With cloud backups, virtualization and SaaS, PaaS and IaaS being used with rightful abandon, online data security becomes urgent. But the designers of these elaborate systems are in competition with hackers and phishing enthusiasts who seem to know all the tricks of the trade and are often one step ahead of the software engineers and security professionals in the business. No number of legal mandates and security protocols seems to prevent the cybercriminals from gaining the upper hand. Gullible individuals can compromise enterprise networks by opening emails that are purportedly from friends and contain links that make the phishing attack possible. A recent example of a spear phishing attack was reported by The New York Times: Chinese hackers successfully attacked the newspaper’s computers.
What is most alarming about spear phishing is that the targets are attacked for financial gain. The spear phishing vehicles, the emails, are often from a trusted source, such as the victim’s bank or PayPal. Often the spear phishing criminal will turn out to be an employee of the victim enterprise.
In this context, it is important to train employees, administrators and others within the organization to recognize the potential for an attack and to be suspicious of emails that request confidential information or personal data, even if the sender is known to the receiver, the message contains clues as to its validity, and there is some logic in the request.
Spear phishers may sometimes use the enterprise website or an individual’s online social interactions to target their victims. For instance, a spear phishing attack may be initiated after scanning social network sites and identifying the organization’s or individual’s web page, email address, friends list and the recent content of posts, messages and blogs. The request may seem innocuous, and the response will be used to create the spear phishing attack. Enterprises and individuals should take care to ensure that secrets remain secrets. Important information about the enterprise or the individual must not be posted online at any time.
Spear phishing attacks may also be initiated when patches, updates and security software are downloaded and installed on user systems. Since most software companies release patches and upgrades, there is a tendency to trust the email that prompts you to download the software. It is best to visit the vendor's website and check whether such a patch or upgrade has been released and is ready to be downloaded before you click on that suspicious email. Patches and upgrades should then be downloaded directly from the vendor site.
The bottom line is that you have to be cautious. Extra care never harms anyone. Carelessness can breed losses.