Spear phishing takes it one step further. Instead of sending out a blanket email to millions of addresses in the hope that they'll get lucky, criminals will pick a handful of individuals within the company they want to target, and carefully tailor the message so that it is relevant to the recipient or uses emotions such as fear, reward and curiosity to get the recipient to react. 

In the highly publicized attack against security firm RSA, the spear phishers sent two different phishing emails to a group of employees over the course of a few days. The subject line simply read "2011 Recruitment Plan."

Just one person's interest was piqued and they were duped into opening the message and clicking on its attachment unleashing a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability. The rest, as they say, is history.

That's an example of a spear phishing attack against one specific organization, but whole sectors have also been targeted. Thirteen months ago it was confirmed that the chemical, defense and other sectors were hit with a spear phishing campaign designed to steal R&D and other information. Dubbed "Nitro", the attack's focus was information about chemical compounds and various advanced materials used by the military. In the end, nearly 100 computers were affected and the attacks could all be traced back to a phishing email campaign.

Why Are They Effective?

There are two key trends driving the increasing effectiveness of spear phishing campaigns.

1) Unfortunately we've been misled:

Many have been led to believe that spear phishing attacks can be thwarted with technical controls, such as anti-virus software, so less emphasis has been placed on educating users. However, as the publicized attacks proved, this trust has been misplaced. The end result is that many people don't expect to receive anything in their inbox that they shouldn't respond to so, when they do, they're unlikely to be suspicious.

2) Arguably some of the credit has to be given to the criminals:

Just as marketing works when it is targeted, the same is true for a scam email, and malicious individuals have realized this. Criminals will research, collect and cross reference information about an organization, and the individuals who work there, and then tailor a message that they'd expect to receive.

For example, in the Nitro attacks mentioned previously, when just a few emails were sent to an organization the message appeared to be a meeting invite from business partners.  When larger numbers were sent, they claimed to be a security update.

What Can Be Done?

Spear phishing attacks are performed by humans, against humans. For that reason, while software solutions exist, relying on technology alone is not enough. Instead, you need to employ a holistic approach – anti virus and filters that will remove more basic, generic attacks, combined with education that helps end users become sensitive to warning signs and understand the correct process they need to report suspicious emails.

There are a number of typical tell-tale signs, both in terms of the sender and the content, that could potentially characterise a phishing email and it's imperative that your workforce knows what to look for:

Sender

• Do they know the sender, and is it the email address they would expect them to use? An email purporting to be from your CEO but sent from a Gmail account should always ring alarm bells.
• Is the user expecting a message from the person? Would they usually encourage clicking on a link? And, if they are, do they seem genuine? For example, if you've not ordered anything then an email from UPS advising a shipment is being held at customs shouldn't really ring true.

Content

• The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user's emotional response – fear, curiosity or reward, and emails that evoke strong emotions such as these should be considered triggers.
• Is it too good to be true? If it says you've won an iPad in a company raffle and you haven't bought any tickets or the company doesn't even hold raffles, then the chances are you haven't.
• Users should consider if an email is specific to them? Does it make sense? Although criminals have a lot of information about individuals they will still keep any messages generic to pique the interest of the recipient and prompt them to take action.
• Perhaps it would be normal for your IT support company to request clicking a link to install a software update but, if it isn't, then alarm bells should ring. And, if it is a link, is it an IP address that you can identify or is someone trying to appear genuine but actually the link directs to a false site?
• And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.

While one of the points alone may not be conclusive, if an email ticks a number of these boxes then it should be treated with caution.

This brings me to the next element – procedures:

• Use an immersive training technique and send users a typical phishing email, and then provide anyone who falls for the scam with immediate feedback in the form of education. Conducting regular mock phishing exercises while varying the attack method, social engineering tactics (emotions) and themes will make users more aware and resilient to attacks that work on them.  After all, you don't learn to drive a car by reading a manual nor does everyone pass the test on their first go!
• Users need to be routinely reminded of the need for caution when clicking links or opening attachments. If they aren't sure that an email is genuine they should be encouraged to verify with the sender using another channel, such as phone or face-to-face, before opening it.
• Should a malicious email subvert your controls and land in a user's inbox, then users need to know what to do with it. Rather than just delete it, not least because it might not be legitimate, I would suggest it be forwarded to the person within the organization best placed to determine its authenticity. Once the message has been examined, the user should be informed of the outcome, and why, so they can learn from the experience moving forward.
• Share information with employees about the types of attack that have been received elsewhere in the organization so others don't fall foul
• Display examples of phishing emails on the organization's intranet so a suspect email can be checked against others previously received

Spear phishing is a targeted attack but it can be prevented. As an enterprise you need to ensure your users get the message, and change their habits, so that they not only identify a phishing attack, but know exactly what they should do about it.

By educating people, they will do the right thing when faced with a situation because they'll be conditioned to respond in a certain way. Otherwise you might find yourself impaled.

Scott Greaux is vice president, Product Management and Services, at PhishMe in Chantilly, Va.