11 tips to stop spear-phishing

Most of us have clicked on an email that seemed legitimate but wasn't. I am embarrassed to say it, but I recently clicked on a malicious link myself, and I should know better considering that I preach to people every day about the importance of protecting your organization against such tactics. But the phishing email caught me at the wrong time, when I was half paying attention to what I was doing, and it enticed me with the right authentic-looking message.

When we first started trying to educate employees about email security, I sent a sampling of 140 employees a fake phishing email. The results were jaw dropping: 72 percent opened the email. Of those, 85 percent clicked on the "malicious" link. But the most concerning to me was that 65 percent gave their username and password, and that number would have been higher if word hadn't gotten around about the fake email in social circles.


Each employee who clicked on the malicious link was then trained: we explained the dangers of malicious emails and how to catch them in the future.

I've spoken with hundreds of CIOs and CISOs worldwide, and many of them have impressive programs. In those discussions I also got to hear how the top organizations are protecting themselves from the risk of spear phishing with a very high degree of effectiveness. Below are the top 11 tips I've heard, covering technology practices, employee education and social media smarts.

3 ways to stop 95-99 percent of spear-phishing attempts:

1. Inbound email sandboxing:

Deploy a solution that checks the safety of an emailed link at the moment the user clicks it, not only when the message is delivered. This protects against a newer phishing tactic I've seen from cybercriminals: they register a brand-new URL with no reputation history and send it to their targets, so it sails past the organization's email security. A variant is to inject malicious code into the linked page only after the email has been delivered, so the page looks clean at the time the gateway scans it. Either way, the link gets past a standard spam filter that judges URLs only at delivery time.
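Here is how a click-time link check works in practice, as an added example that is not from the article or any vendor product. At delivery, every link in the message body is rewritten into a signed redirect through a checking endpoint; at click, the endpoint verifies the signature and consults whatever verdict exists at that moment, which is what closes the gap for a URL that had no reputation when the mail arrived. The endpoint URL, signing key, verdict store and sample message are all constructed for the example.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumptions for this example: the click-time check endpoint and the
# per-tenant signing key are placeholders, not from the article or a product.
CHECK_ENDPOINT = "https://linkcheck.example.com/c"
SIGNING_KEY = b"rotate-me-out-of-band"

# Verdicts learned after delivery (threat feeds, sandbox detonations, user
# reports), keyed by hostname. A brand-new URL starts with no entry at all,
# which is exactly why a delivery-time-only check lets it through.
VERDICTS: dict[str, str] = {}

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url: str) -> str:
    """HMAC over the original URL, so the checker cannot be abused as an open redirect."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body_html: str) -> str:
    """Delivery time: point every http(s) link in the message at the checker."""
    def wrap(m: re.Match) -> str:
        target = html.unescape(m.group(1))
        wrapped = f"{CHECK_ENDPOINT}?u={quote(target, safe='')}&s={_sign(target)}"
        return f'href="{html.escape(wrapped, quote=True)}"'
    return HREF_RE.sub(wrap, body_html)


def extract_hrefs(body_html: str) -> list[str]:
    """Pull the (unescaped) href values back out, as a mail client would."""
    return [html.unescape(h) for h in re.findall(r'href="([^"]+)"', body_html)]


def resolve_click(wrapped_url: str) -> tuple[str, str]:
    """Click time: verify the signature, then consult the *current* verdict.

    Returns (verdict, original_url) with verdict 'allow', 'block' or 'tampered'.
    A real endpoint would redirect on 'allow' and show a warning page otherwise.
    """
    q = parse_qs(urlsplit(wrapped_url).query)
    target = q.get("u", [""])[0]
    sig = q.get("s", [""])[0]
    if not target or not hmac.compare_digest(_sign(target), sig):
        return "tampered", target
    host = (urlsplit(target).hostname or "").lower()
    return VERDICTS.get(host, "allow"), target


def mark_malicious(host: str) -> None:
    """Record a verdict that arrived after the mail was already delivered."""
    VERDICTS[host.lower()] = "block"


if __name__ == "__main__":
    # Constructed sample message: the link is fresh and has no reputation yet.
    mail = ('<p>Your parcel could not be delivered. '
            '<a href="https://evil.example.net/track?id=42&amp;lang=en">Reschedule</a></p>')
    link = extract_hrefs(rewrite_links(mail))[0]
    print(resolve_click(link))           # allow: nothing is known at delivery time
    mark_malicious("evil.example.net")   # a feed or sandbox flags the host hours later
    print(resolve_click(link))           # block: the same link now stops at click time
```

The HMAC is not decoration: without it, anyone can craft a link through your redirector to any destination, turning the protection into an open redirect that lends your domain's reputation to the attacker's page. The verdict store is where a commercial product earns its keep, with feeds, detonation results and user reports updating it long after the message has landed.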

2. Real-time analysis and inspection of your web traffic:

First, stop malicious URLs at your gateway before they ever reach your users' corporate inboxes. But even with inbound email sandboxing on corporate mail, some users will click a malicious link from a personal email account such as Gmail, and your corporate email spear-phishing protection never sees that traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time and be 98 percent effective at stopping malware.

3. Employee behavior:

The human element is incredibly important. Many CSOs I've spoken with are adopting employee testing programs with Phishme.com (Editor's note: Clark is on the executive board of PhishMe Inc.) and run this training on an ongoing basis. The result isn't really employee education or security awareness; it's behavior modification. See my five employee behavior tips below.


5 ways you can modify employee behavior:

Employees are critical to your security success, your spear-phishing defense and your ability to prevent a data breach. Below are five ways you can turn them into security advocates.

1. Pen-test your organization:

One of the best ways people create new behaviors is by making a mistake and being corrected. It's time to put your black hat on. Select a group of people from each major department and send them targeted spear-phishing emails from an outside email address. Use only information you can find on their social media profiles (Facebook, Twitter, LinkedIn, etc.). For example, if you see they like a local sports team, send them an invitation to a local happy hour that supports the team. When they click on the link, tell them they have been phished and communicate best practices in a positive way.
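A minimal scaffold for running such a test and measuring it the way the 72/85/65 percent results above are reported, added here as an example rather than the author's or PhishMe's tooling. Each recipient gets a random tracking token so that clicks are attributable without putting a username in the URL; the funnel treats a credential submission as implying a click and a click as implying an open, because tracking pixels are often blocked. The landing-page domain, recipient list and events are constructed for the demo.

```python
import secrets
from dataclasses import dataclass, field

# Assumed: your own training landing page, on a domain you control.
LANDING = "https://security-training.example.com/t"

EVENTS = ("open", "click", "submit")


@dataclass
class Campaign:
    """One simulated spear-phishing round against a chosen group of employees."""
    recipients: list[str]
    tokens: dict[str, str] = field(default_factory=dict)         # token -> recipient
    events: list[tuple[str, str]] = field(default_factory=list)  # (token, event)

    def __post_init__(self) -> None:
        # One random token per recipient: every click is attributable to a person,
        # but the URL itself leaks no username if the lure gets forwarded or posted.
        for person in self.recipients:
            self.tokens[secrets.token_urlsafe(12)] = person

    def link_for(self, recipient: str) -> str:
        token = next(t for t, p in self.tokens.items() if p == recipient)
        return f"{LANDING}/{token}"

    def record(self, token: str, event: str) -> bool:
        """Log an event from the tracking pixel, landing page or fake login form.
        Unknown tokens (scanners, guesses) and unknown events are rejected."""
        if token not in self.tokens or event not in EVENTS:
            return False
        self.events.append((token, event))
        return True

    def funnel(self) -> dict[str, object]:
        """The three percentages the article reports: opened of sent, clicked of
        opened, and credentials submitted of clicked, plus who needs training."""
        seen: dict[str, set[str]] = {e: set() for e in EVENTS}
        for token, event in self.events:
            seen[event].add(token)          # sets: repeat clicks count once
        # Submitting credentials implies a click, and a click implies the mail was
        # opened, even when the open pixel never fired (image blocking is common).
        seen["click"] |= seen["submit"]
        seen["open"] |= seen["click"]

        def pct(num: int, den: int) -> float:
            return round(100.0 * num / den, 1) if den else 0.0

        return {
            "sent": len(self.recipients),
            "opened_pct": pct(len(seen["open"]), len(self.recipients)),
            "clicked_pct_of_opened": pct(len(seen["click"]), len(seen["open"])),
            "submitted_pct_of_clicked": pct(len(seen["submit"]), len(seen["click"])),
            # Everyone who clicked gets the follow-up training the article describes.
            "needs_training": sorted(self.tokens[t] for t in seen["click"]),
        }


if __name__ == "__main__":
    # Constructed sample: four employees from one department.
    camp = Campaign(["ana@corp.example", "ben@corp.example",
                     "cy@corp.example", "dee@corp.example"])
    tok = lambda who: camp.link_for(who).rsplit("/", 1)[1]
    camp.record(tok("ana@corp.example"), "open")
    camp.record(tok("ben@corp.example"), "open")
    camp.record(tok("ben@corp.example"), "click")
    camp.record(tok("cy@corp.example"), "click")    # pixel blocked, no open event
    camp.record(tok("cy@corp.example"), "submit")
    print(camp.funnel())
```

Keep the landing page on a domain you own and make the fake login form discard whatever is typed: the point is the teaching page that follows, not harvesting real passwords from your own staff.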

2. Ask marketing for help:

Start a partnership with marketing to help you communicate with your employees. Your marketing team specializes in communicating with different audiences to get them to take action. It's time to use their skills. Create a communication plan that both teams can execute and track which methods are most effective.

3. Change how your message is communicated:

Some people learn visually, others by listening, and for many it's a combination of both. Vary how your security message is delivered to employees. Start with a monthly email, webinar and intranet post, then switch it up with in-person training and videos. Using different mediums will help your message resonate with more employees. Remember, you will need to communicate a message multiple times for it to stick.

4. Make security relevant to them:

Just asking employees to watch out for suspicious-looking emails doesn't drive home the urgency of spear-phishing. Rip it from the headlines: when a large company makes the news for a data breach that started with an employee opening a malicious email, immediately explain how the same thing could happen in your organization. It's well timed, newsworthy and will be on your executives' radar.

5. Reward good behavior:

IT security is known for doom and gloom, but what if you changed that perception? Start rewarding your employees for the "Catch of the Week." Run an internal contest that asks employees to forward suspicious emails they receive (from both their personal and work accounts). Pick the winner every Friday, reward that employee with a $100 Starbucks gift card, and publicize the spear-phishing attempt for other employees to see.

3 things to never post on the social web

Social networks are gold mines of personal information for cybercriminals, especially for targeted spear-phishing emails. Below are three things I don't recommend IT security professionals discuss online.

1. Any birthdays, addresses or other details that feed into your network passwords:

Seriously, you'd be surprised at what I've seen.

2. Your vacation schedule and home photos:

It's an advertisement for exactly when you will be out of town, and it does the criminals' reconnaissance for them. You may not think you are a target, but cybercriminals are getting more sophisticated.

3. Don't ever post your phone number:

Cybercriminals are getting more creative. We have seen more and more criminals call targeted employees and ask for information. For example, some call pretending to be from the help desk and say they need to reset a password. When in doubt, go with your gut. If something seems off or you don't know the person, ask for their contact information and look into it before acting. Ultimately, it's better to be safe than polite.

Spear-phishing isn't going anywhere. As long as people use social networks and email remains a key workplace communication channel, spear-phishing will be a weapon of choice for cybercrime. We will continue to see the bad guys evolve and spear phish through new mediums like Twitter and SMS. We must continue to work together as leaders in infosec to share creative and successful ways to protect our organizations.


Stories by Jason Clark
