'Spear Phishing' Pokes at Enterprise Users

By Michael Hall | Oct 27, 2005 | Print this Page
http://www.enterprisenetworkingplanet.com/news/article.php/3559781/Spear-Phishing-Pokes-at-Enterprise-Users.htm

An e-mail security company says the incidence of very specific phishing attacks (define), so-called "spear phishing," is on the rise.

According to Greenview Data, spear phishing attacks tend to focus on a single user or department within an organization, addressed from someone within the company in a position of trust and requesting information such as login IDs and passwords. More traditional phishing attacks lack this specificity, targeting instead thousands or millions of users.

The company says spear phishing is as time-intensive as it is specific, requiring phishers to spend time studying the target company and its personnel to better pick their target. Typically, the company reports, such information is gathered through public databases, articles on corporate Web sites, so-called "social engineering" in the form of phone calls, and straightforward system cracking.

According to Greenview, once the spear phisher has managed to compromise a user, she installs software designed to gather confidential corporate data it sells to third parties or uses for identity theft or extortion.

"Some organizations," the company said, "are even going so far as to launch faux spear phishing attacks on their employees in order to evaluate reactions; offending employees are then coached in handling live spear phishing attacks."

"With spear phishing attacks growing in number, employees receiving seemingly legitimate email requesting sensitive data should validate the request with the sender," said Ted Green, CEO of SpamStopsHere, a division of Greenview Data. "More often than not, a potential corporate tragedy can be avoided by simply picking up the phone. Employee education is the most effective weapon in thwarting spear phishing attacks."