According to a report released by Symantec early this year, 75% of businesses were cyber-attacked in 2009. Although the report covered general trends (see some statistics below), an article from the San Francisco Chronicle shed some light on how this might be happening; the answer is spear-phishing.
While the term “phishing” is probably a familiar one, spear-phishing may be new to most readers. As the name suggests, “spear-phishing” describes a more specialized form of phishing (an attempt by a hacker to obtain confidential information about a user through fraudulent means). Spear-phishing targets a specific employee in order to gain access to a company’s information. As 2010 continues to question and define our notions of internet security, this is surely a technique about which we will increasingly hear.
With a multiplicity of social networks available to fill every niche, it’s conceivable that a cybercriminal (or anyone with a computer, really) could compose an entire snapshot of someone’s life: friends from Facebook, colleagues from LinkedIn, whereabouts from FourSquare, etc. From there, it’s not a huge leap to personalizing a phishing scheme. Spear-phishing involves a lot more research than simply spamming hundreds of thousands of people, but for the attacker the extra effort pays off, as the tactic is far more effective. Targeted attacks yield results between 25% and 60% of the time, compared to less than 1% from traditional spam. Even worse, that one victim can put an entire corporation, university, or small business at risk.
Fortunately, spear-phishing attacks are scarce by the very nature of the scam—if they were commonplace, they wouldn’t be nearly as effective. The preventative measures remain the same as when dealing with any scam (keep your antivirus software up-to-date, double-check URLs before clicking, beware of unexpected or suspicious attachments), but stay extra cautious—remember, it’s not just your own internet security at risk.
Select statistics from the January 2010 survey of 2,100 CIOs and IT managers from 27 countries (reported in the London Times):
• Last year, 75% of businesses worldwide were exposed to a cyberattack
• 42% of businesses consider cybercrime their greatest threat
• A cyberattack costs a company $2 million