Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

Identifying and Preventing Spear Phishing Attacks

Spear phishing

about the author

Share this post

Spear phishing is a serious threat to organisations worldwide, but this highly targeted phishing can be hard to prevent.

A report from security firm Ivanti highlights the success rate of spear phishing: almost three quarters (73%) of organisations told Ivanti that IT staff are targeted by spear phishing, and nearly half of the attempts (47%) are successful.

What Is Spear Phishing?

Spear phishing is a highly targeted form of phishing. A phishing campaign typically sends out a mass email to many people, but spear phishing campaigns focus on one or a few individuals; these individuals usually work for or are associated with a specific organisation.

Spear phishing often arrives in email but could also be phone phishing (Vishing) or mobile message phishing (SMShing).

Spear phishing uses advanced social engineering tactics to craft an effective spear phishing campaign based on gathered intelligence about a target. The information required to perfect a spear phishing email is collected using any means, including social media posts, company websites, hacked online accounts, etc.

Cybercriminals have even been known to strike up a relationship with their target via email or phone, gaining the employee’s trust and encouraging them to share personal or company details. Once the cybercriminal has enough information on a target, they create a personalised email that looks legitimate.

The goal of a spear phishing attempt is typically to steal login credentials. These credentials can then be used to gain access to a corporate network. The result of an employee’s social engineering is a malware infection, including ransomware, data theft, Business Email Compromise (BEC), and other forms of cyber attack.

While using multi-factor authentication (MFA) can help reduce the risk of an attack, it is no guarantee: a recent phishing campaign targeting Office 365 users was able to circumvent any MFA used by employees.

How Cybercriminals Use Spear Phishing Attacks

Cybercriminals use spear phishing to focus an attack on a specific company. These campaigns may target directly (an employee) or indirectly, i.e., focus on a supply chain vendor to attack an organisation higher up the supply chain.

Often, spear phishing attacks are part of a cycle of attacks where data, including passwords, are stolen; this leads to malware infection, further credential theft and stolen data. The process begins with an email, Vishing or SMShing. Spear phishing often involves high-level strategic planning, which may require several choreographed steps to achieve the hacker’s goal.

Examples of Spear Phishing Attacks

Spear Vishing: a spear phishing attack on Twitter in 2020 made the headlines when hackers managed to send tweets from several high-profile accounts, including Joe Biden, Barack Obama, Bill Gates, and Elon Musk. The Twitter attack centred around a phishing phone call (Vishing) to targeted employees until one of them gave the attackers the login credentials to in-house tools. These credentials were then used to escalate privileges to a higher level.

Spear phishing email: a spear phishing email impersonated the US Department of Labor (DoL) to target multiple organisations. The goal of the spoof email was to steal Office 365 login credentials. The email was based on cleverly disguised domains to make the email look like it was legitimately from the DoL.

In addition, the email pretended to be from a senior DoL employee inviting the recipient organisation to submit a bid for a government project. Clicking the “bid button” took the employee to a phishing site where Office 365 login credentials were then stolen.

How to Spot a Spear Phishing Email

These emails are notoriously difficult to spot simply because so much work has gone into their creation. However, there are some points to check that can help employees identify tell-tale signs.

  1. Often, spear phishing emails leverage positions of authority, e.g., IT support, to force an action by an employee, e.g., to enter a password into a spoof web page. Check the sender’s email address. It may look like the real one, but with some subtle differences.
  2. Does the email format match what you are used to? For example, if the email is supposedly from IT support, does the way it is written and formatted reflect previous emails from IT support?
  3. Does the email require the entry of too much data or information that seems unnecessary? For example, are you being asked to log in to a company cloud app after clicking a link in an email for no compelling reason – does it just seem suspicious?

Another low-tech thing that you can do to help prevent a spear phishing incident is to double-check with the supposed sender of the email: give them a call to check that the email really is from them.

Protecting Yourself from an Attack

Layers of protection are the best way to deal with the threat of spear phishing. Here are the top six ways to protect yourself and your company from an attack:

Don’t Overshare on Social Media

Cybercriminals gather the intelligence needed to create believable emails from many sources, including social media. So put a policy in place that explains the dangers of oversharing data on social media.

Don’t Click on Suspicious Links within Phishing Emails

This should become the mantra of all workplaces. Even if an employee does not follow through by entering credentials after clicking a malicious link, the hacker will likely have an audit of who has clicked and will continue to send out ever more sophisticated phishing emails to that organisation.

Use Robust Authentication

While it is not failproof, having robust authentication does help in a layered approach to phishing. Create strong, unique passwords and add in MFA where supported.

Never Share Sensitive Information Online

It goes without saying that sharing sensitive personal or corporate information should not be done publicly and online as it will be gathered and used to phish employees or associated supply chain vendors.

Be Cautious and Vigilant

Train all members of staff and associates on the tactics used by cybercriminals. Ensure that this training is performed regularly and use a simulated phishing platform to send out simulated phishing messages to employees most at risk.

Encourage Employees to Report Incidents

Once you have trained staff in ways to spot the tell-tale signs of phishing, encourage employees to report incidents. This helps to build cyber-resilience, maintain regulatory compliance, and offers the information needed to act quickly before an incident becomes a full-blown cyber attack.

Risk of ransomware

Other Articles on Cyber Security Awareness Training You Might Find Interesting