Most corporate network administrators are aware of the risks posed by mass phishing emails and take adequate steps to minimise them, but spear phishing, and in particular Business Email Compromise (BEC), the variant in which a trusted colleague is impersonated to trigger a payment, is a different matter altogether and needs to be addressed as such.
The main difference between standard and spear phishing is volume. Many spam filters identify suspicious emails by the sheer number of similar messages being sent, but in the case of spear phishing, where a single, customised email may be sent to an individual target, that method of detection is easily bypassed.
There are two main techniques employed by spear phishing perpetrators: the use of specially registered lookalike email addresses (a domain or local part a character or two away from the real one, or a familiar display name attached to an unrelated address) and the spoofing of real addresses (forging the From header so that it carries the genuine address, which is the case that SPF, DKIM and DMARC exist to detect). In both cases, recipients are easily fooled into believing that the messages they receive are genuine and come from somebody they would normally obey without question. Typically, the supposed sender is in a position of authority, such as the director of finance or the CEO, and the emails are sent just before the start of a national holiday, making it harder for recipients to verify the authenticity of the messages they receive.
While checking with the sender may be a simple matter if they happen to be in the office when the messages are opened, this is not the case if the sender is on vacation. Faced with the choice of ignoring a direct order because the person who gave it cannot be contacted, many employees simply take it for granted that the emails are genuine and follow their instructions to the letter. In the majority of cases, the instructions take the form of a payment request, either for bills submitted by fictitious contractors or for wages owed to employees who do not exist. The recipient is instructed to make an immediate payment into a local or overseas bank account, and you can guess what happens when they do: the money disappears without trace.
More sophisticated anti-spam software can be set up to look for new sender addresses that are very similar to existing ones and flag them when found, making the task of spotting and neutralising a spear phishing attack somewhat easier to manage. However, businesses that only have basic protection, or even worse none at all, will have to rely on the ability of their employees to think for themselves and to question orders that appear in the least bit suspicious.
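The following is an added example of the kind of lookalike-sender check described above; it is not code from the original article or from any particular anti-spam product. It assumes a company domain of example.com, a small constructed directory of senders whose instructions staff would normally follow, and a threshold of two edits for "very similar"; all of these are illustrative choices. It covers the lookalike case only. A forged header carrying the genuine address looks identical to the real thing at this layer and has to be caught by SPF, DKIM and DMARC instead.

```python
"""Flag From: addresses that resemble, but are not, known internal senders."""
import re
from email.utils import parseaddr

# Assumed company domain and a constructed directory of senders whose
# instructions would normally be followed (names and addresses are invented).
COMPANY_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "j.smith@example.com": "Jane Smith",    # CEO
    "d.jones@example.com": "David Jones",   # Director of Finance
}

# Character sequences that look alike in common fonts. Both sides of every
# comparison are folded so that "exarnple" and "examp1e" collapse to "example".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MAX_DOMAIN_DISTANCE = 2   # edit distance at or below which a domain counts as "very similar"


def normalise(text):
    """Lower-case, fold homoglyph pairs and drop separators so trivial variants compare equal."""
    text = text.lower()
    for lookalike, canonical in HOMOGLYPHS:
        text = text.replace(lookalike, canonical)
    return re.sub(r"[.\-_ ]", "", text)


def edit_distance(a, b):
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def analyse_sender(from_header):
    """Return a list of (code, detail) findings for a raw From: header value.

    An empty list means the address is either an exact known sender or bears
    no resemblance to one. Exact known addresses are deliberately not flagged:
    a forged header carrying the genuine address is a spoofing case that this
    lookalike check cannot see and that DMARC enforcement is meant to catch.
    """
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return [("unparseable", f"no usable address in {from_header!r}")]
    local, domain = addr.rsplit("@", 1)
    if addr in KNOWN_SENDERS:
        return []

    findings = []
    norm_domain, norm_company = normalise(domain), normalise(COMPANY_DOMAIN)
    company_label = normalise(COMPANY_DOMAIN.split(".")[0])
    if domain != COMPANY_DOMAIN:
        if norm_domain == norm_company:
            findings.append(("homoglyph_domain", f"{domain} reads as {COMPANY_DOMAIN}"))
        elif edit_distance(norm_domain, norm_company) <= MAX_DOMAIN_DISTANCE:
            findings.append(("near_domain",
                             f"{domain} is within {MAX_DOMAIN_DISTANCE} edits of {COMPANY_DOMAIN}"))
        elif company_label in norm_domain:
            findings.append(("embedded_company_name", f"{domain} embeds '{company_label}'"))

    # A known person's display name or local part on an address that is not theirs.
    for known_addr, known_name in KNOWN_SENDERS.items():
        known_local = known_addr.split("@")[0]
        if display_name and normalise(display_name) == normalise(known_name):
            findings.append(("display_name_reuse",
                             f"'{display_name}' is {known_addr}, message is from {addr}"))
        if normalise(local) == normalise(known_local) and domain != COMPANY_DOMAIN:
            findings.append(("local_part_reuse", f"{local}@ matches {known_addr} at another domain"))
    return findings


# Constructed sample From: headers, not taken from any real mailbox.
SAMPLE_HEADERS = [
    "Jane Smith <j.smith@example.com>",                  # genuine
    "Jane Smith <j.smith@examp1e.com>",                  # digit 1 standing in for l
    "Jane Smith <janesmith.ceo@gmail.com>",              # borrowed display name only
    "Accounts Payable <billing@example-invoices.com>",   # company name embedded in a new domain
    "David Jones <d.jones@example.co>",                  # final letter dropped
    "Supplier <invoices@acme-supplies.net>",             # unrelated external sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        findings = analyse_sender(header)
        print("FLAG " if findings else "ok   ", header)
        for code, detail in findings:
            print("       ", code, "-", detail)
```

Run as a script it prints a verdict per sample header. In a real deployment the directory of known senders would be fed from the mail system's own address book, and anything flagged as `homoglyph_domain` or `near_domain` is worth quarantining rather than merely tagging, because those domains are registered for exactly one purpose.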
Using a high quality spam filter is definitely the easiest approach, but if your company does not wish to do this for some reason, it is a good idea to encourage workers to question everything they are told, to confirm unexpected payment instructions through a channel other than the email itself (a phone number they already know, not one quoted in the message), and to reassure them that they will not be punished for doing so. As phishing attacks become more sophisticated, the human and software defences we use against them must become equally sophisticated if they are to remain effective in the long run.