EY: Don’t take spear phishing for granted

Spear phishing may be a well-known security risk in the corporate world, but companies are well advised not to take it for granted.

This was one of the key takeaways from the interview session this Tuesday with Jeremy Pizzala, Asia Pacific Cybersecurity Leader at EY, at The Pan Asian Regulatory Summit held at the Grand Hyatt Hong Kong.

“The primary concerns around phishing and customer data security are actually two sides of the same coin,” Pizzala said in reaction to the interactive online poll taken among the delegates during the session.

The delegates on the floor put cyber risk to customer data as the number one security concern at 38%, with phishing and malware ranking second at 24%.

The two-day summit organized by Thomson Reuters was attended by members of the banking and financial industries, regulators and representatives from industry associations.

“A sophisticated phishing attack will entice employees in an organization to click on that link or download an innocuous-looking file, but once that is done, then the malware or the malicious payload can start grabbing customer data,” Pizzala said.

He noted the increasing sophistication of spear phishing, an advanced form of phishing that is targeted and personalized to a specific individual.

One of the challenges in combatting spear-phishing is the proliferation of information that can be accessed through social media networks such as Facebook and LinkedIn.

“All the information you put there seems innocuous to you but malicious attackers can piece the information into a holistic piece of a puzzle. They can use all the information to construct a really credible email that will entice you to click on it and download a malware to steal not only customer data but other pertinent corporate information,” said Pizzala, adding that some spear-phishing campaigns intercept the victim’s email messages to get hold of sensitive information, such as private M&A negotiations, which they could monetize later on.

The act of spear-phishing may sound simple, but spear-phishing emails have improved within the past few years and are now extremely difficult to detect without prior knowledge of spear-phishing protection.

Spear-phishing attackers target victims who put personal information on the internet. They might view individual profiles while scanning a social networking site. From a profile, they will be able to find a person’s email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. With all of this information, the attacker would be able to act as a familiar entity and send a convincing but fraudulent message to their target.