Spear phishing and business email compromise (BEC) are two of the most common and damaging attacks of recent years. In 2018, American businesses lost $1.3 billion. Successful attacks and huge payouts give hackers an incentive to improve their phishing attacks and expand their campaigns.
Microsoft has reported that hackers carry out advanced, extremely targeted spear-phishing attacks. That is why it named them 'laser' phishing.
Usually, attackers send emails to company employees and impersonate the CEO or another senior executive. In this way they deceive the employees and entice them to open files that contain malware, or force them to send large sums of money to accounts controlled by the hackers.
Microsoft noted that the percentage of phishing emails doubled in one year: in September 2018 it was 0.31%, while in September 2019 it was 0.62%.
The key weapon that attackers use to launch phishing attacks successfully is open-source intelligence (OSINT).
Many spear-phishing campaigns are extremely clever and can fool even computer experts. Dianna Kelley, head of security for Microsoft products, cited the example of an employer desperately looking for IT employees:
"The hiring manager publishes the jobs on the company's social media and asks for people. A few days later he receives an e-mail from a candidate. The manager opens the attached CV and infects his computer with malware programs, without understanding it. He has just been deceived by a spear phisher."
Attackers usually target employees who work in corporate finance departments and are authorized to transfer large sums of money. They then choose the company executives they will impersonate, using information from their social media.
"People are willing to respond quickly when their bosses email them and ask for something - especially if they say it's urgent," Kelley explains.
For example, companies could train their employees to recognize phishing emails and offer tools that mimic real spear-phishing attacks, which create a sense of urgency or use language that evokes sympathy or fear. In this way, employees practice and become familiar with phishing emails, so that when they face a real spear-phishing attack they will be able to recognize it.
Furthermore, employees should be encouraged to discuss phishing emails with their co-workers and to report any incidents, so that they can be dealt with immediately and others can learn from the victim's experience.
Finally, one of the most important security measures is the use of two-factor authentication, which according to Microsoft blocks 99.9% of automated attacks.