You have probably already heard of phishing – after all, it is everywhere, these days - from the good old-fashioned Nigerian prince email all the way through to the CRA phone scam (also known as voice-phishing or vishing). The scammers cast a huge, wide, net as far as they can, and wait to see if anyone bites. However, there is another, more-complex level of phishing, that you may not have heard of, called Spear Phishing.
Spear phishing is different in that they target a specific person – usually someone in a large company with access to valuable data or finances. Before they are contacted, the scammer will take the time to do some research on their intended victim, mostly online through social media accounts etc.
Using the personal information that they have gathered, they will then contact this intended victim, making their email as personal and legit looking as they can. It may be as an application to a job that they know they are recruiting for, or a faked email from a friend claiming to have a link to a new menu from a favourite restaurant. Of course, this link or document will contain a malware-infected link or document. Once clicked, the hacker either gains access to company data, or can plant a crypto-locker virus for ransoming.
Most spear phishing is aimed at mid-tier employees. However, there are a few brave spear-phishers who will sometimes target someone at the top of the company tree, like a CEO, CFO or senior manager. When this happens, it is called whaling.
So, how can you prevent this kind of phishing?
Education is a key one here. Making employees aware that this can happen will go a long way! Advise them to keep their social media content as private as possible (after all, that is as much for their own personal benefit as yours!).
Make sure all employees know what to look for in fake emails (such as poor spelling and grammar, or checking link addresses before clicking them by hovering the mouse pointer to see a pop-up box of the address. If you get a link claiming to be from a certain bank or company, open a browser window and go to the bank/company website directly and compare their actual address to the one you see on the email.
Limit data to the people who need it. If you keep data on shared drives, make sure sensitive data is housed on separate drives (eg a drive for Accounting only, a drive for customer lists only etc) and only give people access to the areas/drives they need to work.
Keep all software, anti-virus programs and firewalls up-to-date.
Back-up, back-up, back-up!! Back-up your data well and back-up often!!
If you are worried about your company’s potential vulnerabilities, give our team a call at 778-771-0184 or email firstname.lastname@example.org, and talk to us about scheduling a Tech Health Check-Up.