Casting a net for spear phishers
- By Trudy Walsh
- Jul 22, 2008
Spear phishing is a targeted form of cyber crime whereby e-mail messages appear to come from a highly trusted source, such as someone in a position of authority in the recipient's own organization. Spear phishers use these messages to gain unauthorized access to corporate systems and confidential data.
"Spear phishing is a considerable danger as it is typically a non-random attack seeking specific confidential information," said Kenneth Tyminksi, former chief information security officer for Prudential Insurance. PhishMe software attempts to reduce these attacks through employee education, he said.
PhishMe software stages mock phishing exercises, collects metrics on user behavior and offers end-user training on recognizing and handling spear phishing attacks, company representatives said. It lets organizations create a human firewall against spear phishing attacks through user awareness training, Intrepidus said.
Mass phishing campaigns are often caught by anti-spam or phishing filters, Intrepidus said. But spear phishing attacks, which are low volume and resemble legitimate e-mail messages, often go undetected.
Education is perhaps the chief weapon against spear phishing. As an experiment, New York's chief information security officer, William Pelgrin, sent mock phishing e-mail messages to about 10,000 New York state employees. The messages looked like official notices, asking the recipients to click on Web links and provide passwords and other personal information.
With the first run of the e-mail, 75 percent of the employees opened the e-mail, 17 percent followed the link and 15 percent entered data. Pelgrin let the employees know that it was a mock spear phishing e-mail. Then he followed up by sending out another fake e-mail. This time only 8 percent even opened it.
Trudy Walsh is a senior writer for GCN.