Is Your Business Prepared for a Spear Phishing Attack?

Have you taken steps to prevent a spear phishing attack from crippling your business?

Are you prepared to respond if your business is hit by a spear phishing attack?

As businesses and their employees become savvier about phishing scams, hackers are increasingly turning their attention to spear phishing. Your company probably receives phishing attacks on a daily basis. These attacks are hackers’ attempts to illegally acquire sensitive information or data from your business and your employees. The most common type involves e-mails from unknown sources that contain links to websites that are infected with malware. Hackers try to bait you into clicking on these links so that the malware will contaminate your computer and your computer network.

Spear phishing is a more sophisticated version of phishing. The difference between the two is that spear phishing attacks appear to come from a trusted source, such as a boss or coworker, and the attacks try to coerce you into providing a payment or sensitive information, such as intellectual property or customers’ credit card details. Often, the attacks will mimic the language and style used by the trusted source. For example, if a boss sends you an e-mail telling you to pay a vendor, the spear phishing e-mail will copy the same instructions but direct the payment to the hacker.

Businesses are experiencing more of these attacks. Krebs on Security, a cyber security blog, reported recently on an Ohio manufacturing firm that had suffered a spear phishing attack. An employee received an e-mail, supposedly from her boss, who was traveling abroad at the time. The e-mail asked her to wire $315,000 to China to pay for raw materials. Apparently, the boss had requested such transfers before, so it initially did not seem out of the ordinary. The employee forwarded the e-mail to the finance department, which sent it on to the bank. Fortunately, after reviewing the e-mail further and picking up on the formal tone, the employee realized that it was a scam, and the bank stopped the wire transfer. This company got lucky; others haven’t been. The FBI estimates that approximately $215 million has been stolen by cyber thieves over the previous 14 months.

So, what should you do to prevent a spear phishing attack?

  • Put Protocols in Place: Your company should have specific protocols so an employee is not tricked into conveying sensitive information or transferring money to an unknown source. Employees should be able to verify any such requests, and there should be a multi-step verification process.
  • Protect Your Sensitive Information: If your company has information that it wants to keep secret, then don’t publicize it. Don’t have employees share titles, positions, customers, or client requests on social media. Hackers cannot use this information if they don’t have access to it.

What should you do if your company suffers a spear phishing attack?

  • Contact a cyber security consultant: You want to stop any bleeding as soon as possible. A cyber security consultant should help you identify what has been stolen and how to remove the malware from your computers and network.
  • Contact MacDonald Illig: You have specific legal obligations if you suffer a data breach. For example, state notification laws set forth steps that you need to take in response to a breach. You will also want to minimize your potential liability. We can help you with both aspects.

If you have specific questions about preventing and responding to a spear phishing attack or about cyber security in general, please contact our office at 814-870-7600 or complete this form on our website.