Spear-Phishing Test Nets a Catch
Robin Witty - Senior Product Marketing Manager
In spear-phishing, cybercriminals masquerade as a trusted sender in an email to obtain sensitive data from a specific organization for fraudulent purposes. Email hygiene security products (a must-have!) catch the vast majority of email threats, including spear-phishing attempts.
Kelly Jackson Higgins of DarkReading succinctly lays out one case where email security wasn’t triggered. Here’s a short excerpt:
“Joshua Perrymon, CEO of PacketFocus, sent a spoofed LinkedIn email to users in different organizations who had agreed to participate in his test. He was able to get his spoofed message through 100 percent of the time and across a wide variety of major email products and services, including smartphone email tools.
... "I tested [this on] six different enterprise networks using the latest email security technology from most of the major vendors, and not a single one picked up on the spoofed email," Perrymon says.”
“... The problem is that most anti-phishing technology is built to catch large-scale phishing attacks, but not the insidious and dangerous small, targeted ones.”
Having encryption software with authentication capability on the recipient’s computer or smartphone would help to ensure that companies don’t get caught in a similar spear-phishing net. Data remains protected and email is authenticated. For example, here’s what an encrypted email using PGP® software would look like on a BlackBerry® or Windows® Mobile smartphone.
With the average cost of a data breach in the US at $6.6M per breach (per Ponemon Institute), preventative measures simply make good sense.