How to Get Ahead of Spear Phishing

Dave Piscitello, Internet Security Skeptic | 4/8/2011 | 10 comments

Dave Piscitello
Recent breaches of personal data and email addresses managed by email providers such as Silverpop and Epsilon have renewed fears that spear phishing is becoming more common and more successful.

Spear phishing is not a new threat. The opportunities have been greatly amplified by the volumes of personal and corporate information individuals send; the outsourcing of email service to parties whose security competencies have been seriously undermined; and our continued willingness to blithely hand over whatever personal information is asked of us without exercising individual or corporate due care in determining how that information is protected.

Now, while we may forgive individuals for taking “we take measures to protect your data” at face value, we cannot excuse businesses, especially financials and globals, for being security-challenged.

The few resources that discuss spear phishing mitigation or prevention mostly remix basic phishing best-practices. At e-How and on my personal blog you’ll find recommendations such as these:

  • Don’t include too much personal information in your blog or social networking profile.
  • Use email whitelists.
  • Use antivirus and antispyware software and install all patches and updates issued for that software.
  • Don’t respond to mysterious messages that ask for personal information.
  • Don’t send personal information via email.

But businesses that contend with large numbers of users and large volumes of email need to raise the security bar, whether they outsource email or manage it in-house:

Implement awareness and training campaigns. Begin by explaining the principles behind the phisher’s most powerful weapon: social engineering. Explain what spear phishing is and the threat it poses to individuals and the organization. Consider hosting online quizzes for your employees. And check to see whether your awareness campaigns are effective or not.

Provide guidelines for your employees. Explain what personal information phishers seek and describe the tell-tale signs of a phishing message to employees. You may want to use my "Anatomy of a Phishing Expedition" article as a template or resource.

Publish a corporate policy. List business information that employees must take care not to disclose in blogs, social networks, tweets, or email correspondence. The list should include such information as organization charts, telephone directories and mailing lists, customer information, and, of course, all personal identity information your company manages. Consider explaining what social networking privacy controls are and how employees should set them to protect themselves and the organization.

Implement a phishing response plan. If spear phishing poses a significant risk to your organization, create a situational response position in your organization where employees can report suspicious URLs or attachments. Aggregate phish emails from these sources as well as from your antispam systems. Your staff may be able to deduce whether your organization is a target for attack by examining URLs or attachments in the aggregate. Work in cooperation with anti-phishing organizations (Spamhaus, SURBL, and others), which may be able to identify the nature and origins of the attack from this data.

If this seems like a lot of work, consider the alternative. Ask yourself whether Condé Nast might have avoided sending $8 million to a scammer over a period of six weeks if it had done a better job of raising spear-phishing awareness.

View Comments: Newest First | Oldest First | Threaded View
securityskeptic   How to Get Ahead of Spear Phishing   4/12/2011 11:09:33 AM
Re: The First Rule of the Intenet
In the drills you run, don't seek to name and shame. Don't make a public showing of anything but the aggregated results. Check with senior management and human resources and vetted the attack before you run it.

The responses to any deception will invariably evoke a range of emotions, from indignation to embarrassment to anger. Emulating actual phish campaigns wouldn't be effective if you did otherwise. Make clear to your employees or users that the goal here is to raise awareness and protect the organization (and individuals) from very real, daily threats.

Keep in mind that while users who routinely click on links, pay little attention to security advice or attempt to bypass them may not be "advanced" but they are "persistent threats".

User Ranking: Blogger
Broadway   How to Get Ahead of Spear Phishing   4/11/2011 9:41:59 PM
Re: The First Rule of the Intenet
@securityskeptic, interesting that you have done these phishing drills before. Given what @Technocrat brought up -- a good point about alienating/upsetting the drillees -- how did you address this issue?

I am of the mind that this risk is worth it. The other ways of teaching employees about phishing threats aren't better ... a class on the subject will be a snoozefest, and email reminders from IT about Internet viruses and email phishing scams could be taken as patronizing too.
Technocrat   How to Get Ahead of Spear Phishing   4/11/2011 12:49:42 PM
Re: The First Rule of the Intenet
@ Broadway  I see the merit in your idea, but I think the rank and file might be a little insulted by that method, even though it would be good to drive the point home.  The embarrassment factor should be considered, no one wants to be the "fool" at least not in the open, so perhaps a better method is monthly classes to show examples of phishing schemes and their effects, perhaps with constant reminders through classes and the occasional reminder via email from the IT dept. will lessen the potential risk of a phishing breach.  Just my thought.
securityskeptic   How to Get Ahead of Spear Phishing   4/11/2011 10:52:51 AM
Re: The First Rule of the Intenet
Glad you asked. I did mention phishing drills in my original copy. I've written about this before. What I'd said in my original copy was:

"Launch an internal spear phish campaign of your own to see whether your awareness campaigns are effective nor not."

Links to this article:

I have helped set these up and there are many variations to consider. It's very important that you contain the deception and take care to prevent leakage.

User Ranking: Blogger
Broadway   How to Get Ahead of Spear Phishing   4/10/2011 8:49:57 PM
Re: The First Rule of the Intenet
In terms of building awareness among employees, what do you think of a phishing "drill"? Companies have long had fire drills ... supposedly unannounced attempts to test employees' ability to quickly and quietly vacate the building for a fire. Why not sneak up on employees with mock phishing attacks. Then when they pass or fail the test, have someone come out and explain what happened and what they did right/wrong.
Technocrat   How to Get Ahead of Spear Phishing   4/9/2011 3:43:49 PM
Re: The First Rule of the Intenet

@ sechristiansen   I agree with your statements. sadly we will always be a step behind in this effort to secure and protect as the "human element"  will constantly distort our efforts to provide just that.


Sadly a losing battle for sure. 

securityskeptic   How to Get Ahead of Spear Phishing   4/9/2011 12:20:01 PM
Re: Defending against good Spear Fishermen
Very thoughtful and insightful post...

I chose the Conde Nast incident for my article precisely because it illustrates just how far scammers will go to make a social engineering attack work.

And while I agree that the future may hold more focused attacks, I don't think scammers will abandon the large volume spam/phish campaigns. The former will target "whales" but the latter will remain lucrative for scammers until we create sufficient deterrents and begin imposing serious sentences on the scammers we bring to trial and find guilty.
User Ranking: Blogger
securityskeptic   How to Get Ahead of Spear Phishing   4/9/2011 12:15:43 PM
Re: The First Rule of the Intenet
I can't argue that trust is wonting in the Internet today. I also can't argue that some people are particularly bad users. I've advocated admission controls for many years. Eventually, we must hold users responsible and accountable for how they act, especially if their actions are harmful to others. We have to re-think AUPs and put some teethe into them. When users shows no respect for their own private information and the sensitive information of their employer, perhaps we need some clearly defined carrots and sticks.

User Ranking: Blogger
EyeTee   How to Get Ahead of Spear Phishing   4/8/2011 4:18:20 PM
Defending against good Spear Fishermen
The Conde Nast scam is very interesting to me because it's somewhat similar to the most recent spear fishing attack I've encountered.

I think at this point, most savvy users and employees know enough about this type of thing to avoid sending their bank account info to the prince of Nigeria or fall victim to fake emails regarding their bank account or credit card.

But a scheme similar to the Conde Nast one is very difficult to defend against: if a person actually takes the time to impersonate either someone your company does business with or an organization that your company would like to do business with... the chance that their scam will succeed will rise dramatically.

Really, the Internet is a boon for skilled and creative con artists because in many cases you can conduct all your business virtually. In the case of that Conde Nast scheme, I doubt anyone on either side of that transaction even picked up a phone.

Perhaps the future of online scams are far more "focused" and customized: rather than spewing out millions of spam mails, hoping for a .01% response rate, perhaps they'll focus on a very small number of lucrative or obviously gullible/careless targets. This will be much more difficult to defend against.
sechristiansen   How to Get Ahead of Spear Phishing   4/8/2011 1:19:36 PM
The First Rule of the Intenet
The First Rule of the Internet - Don't trust the internet or anything that comes from it.  Yet we still seem to be enticed to take a bite of the apple.

Topics like security education keep coming up once a year or  so, but no one seems to pay attention or learn.  To them, computers are things that should do things for them and they don't have time to learn about security because their jobs are too important.  You can bathe yourself in controls but in the end, there are just some people things you cant fix.


The blogs and comments posted on do not reflect the views of TechWeb,, or its sponsors., TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Dave Piscitello
Dave Piscitello   8/18/2011   9 comments
We've witnessed a steady stream of attacks against corporate, government, military, and controversial targets. The victims continue to conduct postmortems to assess damage and mitigate ...
Dave Piscitello   8/2/2011   8 comments
In my last blog, "Phishers Are Casting Nets for Your Domain Names & DNS," I explained that even though security experts routinely warn Internet users to watch out for email notices from ...
Dave Piscitello   7/26/2011   19 comments
We all know how traditional phishing works, where email is sent to users in an attempt to steal login or credit card information. But there is another, less known attack that is becoming ...
Dave Piscitello   5/20/2011   9 comments
Yesterday, in Top 10 Advanced Persistent Threats, Part 1, I shared the observation that attacks used by Advanced Persistent Threat (APT) intruders are not that different from those used by ...
Dave Piscitello   5/19/2011   9 comments
The cyber version of Advanced Persistent Threats (APTs) shares many of the characteristics we attribute to spy wars: continual surveillance of and intelligence gathering on a particular ...
Latest Archived Broadcast
We talk with Bernard Golden about accelerating application delivery in the cloud.
On-demand Video with Chat
Register for this video discussion to learn how tablets can provide true business usability and productivity.
E2 IT Migration Zones
IT Migration Zone - UK
Why PowerShell Is Important
Reduce the Windows 8 Footprint for VDI
Rethinking Storage Management
IT Migration Zone - FR
SQL Server : 240 To de mémoire flash pour votre data warehouse
Quand Office vient booster les revenus Cloud et Android de Microsoft
Windows Phone : Nokia veut davantage d'applications (et les utilisateurs aussi)
IT Migration Zone - DE
Cloud Computing: Warum Unternehmen trotz NSA auf die „private“ Wolke setzen sollten
Cloud Computing bleibt Wachstumsmarkt – Windows Azure ist Vorreiter
Like Us on Facebook
Twitter Feed
Enterprise Efficiency Twitter Feed
Site Moderators Wanted
Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail:
Dell's Efficiency Modeling Tool
The major problem facing the CIO is how to measure the effectiveness of the IT department. Learn how Dell’s Efficiency Modeling Tool gives the CIO two clear, powerful numbers: Efficiency Quotient and Impact Quotient. These numbers can be transforma¬tive not only to the department, but to the entire enterprise.

Read the full report
The State of Enterprise Efficiency in the Virtual Era: Virtualization – Smart Approaches to Maximize Gains
Virtualization is a presence in nearly all enterprise data centers. But not all companies are using it to its best effect. Learn the common characteristics of success, what barriers companies face, and how to get the most from your efforts.

Read the full report
Informed CIO: Dollars & Sense: Virtual Desktop Infrastructure
Cut through the VDI hype and get the full picture -- including ROI and the impact on your Data Center -- to make an informed decision about your virtual desktop infrastructure deployments.

Read the full report
A Video Case Study – Translational Genomics Research Institute
e2 Video

On the Case
TGen IT: Where We're Going Next

7|11|12   |   08:12   |   10 comments

Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.
On the Case
Better Care Through Better Communications

6|6|12   |   02:24   |   11 comments

The achievements of the TGen/Dell project could improve how all people receive healthcare, because they are creating ways to improve end-to-end communication of medical data.
On the Case
TGen IT: Where We Are Now

5|15|12   |   06:58   |   6 comments

TGen is breaking new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions.
On the Case
TGen IT: Where We Were

4|27|12   |   06:45   |   10 comments

The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.
On the Case
1,200% Faster

4|18|12   |   02:27   |   12 comments

Through their partnership, Dell and TGen have increased the speed of TGen’s medical research by 1,200 percent.
On the Case
IT May Improve Children's Chances of Survival

4|17|12   |   02:12   |   8 comments

IT is helping medical researchers reach breakthroughs in a way and pace never seen before.
On the Case
Medical Advances in the Cloud

4|10|12   |   1:25   |   5 comments

TGen and Dell are pushing the boundaries of computing, and harnessing the power of the cloud to improve healthcare.
On the Case
TGen: Living the Mission

4|9|12   |   2:25   |   3 comments

TGen's CIO puts the organizational mission at the heart of everything the IT staff does.
On the Case
TGen Speeding Up Biomedical Research to Save More Lives

4|5|12   |   1:59   |   6 comments

The Translational Genomics Research Institute is revamping its computing to improve speed, storage, and collaboration – and, most importantly, to save lives.
On the Case
Computing Power Helping to Save Children's Lives

3|28|12   |   2:13   |   3 comments

The Translational Genomics Institute’s partnership with Dell is enabling them to treat kids with neuroblastoma more quickly and save more lives.
Tom Nolle
The Big Reason to Use Office

3|18|14   |   02:24   |   46 comments

Office and personal productivity tools come in a first-class and coach flavor set, but what makes the difference is primarily little things that most users won't encounter. What's the big issue in using something other than Office, and can you get around it?
E2 Editors
SPONSORED: Mobile Security — A Use Case

3|4|14   |   04:27   |   16 comments

New mobile security solutions can accommodate a wide array of needs, including those of a complex university environment.
Tom Nolle
Killing Net Neutrality Might Save You Money

1|16|14   |   2:13   |   16 comments

The DC Court of Appeals voided most of the Neutrality Order, and whatever it might mean for the Internet overall, it might mean better and cheaper Internet VPNs for businesses.
Tom Nolle
The Internet of Everythinguseful

1|10|14   |   2:18   |   19 comments

We really don't want an "Internet of Everything" but even building an Internet of Everythinguseful means setting some ground rules to insure there's value in the process and that costs and risks are minimized.
Tom Nolle
Maturing Google Chrome

12|30|13   |   2.18   |   25 comments

Google's Chrome OS has a lot of potential value and a lot of recent press, but it still needs something to make it more than a thin client. It needs cloud integration, it needs extended APIs via web services, and it needs to suck it up and support a hard drive.
Sara Peters
No More Cookie-Cutter IT

12|23|13   |   03.58   |   21 comments

Creating the right combination of technology, people, and processes for your IT organization is a lot like baking Christmas cookies.
Sara Peters
Smart Wigs Not a Smart Idea

12|5|13   |   3:01   |   46 comments

Sony is seeking a patent for wigs that contain computing devices.
Tom Nolle
Cloud in the Wild

12|4|13   |   02:23   |   15 comments

On a recent African trip I saw examples of the value of the cloud in developing nations, for educational and community development programs. We could build on this, but not only in developing economies, because these same programs are often under-supported even in first-world countries.
E2 Editors
SPONSORED: Is Malware Evading Your IPS?

11|18|13   |   03:16   |   4 comments

Intrusion prevention software is supposed to detect and block malware intrusions, but clever malware authors can evade your IPS in these five main ways.
Sara Peters
Where Have All the Mentors Gone?

9|27|13   |   3:15   |   38 comments

A good professional mentor can change your life for the better... but where do you find one?
Tom Nolle
SDN Wars & You Could Win

9|17|13   |   2:10   |   5 comments

VMware's debate with Cisco on SDN might finally create a fusion between an SDN view that's all about software and another that's all about network equipment. That would be good for every enterprise considering the cloud and SDN.
Ivan Schneider
The Future of the Smart Watch

9|12|13   |   3:19   |   39 comments

Wearing a bulky, oversized watch is good training for the next phase in wristwatches: the Internet-enabled, connected watch. Why the smartphone-tethered connected watch makes sense, plus Ivan demos an entirely new concept for the "smart watch."
Tom Nolle
Cutting Your Cloud Storage Costs

9|4|13   |   2:06   |   3 comments

Cloud storage costs are determined primarily by the rate at which files are changed and the possibility of concurrent access/update. If you can structure your storage use to optimize these factors you can cut costs, perhaps to zero.
Sara Peters
Do CIOs Need an IT Background?

8|29|13   |   2:11   |   23 comments

Most of the CIOs interviewed in the How to Become a CIO series did not start their careers as IT professionals. So is an IT background essential?
Ivan Schneider
The Internet Loves Birthdays

8|27|13   |   3:25   |   69 comments

The Internet has evolved into a machine for drumming up a chorus of "Happy Birthday" messages, from family, friends, friends of friends who you added on Facebook, random people that you circled on G+, and increasingly, automated bots. Enough already.