And this can be a very big problem for individuals and companies targeted by spear phishers. It's pretty easy to avoid an email that says, "Dear Bank Costommer, please provide banc account numbder, social scurity and mother maiden name." It's much tougher to figure out that the email from Jane in the New York office--an email that looks just like every other email from Jane and has the same style and structure--isn't actually from Jane.
So what can be done to protect users and businesses against spear phishing? Unfortunately, the answers aren't simple.
Right now, the biggest defense is the fact that the attacks are targeted and require more effort and resources from the bad guys. Because of those requirements, the odds of any one company being targeted are much lower than with traditional shotgun-style, easily detected phishing attacks.
Another solution is improved access control and security mechanisms for company systems, both internal and software as a service (SaaS) systems. Use of a two-factor solution, whether it's a phone call or a biometric solution, can at least prevent users from logging into a system that looks like a legitimate company system but isn't.
User education will also help. While these spear phishing attacks are much more sophisticated than the typical message from a Nigerian prince, there may still be tell-tale signs that all is not well. These can range from slight mistakes in the text, to content on a spoofed site that is sized slightly differently, to a site that takes much longer than normal to load.
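As an added example (not code from the original article), here is a small Python checker that turns the "tell-tale signs" idea into something a mail gateway or a user-facing warning banner could apply to message headers: it flags a sender domain that is a lookalike of the company's own domain, a known display name paired with an address that is not the one on file, and a Reply-To that points somewhere other than the sender's domain. The trusted contact directory, the confusable-character table and the sample headers are all constructed for this example.

```python
import re
import unicodedata

# Constructed trusted directory for the example: lowercase display name -> expected address.
TRUSTED_CONTACTS = {"jane doe": "jane.doe@example.com"}
# Constructed set of domains the company actually sends from.
TRUSTED_DOMAINS = {"example.com"}

# Characters and pairs commonly swapped for visually similar ones in lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Matches 'Jane Doe <jane@example.com>', '"Jane Doe" <jane@example.com>' or a bare address.
FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s@]+@[^<>\s@]+)>?\s*$')

# Constructed sample headers as a mail client would display them.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>"},
    {"from": "Jane Doe <jane.doe@examp1e.com>", "reply-to": "accounts@mailbox.example.org"},
    {"from": "Jane Doe <jane.doe@exarnple.com>"},
    {"from": "IT Helpdesk <helpdesk@totally-unrelated.net>"},
]


def parse_address(header):
    """Split a From/Reply-To header into (lowercase display name, lowercase address)."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip().lower()
    name = (m.group(1) or "").strip().lower()
    return name, m.group(2).strip().lower()


def normalize_domain(domain):
    """Fold a domain to a comparison form: NFKC, lowercase, common confusables replaced."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(headers):
    """Return the tell-tale signs found in a message's From and Reply-To headers."""
    findings = []
    name, addr = parse_address(headers.get("from", ""))
    domain = addr.rsplit("@", 1)[-1]

    # Sign 1: sender domain is not ours but is within two edits of it after folding.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(normalize_domain(domain), normalize_domain(trusted)) <= 2:
                findings.append(f"lookalike domain: {domain} resembles {trusted}")

    # Sign 2: the display name is a colleague we know, but the address is not theirs.
    expected = TRUSTED_CONTACTS.get(name)
    if expected and expected != addr:
        findings.append(f"known name '{name}' but unexpected address {addr}")

    # Sign 3: replies would go to a different domain than the message claims to come from.
    reply_to = headers.get("reply-to")
    if reply_to:
        _, reply_addr = parse_address(reply_to)
        reply_domain = reply_addr.rsplit("@", 1)[-1]
        if reply_domain != domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender domain {domain}")

    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess_sender(msg) or ["no signs found"])
```

The fourth sample shows the limit of this kind of check: a message from an unrelated domain with an unknown name produces no findings, and neither would a spear phish sent from a genuinely compromised colleague's account. Header heuristics catch the slight mistakes the article describes; they do not replace the stronger authentication controls discussed above.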
If you are in a business that could be a target of bad guys, cultivating your suspicious nature can't hurt when it comes to dealing with spear phishing.