- Deploy an email gateway or cloud-based blocking service.
- Create network topologies to block phishing emails and malicious URLs.
- Create a social media policy and regularly check what information is being shared on the internet about your organisation.
- Minimise emails sent to customers that contain links.
- Provide phishing awareness training to staff.
- Create mechanisms for staff to report suspicious emails.
- Complete a risk assessment to determine why you may be the target of a phishing campaign.
- Put mitigations in place to minimise the impact of a successful phishing campaign against your organisation.
Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. The messages often contain a link to a bogus website where victims are coaxed to enter personal details. Phishing emails appear to be from a known and trusted source and can be extremely convincing, but the links and attached files are designed to bypass security and access a network.
Spear phishing is a dangerous class of phishing, where criminals use social engineering to target specific companies and individuals using very realistic bait or messages, often resembling correspondence they would usually respond to.
People with a large amount of personal or corporate information online are easy targets. Adversaries use carefully tailored attempts to appeal to a target by using their personal and professional circumstances and social networks. In this way, targets of spear phishing emails are duped into opening malicious attachments and links.
Adversaries also make use of publicly available industry information such as annual reports, shareholder updates and media releases to craft spear phishing emails, and use sophisticated malware to evade detection.