11 tips to stop spear-phishing
From rewarding employees for savvy security smarts, to showing them how breaches are relevant to their everyday duties, Jason Clark, Chief Security and Strategy Officer with Websense, shares tips for handling spear-phishing threats
By Jason Clark, Websense
December 07, 2012 — CSO —
Most of us have clicked on an email that seemed legitimate, but wasn't. Let me give you an example. I previously sought to educate employees about email security by sending a sample of 140 employees a fake phishing email. The results were jaw-dropping.
Seventy-two percent opened the email. Of those, 85 percent clicked on the "malicious" link. Most concerning to me was that 65 percent gave their username and password — and that number would likely have been higher if word didn't get around about the fake email. Each employee who clicked on the malicious link received information about the dangers of malicious emails and how to identify them in the future.
I've spoken with hundreds of CIOs and CISOs worldwide, and many of them have impressive email security programs. I've also heard how many of these top organizations are becoming very effective at protecting themselves from the risk of spear-phishing. Below are the top 11 tips I've heard for best technology practices, employee education and social media smarts.
3 ways to stop 95-99 percent of spear-phishing attempts:
1. Inbound email sandboxing:
Deploy a solution that checks the safety of an emailed link at the moment a user clicks on it. This protects against a new phishing tactic that I've seen from cybercriminals: they send a brand-new URL in an email to their targets, one that nothing has flagged yet, so it gets through the organization's email security. A second tactic is to inject malicious code into the linked website only after the email carrying the URL has been delivered. In both cases the URL looks clean at delivery time and will get past any standard spam solution, which judges a link only once, when the message arrives.
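As an added illustration of the click-time check in tip 1 (example code written for this page, not Websense's product or anything from the article): links are rewritten at delivery into signed links to a hypothetical gateway, and the verdict is computed only when the user clicks, so a site that turns malicious after delivery is still blocked. The gateway host, signing key, sample email body and reputation data are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical click-check gateway and signing key (constructed for this example).
GATEWAY = "https://clickcheck.example.internal/redirect"
SECRET = b"constructed-demo-key-rotate-in-production"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: a fresh domain that no reputation feed knows yet.
SAMPLE_BODY = "Please review: http://newly-registered.example/invoice.html today."


def sign(url: str) -> str:
    """HMAC over the original URL so the gateway only follows links it issued."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery time: swap every URL for a signed gateway link. No verdict is
    made here; the decision is deferred until the user actually clicks."""
    def repl(match):
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&sig={sign(url)}"
    return URL_RE.sub(repl, body)


def check_at_click(link: str, reputation: dict) -> str:
    """Click time: re-evaluate the destination against the *current* verdict.
    `reputation` stands in for a live feed or sandbox result (hostname -> verdict)."""
    params = parse_qs(urlparse(link).query)
    url, sig = params.get("u", [""])[0], params.get("sig", [""])[0]
    if not url or not hmac.compare_digest(sig.encode(), sign(url).encode()):
        return "block"  # forged or tampered link: refuse to act as an open redirect
    host = urlparse(url).hostname or ""
    return "block" if reputation.get(host) == "malicious" else "allow"


def demo() -> tuple:
    link = rewrite_links(SAMPLE_BODY).split()[2]
    # At delivery nothing is known about the domain, so the click would be allowed...
    before = check_at_click(link, {})
    # ...but if the site turns malicious after delivery, the same click is blocked.
    after = check_at_click(link, {"newly-registered.example": "malicious"})
    return before, after


if __name__ == "__main__":
    print(demo())  # ('allow', 'block')
```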
2. Real-time analysis and inspection of your web traffic:
First, stop malicious URLs at your gateway, before they ever reach your users' corporate inboxes. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection never sees the traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time, and be 98 percent effective at stopping malware.
3. Employee behavior:
The human element is incredibly important. Many CSOs that I've spoken with are adopting employee testing programs with Phishme.com (Editor's note: Clark is on the executive board of PhishMe Inc.), and do this training on an ongoing basis. The result isn't really employee education or security awareness — it's behavior modification. See my five employee behavior tips below.