normal phishing attempt; when messages contain personal information, they are much more difficult to identify as malicious.
For businesses, the potential risk of spear phishing is monumental. A report released by the Internet Crime Complaint Center (IC3) stated there were more than 120,000 cybercrime-related complaints against businesses last year, resulting in more than $800 million lost. A large majority of these attacks can be attributed to spear phishing, since the messages are designed and customized to make victims feel safe and secure.
The Basics of Spear Phishing
Any personal information that is posted online can potentially be used as bait in a spear phishing attack. The more a criminal learns about a potential victim, the more trustworthy he or she will seem during an attack. Once the apparent source gains the victim’s trust, and there is information within the message that supports the message’s validity, the hacker will usually make a reasonable request, such as following a URL link, supplying usernames and/or passwords, or opening an attachment.
Even if spear phishing perpetrators target just one of your employees, it can put your entire business at risk.
Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. Successful spear phishing attacks also often go unnoticed, which increases the risk of large and continued losses.
How to Protect Your Business
Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to yourself and your business. Make sure that your employees are aware of these simple techniques:
- Protect your computer by using security software. Set the software to update automatically so it can deal with any newly developed viruses.
- Use multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
- Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
- Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.
- Never send financial or personal information electronically, even if you know the recipient well. It may be possible for a third party to intercept this information.
- Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.
What to Do If You Suspect a Spear Phishing Attack
If you believe that your business has been the target of a spear phishing attack, it is important to act quickly to limit your potential losses.
“The first step should be to immediately change the passwords of the compromised account–if you use the same password on other websites, change those too,” said Lin Schwarz, Commercial Risk Specialist for Avery Insurance. “Next, bring on the experts to pinpoint any vulnerabilities that remain in your business’ network and, if necessary, contact law enforcement.”
If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.
Cyber insurance can be essential in helping your company recover after a data breach, with costs that can include business disruption, revenue loss, equipment damages, legal fees, public relations expenses, forensic analysis and costs associated with legally mandated notifications. Contact Avery Insurance to discuss potential coverage options to protect your business.