Spear phishing attacks are becoming increasingly common and more sophisticated. Because attacks can be cleverly tailored, traditional IT network defences alone are often not enough to detect and prevent them. You can reduce the vulnerability of your organisation by working with employees to dispel the perception that, ‘if something gets through the firewall, it is probably genuine’. Your employees have an important role to play in protecting your organisation as a second line of defence, after technical measures.
What is spear phishing?
Spear phishing is a targeted type of social engineering attack. An attacker gleans information about an individual which allows them to masquerade as a trusted source in an electronic communication. This may lead the individual to click on links, accept software updates or open attachments via email, social media messages or electronic popup messages. In doing so, the individual can unwittingly compromise sensitive information, provide access to organisational finances or facilitate technical attacks on company networks.
Joint CPNI and NCSC guidance “Phishing Attacks: Defending Your Organisation”
This guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques.
It outlines a multi-layered approach that can improve your resilience against phishing, whilst minimising disruption to user productivity. The mitigations suggested are also useful against other types of cyber attack, and will help your organisation become more resilient overall.
This guidance is aimed at technology, operations or security staff responsible for designing and implementing defences within medium to large organisations. This includes staff responsible for phishing training.
CPNI ‘Don’t Take the Bait!’ campaign
The campaign is based on the principle that if you can increase awareness of the scam techniques that are often deployed, then employees will be less likely to fall for them. The campaign encourages the idea that employees have a role to play in keeping the organisation secure by not falling for, or being tricked by, spear phishing.
An important aim of this campaign is for employees to feel encouraged and supported in reporting suspected spear phishing attempts to their organisation – even if this is after they have clicked.
The campaign materials consist of the following:
- An introductory guide for organisations: to outline the threat and provide further details on how to run the campaign
- A guide for organisations on how to design phishing simulations: to test the susceptibility of your organisation to spear phishing
- 4 x posters to signpost an in-house campaign: phish, bait, trap, smarter
- 2 x posters to raise awareness of spear-phishing techniques: urgency, authority
- An animation (available below and on YouTube) to raise awareness of the influence techniques used by spear-phishers
- An infographic: to reinforce the messages delivered within the animation
- A quiz: to provide an opportunity to spot phishing attempts
For further information on the materials, to share feedback, or for editable versions (as Indesign files) please email [email protected].
You may find CPNI’s 5Es framework useful for planning and maximising the impact of your in-house behaviour change campaigns.
Don't take the bait!