A trustful nature is, under most circumstances, not a bad character trait to have. But to cybercriminals, a little too much trust — combined with a generous dose of curiosity and inattention — is just the crack they need to worm their way into your biotech firm’s data.
Recently, I wrote about phishing, one of the most widespread and effective techniques used by hackers today to steal data, infect networks, and disrupt business. In its most basic form, phishing casts a wide net in the hopes of reeling in a few gullible individuals among thousands.
But hackers have a much more precise — and potentially devastating — weapon in their arsenal: spear phishing.
What is Spear Phishing?
Spear phishing is an email phishing technique that uses personal information about the recipient to make it seem as if an email is from a trusted source: a friend, a colleague, a family member.
Here is how a spear phishing hacker might target one of your biotech firm’s team members:
- The hacker visits your firm’s “about us” page and notes the names and personal information of a few of your team members.
- The hacker heads over to LinkedIn, where he learns even more about your team members, eventually choosing one to focus on. Just by browsing your team member’s public profile, the hacker learns the names and organizations of some of his target’s most trusted professional contacts.
- The hacker sets up a spoof Gmail account, mirroring the trusted contact’s own email address closely enough that your team member doesn’t notice (something like “firstname.lastname@example.org” instead of “email@example.com”).
- The hacker initiates an email conversation with your team member. His first email includes no links or attachments and mentions personal details. (“It was great seeing you at the conference last month!”)
- Once trust has been established over a few emails, the hacker sends over an Excel spreadsheet. “Hey, would you mind double-checking my data?” Intrigued, your team member opens the spreadsheet. Unfortunately, there is malware lurking in it.
How to Protect Your Biotech Firm from Spear Phishing
As I noted in my article on phishing, targeted attacks like these are increasing in both frequency and severity — especially against biotech and pharmaceutical firms. Such attacks not only endanger valuable and hard-won data; they can also lead to costly downtime, damage to brand integrity, or HIPAA violations.
How can you prevent your employees from falling prey to spear phishing attacks? The usual anti-spam filters (while always a good idea to prevent other types of attack) aren’t always effective against spear phishing. That’s because many attacks begin without the usual hallmarks of spam: attachments, links, impersonal greetings.
Here are a few measures you can take, instead:
- Teach your team members to be suspicious of every link and every attachment they receive, regardless of the sender. Instruct them to look closely at every sender’s email address to make sure it matches the sender’s trusted corporate email address character-for-character. Have them look closely at URLs, as well, especially checking to make sure the first part (the domain) is legitimate.
- Have your team members scan their public social media profiles for anything that spear phishers might use against them. Walk them through the privacy settings on sites like LinkedIn and Facebook.
- Instruct your team members to never, ever reveal a password by email to anyone, including you.
- Look into cybersecurity solutions that specialize in preventing spear phishing attacks. (For example, I recently recommended Mimecast.) These products include features like intelligent email filtering, attachment sandboxing, and URL analysis. A trusted IT provider can help you choose and set up the anti-spear phishing tools you need to protect your biotech firm.
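The two manual checks above (does the sender’s address match the trusted contact character-for-character, and is the URL’s domain really the one it appears to be) can be automated as a simple triage step. The following is an added example, not code from the article or from any product it mentions; the contact directory, trusted domains, and sample headers are all constructed.

```python
"""Flag spoofed senders and look-alike URLs, mirroring the article's two manual checks.
Added example; TRUSTED_CONTACTS, TRUSTED_DOMAINS and all sample inputs are constructed."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: display name -> the exact trusted corporate address.
TRUSTED_CONTACTS = {
    "Jane Doe": "jane.doe@partnerlab.example",
    "Bob Smith": "bob.smith@biotechcorp.example",
}
# Free-mail providers where a spoof account is likely to be created (see the "spoof Gmail account" step).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Constructed list of domains the firm and its partners actually own.
TRUSTED_DOMAINS = {"biotechcorp.example", "partnerlab.example"}


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'ok', 'impersonation', or 'unknown'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    expected = TRUSTED_CONTACTS.get(name)
    if expected is not None:
        # Only a character-for-character match with the directory counts as ok.
        return "ok" if addr == expected else "impersonation"
    local, _, domain = addr.partition("@")
    # A trusted person's local-part reused on a free-mail domain is the classic spoof.
    for known in TRUSTED_CONTACTS.values():
        if local == known.split("@", 1)[0] and domain in FREEMAIL:
            return "impersonation"
    return "unknown"


def registrable_domain(url: str) -> str:
    """Last two labels of the host (naive: no public-suffix list is consulted)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> str:
    """Classify a URL as 'ok', 'lookalike', or 'unknown' by its registrable domain."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(url) in TRUSTED_DOMAINS:
        return "ok"
    # A trusted name buried in a subdomain or hyphenated variant is not the trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host or trusted.split(".")[0] in host:
            return "lookalike"
    return "unknown"
```

Treat "impersonation" and "lookalike" as prompts for the recipient to verify out of band (a phone call to the contact’s known number), not as proof of an attack.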
Are you worried about spear phishing?
How often does your team’s trusting nature keep you up at night with worries about spear phishing — and what do you do about it? Commiserate with other biotech professionals in the comments section below.