How to protect from corporate spear phishing

Phishing emails try to trick you into logging into an online account. The email masquerades as being from a genuine source and if you recognize it as a system that you use, you might be tempted to follow a link in the email and try to log in.

Phishing is a trick that hackers use to reap login credentials from members of the general public – that log-in screen that the email link leads to is fake and you are just typing your username and password into the hacker’s database. They will be raiding your account shortly.

Spear phishing is a variation on password gathering scams that is aimed at corporations. While phishing emails get sent out in bulk to users who may or may not have accounts at the imitated system, spear phishing is targeted and requires a lot more research and actual interaction from the hacker.

What is Spear Phishing?

Spear phishing has the aim of getting access to a corporate system. A hacker might use one target simply as a way through to another. With each exploratory spear phishing email, the hacker gets closer and closer to gaining control of a user account that has real power.

The hacker needs information about the business, such as what software it uses or what the names of systems administrators or senior management are. They might even want to get examples of emails sent by key personnel so that they can imitate them.

There are two options for a hacker that implements spear phishing. One is to get access credentials to a system, the other, which is also known as “whaling,” is to impersonate a senior manager in order to give convincing instructions to an assistant to implement certain actions, such as transferring money or disclosing sensitive data.

Even the most insignificant employee in an organization can be a useful assistant to a hacker. Any information that the hacker can glean about a business will help. For example, it is a good start to just get an email from someone on the corporate system because that gives the hacker the standard format for emails used within the business. With a template in place, the hacker can move forward with a convincing email to someone more important.

The problems of spear phishing

Spear phishing presents a very severe challenge to IT security. By hijacking legitimate accounts or directing unsuspecting users to perform damaging acts, the hacker circumvents every conventional step that system administrators use to block out intruders.

The result of a successful spear phishing campaign is very similar to an insider threat. In fact, when malicious activity is identified on an authorized account, security and HR staff will need to determine whether the employee associated with that account is behaving badly or has been duped.

The targets of hackers that gain access to systems through spear phishing aren’t only money and data. Your system itself can be a useful resource. Hackers have been known to use business networks and their servers to create an underground VPN service that protects hacker identities while attacking other systems. Company servers have also been used by hackers to mine cryptocurrency, which is expensive on resources and will ramp up your business’s electricity bill.

There are a number of measures that can be taken in order to combat spear phishing and none guarantee 100 percent protection from attack. There are email management systems available that have ramped up their spam filters to include spear phishing detection. These systems mostly rely on an industry-circulated blacklist that provides a feed of IP addresses and domains that have been discovered to be the home systems of spear phishing ventures.

Countermeasures against spear phishing

There are three categories of measures that you can take in order to reduce the potential damage of spear phishing. All of these regard how you handle authorized users on the system:

  1. Educate users
  2. Restrict users
  3. Suspect users

Unfortunately, spear phishing gets hackers a valid user account on the system or it gets valid users working for hackers. Therefore, you can’t be too trusting about authorized users anymore.

Educate users

User education is probably the biggest way to prevent spear phishing, all other measures are attempts at damage limitation. Make users aware of typical tricks that spear phishers use, such as buying domain names that are close to the company’s own, impersonating colleagues, customers, or suppliers, and making tempting offers.

Just to back up user awareness with technology, implement DMARC (Domain-based Message Authentication, Reporting & Conformance) in your spam filter to block emails with spoofed source addresses.

The business should put into effect working practices that prevent one person from being able to take a potentially damaging action without authorization. Another measure that would be useful is the requirement for a telephone conversation before taking action because that will cut down the success rate of impersonation pranks.

Restrict users

Implement 2FA on account access procedures. This should be tied to some physical device or proof, such as a phone text message, a local code generator, or a thumbprint scan. As spear phishing hackers are usually far away, they won’t have access to these devices – if they do, they are an insider threat and not a spear phishing threat. The use of 2FA is probably the best defense against hijacked accounts.

The other major step you can take is to review your access rights management strategy and tighten up the system tools and data types that each user group can access and create more granular groups.

Abandoned accounts are very commonly used by hackers to gain access. Any account that shows no activity should be suspended or deleted.

Although renewing passwords regularly used to be thought to be a good account security measure, this is no longer ranked as a good idea. The reason for that is that it forces users to rely on straightforward, memorable passwords, cycle between two passwords, and use the same password everywhere. It is a better idea to introduce password generators that produce long and complicated passwords that would be impossible to remember and very difficult to type out error-free. This strategy would need to be partnered with a password locker.

Measures that can be taken to tighten up the system against hapless actions performed with emails include blocking download attachments or creating a sandbox for isolated viewing. This would prevent attacks that can be embedded in images or PDFs. Get a subscription to a website blocker as well that inspects web pages before a user opens it in a browser. Such systems work largely on a blacklist system and will prevent attempts by hackers to implement fileless malware buried in a web page that is led to by a link in a phishing email.

Look into the activity of employees with removable storage. Are there any valid work scenarios that would merit a worker copying data onto a USB? If there are, make them use a specific device for copying or request that the IT department makes the copy, which can only be performed following managerial approval.

Restrict the ability of users to attach files to outgoing emails. Again, make sure that only certain users can send such emails and implement a system that centralizes email sending to restrict and track file distribution. Emails should be restricted in size as well to prevent a user from copying data into the body of the email.

Suspect users

Review your intrusion detection system or SIEM and check whether it is any good at detecting insider threats. Security systems that look for unusual activity that is outside of the normal pattern of each user’s activity will identify hijacked accounts, tricked users, and malicious insiders alike.

Pay particularly close attention to the activities of accounts with heightened privileges. This, naturally, includes IT department user accounts. However, also watch accounts that have access to sensitive data or have approvals to make payments.

It should go without saying that you should keep your system security tight because that will block intruders as well as compromised accounts. Make sure you apply all patches as soon as possible and perform monthly vulnerability scans.

You still need a firewall and endpoint protection software.

Encrypt all company data, at rest and during transfers even within the company’s premises. Get the managed service providers that you use to give you a pledge of legal liability to data leaks in the contract or move to another supplier.

All activity across the internet should be doubly guarded. You need to strengthen your edge services, such as load balancers and CDNs as a matter of course – although these are not specifically avenues used by spear phishers.

Systems to protect against spear phishing

If you’re wondering where to go in order to protect your system against spear phishing, we have some suggestions.

Our methodology for selecting spear phishing protection systems

We assessed the needs of business for protection against spear phishing and came up with good examples of systems that would be of help, using the following criteria:

  • A system to filter out suspicious email origins
  • A system to centralize email traffic and file distribution to assist control and tracking
  • A system to monitor peripheral devices
  • A service that will detect hijacked accounts
  • A tool to improve access rights management
  • Software and services that include free trial periods for assessment
  • Value for money in all tools

The truth is, you will need a combination of tools to fully protect your system against the damage that spear phishing can cause.

Here are the tools we identified as good against spear phishing: (FREE TRIAL)

  • offers a central point for files that are being distributed and also those that are under development by teams. The service scans all outgoing emails for attachments and removes them, uploading them to the server and embedding a link in the email instead. This cloud-based system is offered on a 7-day free trial.

See Best Secure File Transfer Software for more file transfer security options.

ManageEngine Log360 (FREE TRIAL)

  • ManageEngine Log360 is a large package of SIEM, DLP, activity tracking, and file integrity monitoring. This is the type of package you need to prevent a duped employee from performing damaging actions and also identify account takeovers. This system is a full Security Operation Center package and it runs on Windows Server. Get it on s 30-day free trial.

To see a review of software packages for Security Operations Centers, see The Best SOC Software Tools.


  • Zerospam is a competent, cloud-based email filter that includes procedures for detecting phishing attempts. This service prevents malicious emails of all types from even getting onto your servers and is available for a 30-day freetrial.

For more information about email filters, see Best Anti-Spam Software Tools.

ManageEngine Device Control Plus

For more data loss prevention system suggestions, take a look at Best Data Loss Prevention Software Tools.

SolarWinds Security Event Manager

Our Insider Threat Detection Guide: Mitigation Strategies & Tools will help you build a strategy against compromised accounts and duped users as well as disgruntled employees.

SolarWinds Access Rights Manager

  • SolarWinds Access Rights Manager is an interface to Active Directory that includes analysis services to tighten up groups and account management. This system can implement extensive user account usage analysis. The software for the Access Rights Manager installs on Windows Server and it is available for a 30-day free trial.

You can read about more user account management solutions in Best Access Rights Management Software Tools.

Syxsense Secure

  • In the category of general system security against attack, consider Syxsense Secure. This is a combination of a vulnerability scanner and a patch manager. This is a cloud-based service and it is available for a 14-day free trial.

You can get more information about vulnerability scanners in The Best Network Vulnerability Scanners Tested.