Data Breach Risks from Spear Phishing

This post was written prior to our January 2017 merger, under our previous firm name, MacPherson Leslie & Tyerman LLP.

Avoiding data breaches is one of the most critical security issues for business, government, and not-for-profit organizations, and one of the most common threats is spear phishing. Entities that tend to be the focus of these attacks include the health care and pharmaceutical sectors, parties involved in mergers and acquisitions (including the firms that provide M&A services, such as law firms, accounting firms, and consulting firms), and businesses that provide services to large entities.

Phishing involves malicious actors posing as trustworthy sources in order to get users to voluntarily provide sensitive information (e.g. login credentials) or to download malware that extracts sensitive information. The less sophisticated phishing techniques tend to be bulk emails (often with spoofed sender addresses) that include a link to a web page that looks familiar (e.g. a social media login page). Users are invited to log in with their user name and password, which are then captured by the malicious actor, or to download malware (your spam folder likely contains several messages of this type).

Organizations with sensitive data are often targeted by a more sophisticated phishing technique called spear phishing. Spear phishing is distinct from phishing in its targeted and customized nature and usually involves research by the attacker. For example, a spear phishing email may appear to come from within an organization, perhaps from its IT department. Spear phishing, according to Verizon’s 2014 Data Breach Investigations Report, is one of the most commonly used tactics in cyber-espionage.

Spear phishing attacks are reportedly targeting large, publicly-traded entities and their service providers. For example, the recent data breach involving Target Corp., which resulted in data from approximately 40 million credit cards being exposed, started with a malware-based phishing attack on an HVAC firm that provided services to Target. Another example was reported by security company FireEye, which explained that a group of hackers has been using spear phishing and other tactics to gain access to the email accounts of individuals who have access to sensitive information at publicly-traded companies and their professional services firms. The report concluded that the goal of these hackers was to obtain information relevant to the stock prices of the target organizations.

How to Defend Against Spear Phishing

Awareness is the first step and, if your organization is in a vulnerable sector or about to engage in an M&A transaction, now is the right time to review your policies and processes. There are technical measures available to help defend against spear phishing, including network segmentation, spam filtering, regular patching, and monitoring the destination of outgoing data. However, in addition to technical measures, one of the most effective defences can be an informed user. It is important to have policies, procedures, and training in place so that individuals in your organization who have access to confidential or private information are not easy targets for phishing scams.