Spear phishing attacks are becoming increasingly common and more sophisticated. Because attacks can be cleverly tailored, traditional IT network defences alone are often not enough to detect and prevent them.
You can reduce the vulnerability of your organisation by working with employees to dispel the perception that, ‘if something gets through the firewall, it is probably genuine’. Your employees have an important role to play in protecting your organisation as a second line of defence, after technical measures.
Spear phishing is a targeted type of social engineering attack. An attacker gleans information about an individual which allows them to masquerade as a trusted source in an electronic communication. This may lead the individual to click on links, accept software updates or open attachments via email, social media messages or electronic popup messages. In doing so, the individual can unwittingly compromise sensitive information, provide access to organisational finances or facilitate technical attacks on company networks.
This joint NPSA and NCSC guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques.
It outlines a multi-layered approach that can improve your resilience against phishing, whilst minimising disruption to user productivity. The mitigations suggested are also useful against other types of cyber attack, and will help your organisation become more resilient overall.
This guidance is aimed at technology, operations or security staff responsible for designing and implementing defences within medium to large organisations. This includes staff responsible for phishing training.
The campaign is based on the principle that if you can increase awareness of the scam techniques that are often deployed, then employees will be less likely to fall for them. The campaign encourages the idea that employees have a role to play in keeping the organisation secure by not falling for, or being tricked by, spear phishing.
An important aim of this campaign is for employees to feel encouraged and supported in reporting suspected spear phishing attempts to their organisation – even if this is after they have clicked.
The campaign materials consist of the following:
For further information on the materials, to share feedback, or for editable versions (as Indesign files) please email [email protected].
You may find NPSA’s 5Es framework useful for planning and maximising the impact of your in-house behaviour change campaigns.
Spear phishing: Don’t take the bait
Most of us have probably been sent a phishing email before… [teeth crunching sounds]
Does this ring any bells? [sound of bell ringing]
randomemail @gmail.com
RE: You’ve Won!!!
Sir/Madam, [sound of keyboard typing]
Congratulations, you have won the lottery!
To claim your prize, please click on the link below and provide your details.
Click this link here
Many thanks,
Bla Bla Bla
[1] Phishing is when an attacker looks to exploit a user in order to bypass security measures.
[2] It’s pretty easy to spot, right?
[3] Spear phishing, however, is more sophisticated…
The phisher has done their homework.
The attack is targeted at YOU.
And it’s getting increasingly hard to spot.
[1] They may know the types of email you expect to receive…and when [sound of ticking clock]
[2] They may have researched you online to discover details about you [sinister laugh sounds]
[3] They can tailor messages to your interests
(mouse clicks on Compose email)
[email protected] mycompany.com
[email protected] almostmycompany.com
RE: Urgent! Update your HR profile
Dear Dave [sound of keyboard typing]
We’ve identified that your HR profile needs updating, please update this immediately to avoid any problems with your next month’s wage.
Click here to update:
www. very-strange-link.almostmycompany.com
The consequences of a spear phishing attack can be serious…
Financial impact, cyber attack, lost information
But it can be difficult…We live very busy lives.
When we’re in work mode, we often click things without even thinking…
[1] How do you know when you’re being baited?
[2] Do you know the signs?
URGENCY!
Spear phishers use tight deadlines to distract you from the rest of the message… [sound of ticking clock]
Please respond ASAP or you will lose access to your IT support account.
www. itsupport.almostmycompany.com
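The lookalike sender domain in the HR email above and the urgency cue in this one are both signs a mail gateway or a triage script can flag before a user has to judge them. The following Python is an added example and not part of the campaign materials; the organisation domain mycompany.com is taken from the transcript, while the sample messages, sender addresses and phrase list are constructed for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "mycompany.com"   # the organisation's own domain, as in the transcript
# Pressure phrases a triage rule can look for; constructed list, not an exhaustive one.
URGENCY_PHRASES = ("urgent", "asap", "immediately", "lose access")
SUSPECT_MESSAGE = {  # constructed sample modelled on the transcript; addresses are placeholders
    "from_header": "HR Team <hr@almostmycompany.com>",
    "subject": "RE: Urgent! Update your HR profile",
    "body": ("Dear Dave\nWe've identified that your HR profile needs updating, "
             "please update this immediately to avoid any problems with your "
             "next month's wage.\nClick here to update:\n"
             "www. very-strange-link.almostmycompany.com"),
}
GENUINE_MESSAGE = {  # constructed sample of a message that should pass
    "from_header": "HR Team <hr@mycompany.com>",
    "subject": "Monthly payslip",
    "body": "Your payslip is on the HR portal: https://hr.mycompany.com/payslips",
}

def sender_domain(from_header):
    """Lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True when a host embeds the trusted name but is neither the trusted domain nor a subdomain of it."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    return trusted.split(".")[0] in domain

def urgency_cues(subject, body):
    text = (subject + "\n" + body).lower()
    return [p for p in URGENCY_PHRASES if p in text]

def triage(from_header, subject, body):
    """Return the list of spear-phishing indicators found; an empty list means none."""
    findings = []
    domain = sender_domain(from_header)
    if is_lookalike(domain):
        findings.append("lookalike sender domain: " + domain)
    # Link hosts in the body; the transcript shows 'www. ...' with a space, so allow whitespace
    for host in re.findall(r"(?:https?://|www\.)\s*([A-Za-z0-9.-]+)", body):
        if is_lookalike(host.lower()):
            findings.append("lookalike link host: " + host)
    cues = urgency_cues(subject, body)
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings
```

Running `triage(**SUSPECT_MESSAGE)` reports the almostmycompany.com sender, the lookalike link host and the urgency phrases, while `triage(**GENUINE_MESSAGE)` returns an empty list.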
AUTHORITY!
Spear phishers might pressure you to respond by: [pointing at a logo on an email]
Pretending to be a senior executive
[pointing at the ‘from’ address, which is [email protected] almostmycompany.com] [sound of keyboard typing]
Pretending to be a trusted colleague
[pointing at [email protected] almostmycompany.com]
Pretending to be a trusted company
[image of blablabla logo]
MIMICRY!
Spear phishers might exploit your daily habits by sending the kind of email you would expect at a particular time.
End of month Invoices!
Supplier meeting!
Please review!
CURIOSITY!
“Welcome our newest recruit!”
“Breaking news from HR”
“Look at this cute cat!” [sound of cat miaowing]
“But what can I do?”
[1] Think before every click
[2] Verify the communication is genuine without replying
[3] Check with a colleague, seek advice
[4] Don’t panic if you do click and then become suspicious
We know it can be tough to spot [spooky noise]
Just make sure you ALWAYS…
Report it to IT.
Don’t take the bait.
NPSA [logo]