the aspectra blog IT know-how & more, since 2012

Spearphishing in focus: protective measures for companies and employees

Image: Diver lying in wait underwater with a speargun in hand | © www.sportsmanboatsmfg.com/blog

Spearphishing attacks are sophisticated and targeted - they can affect anyone, even the most cautious among us. Let's take a look at how they work and what we at aspectra do to protect ourselves and our customers.

What is spearphishing?

Spearphishing is a specific form of phishing that targets certain individuals or organisations. Spearphishing is distinguished by the following characteristics and methods:

  • Targeted attacks
  • Personalised messages
  • Senders who appear to be trustworthy
  • Goal: to steal sensitive information or install malware
  • Complex preparation

Spearphishing therefore requires more effort and preparation than conventional phishing. But it is worth the effort for the attacker because the emails are more credible and more relevant to the victim. Telephone calls are also a popular way of trying to obtain confidential and sensitive information. Such a call can also serve as preparation for a more targeted attack at a later date.

Why and how do we protect ourselves?

Protection is not only in the interests of the company, but also in the interests of our customers and the privacy of each individual member of the organisation. We are aware of this threat and therefore feel it is our responsibility to protect ourselves as best we can against spearphishing.

Unfortunately, there is no such thing as 100% protection. We regularly raise awareness of the issue by posting examples of phishing attempts that we have identified on an internal chat channel. We also regularly attend training sessions to raise awareness, and sometimes set a (harmless) trap for our colleagues to learn from. We flag suspicious emails so that our email filter can continue to learn. In addition, telephone numbers that have been identified as phishing attempts are blocked centrally. To make it more difficult to obtain personal information, not all employees are listed on our website anymore. Ultimately, the best protection is probably a healthy dose of mistrust.

However, these measures are not always easy to implement. They do not always meet with the approval of all those involved, or they require a certain amount of effort - but the effort involved in implementing these measures should not be shied away from. After all, the damage caused by a successful attack is likely to be many times greater.

The balancing act

Can you go too far with protection? It is indeed a balancing act for companies to position themselves as an attractive employer and at the same time protect themselves from potential attacks such as spearphishing, because:

  • Transparency vs. security: To present themselves as an attractive employer, companies need to be transparent and share information about their employees and the working environment. However, this transparency can provide attackers with valuable information to use in targeted attacks.
  • Accessibility vs. attack surface: A highly visible online presence that appeals to potential employees and customers increases accessibility. At the same time, it provides cybercriminals with more opportunities to gather information and launch attacks.
  • Building trust vs. mistrust: A positive employer image requires building trust, which is often achieved through open communication and interaction. However, this openness can be exploited to make phishing messages more credible.
  • Interaction vs. isolation: Employer branding thrives on active interaction with the public, whether through social media, events or other channels. These interactions provide many entry points for attackers to gather information and prepare phishing attacks.
  • Recruiting vs. protective measures: To attract talent, organisations need to share details about their culture, employees and projects. However, this information can be the basis for personalised phishing attacks if it falls into the wrong hands.

Organisations need to carefully consider how much and what kind of information they share to remain attractive without compromising security. A targeted communications strategy and strong internal security measures are critical to maintaining this balance.
