Organized crime is targeting medium and large businesses with a well-honed attack that gets past the defenses of most of them. Called "spear phishing," it singles out one or two people inside the company and sends them a carefully crafted email whose links or attachments install malware on the company's network. The number of such attacks is rising sharply.

In March, MessageLabs Ltd. reported that in the previous month it had intercepted 716 messages from 249 targeted attacks against 216 of its customers. By comparison, MessageLabs says it saw an average of two such attacks per day a year earlier and two per week two years earlier.

The lure is typically a malicious MS Office document, but it may also be a link to a convincing fake website. One attack targeted a newly appointed executive at a large company whose arrival had been announced in a press release.

The executive received an email purporting to come from the company's travel agency, asking him to click a link, log in to the agency's website, and confirm his personal profile for approval. He clicked the link and found a site already populated with personal details about him, all gathered from public sources on the internet. He then clicked a button to sync his Outlook calendar with the agency. He had no way of knowing that the site was run by criminals and that the "sync" had just installed malware on his company's network.

Other attacks use realistic-looking MS Office attachments that, when opened, silently install malware. In some cases the application crashes, and the malware loads when the machine is restarted.

What can companies do to protect their executives, and themselves, from this kind of attack? Two things: deploy intrusion detection that uses heuristics, and train your executives.

Companies should use detection software that does not rely solely on malware signatures. Most antivirus products are signature-based: they keep a list of known "bad guys," code already recognized as malware, and compare incoming code against that list. Code that is not on the list is allowed through. Against current malware this no longer works.

Criminals now change their code so quickly that thousands of variants can appear in a single day, none of which match an existing signature. Hence the move to heuristic, behaviour-based technology that looks at what the code tries to do on business systems rather than at what its bytes look like. Still in its infancy, this is the future of malware detection, but it does not catch everything.

The problem with relying solely on intrusion detection is that malware often goes undetected. Criminals write new malware every day specifically designed to stay under the detection radar, and this technology does not detect some kinds of rootkits and other attacks. Companies should use it as the first line of defense, but not count on it 100%.
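The difference between the two approaches, and the caveat that heuristics still miss quiet malware, is easier to see in code. The following is an added example written for this article, not software from any product mentioned here. The sample bytes, the event names, the weights and the threshold are all constructed for illustration; a real engine would look at far richer telemetry.

```python
import hashlib

# Constructed stand-in for an executable's bytes. Not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"payload: drop to Startup; beacon 203.0.113.7:8443"

# Signature database: hashes of samples the vendor has already seen.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Signature-based AV: exact hash match against the known-bad list."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def repack(sample: bytes, seed: int) -> bytes:
    """Simulate a repacked variant: identical behaviour, different bytes.
    Here a seed-derived tail is appended; real packers rewrite the whole file,
    but the effect on a hash signature is the same."""
    return sample + seed.to_bytes(4, "big")


# Behaviour heuristic: weighted events as a sandbox or endpoint agent might
# report them (constructed names and weights, chosen for this example).
WEIGHTS = {
    "office_app_spawns_process": 3,
    "write_to_startup_folder": 3,
    "set_registry_run_key": 3,
    "outbound_to_unusual_port": 2,
    "read_address_book": 1,
}
THRESHOLD = 5  # assumed tuning point: total weight at which we block


def behaviour_score(events) -> int:
    """Sum the weights of observed events; unknown events score zero."""
    return sum(WEIGHTS.get(e, 0) for e in events)


def behaviour_flag(events) -> bool:
    return behaviour_score(events) >= THRESHOLD


def detect(sample: bytes, events) -> str:
    """Layered verdict: signatures first (cheap and precise), behaviour second."""
    if signature_match(sample):
        return "blocked:signature"
    if behaviour_flag(events):
        return "blocked:behaviour"
    return "allowed"


# Constructed event streams.
# A classic Office dropper: spawned from Word, persists, calls home.
DROPPER_EVENTS = [
    "office_app_spawns_process",
    "write_to_startup_folder",
    "outbound_to_unusual_port",
]
# A quiet implant that hides its file and registry writes (as a rootkit does)
# and only touches the address book, exactly what a mail client also does.
QUIET_EVENTS = ["read_address_book"]

if __name__ == "__main__":
    print(detect(KNOWN_SAMPLE, DROPPER_EVENTS))          # blocked:signature
    print(detect(repack(KNOWN_SAMPLE, 1), DROPPER_EVENTS))  # blocked:behaviour
    print(detect(repack(KNOWN_SAMPLE, 2), QUIET_EVENTS))    # allowed
```

The repacked variant sails past the signature check but is caught by its behaviour; the quiet variant is caught by neither, which is the gap that executive training has to cover.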

That's where training comes in. 77% of malware attacks start when a user clicks a link or opens an attachment in a message they were not expecting. Teaching executives not to click links or open attachments in unexpected email, even when it appears to come from a fellow executive, mitigates the business risk.
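"Think before you click" comes down to one habit: look at where a link really goes before following it. The travel-agency lure above works because the displayed text and the real destination differ. The following is an added example, not code from the article or from any vendor named in it, that automates that check over an HTML email body. The sample email, the sender domain and the heuristics (mismatched link text, a bare IP address, the sender's domain buried inside an unrelated domain) are constructed for illustration; the registrable-domain logic is a deliberate last-two-labels approximation and would need a public suffix list in production.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two DNS labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str, sender_domain: str) -> list:
    """Return human-readable reasons a link deserves a second look (empty if none)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons  # mailto:, relative paths etc.: nothing to compare
    if is_ip_literal(host):
        reasons.append("link target is a bare IP address, not a named site")
        return reasons
    expected = registrable_domain(sender_domain)
    actual = registrable_domain(host)
    # Visible text that looks like a URL or domain but points somewhere else.
    if " " not in text and "." in text:
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != actual:
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    # Sender's domain used as a subdomain of an unrelated registrable domain.
    if sender_domain.lower() in host and actual != expected:
        reasons.append(f"{sender_domain} appears inside {host}, which is really {actual}")
    elif actual != expected:
        reasons.append(f"link domain {actual} differs from sender domain {expected}")
    return reasons


def suspicious_links(html: str, sender_domain: str) -> list:
    """All links in the body that raise at least one reason, as (href, text, reasons)."""
    collector = LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        reasons = check_link(href, text, sender_domain)
        if reasons:
            out.append((href, text, reasons))
    return out


# Constructed phishing email modelled on the travel-agency lure; the domains are
# invented (example.com is reserved for documentation) and nothing here is real.
SAMPLE_EMAIL_HTML = """
<p>Please confirm your traveller profile before your trip:</p>
<a href="https://travel.example.com.login-verify.net/profile">https://travel.example.com/profile</a><br>
<a href="http://203.0.113.10/sync">Sync my Outlook calendar</a><br>
<a href="https://travel.example.com/help">Help</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "example.com"):
        print(href, "<-", repr(text))
        for r in reasons:
            print("   ", r)
```

Run against the sample, the first two links are flagged and the genuine help link is not. The same three questions (does the text match the target, is it a named site, does the domain really belong to the sender) are what a three-minute training session should leave in an executive's head.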

One option is a new free three-minute anti-malware training program, "Training in a Flash." It runs on Adobe Flash, which is available in more than 90% of the world's browsers, and in those three minutes shows users how to recognize and avoid phishing and pharming attacks.

Conclusion for companies:

1. Make sure you are using an up-to-date intrusion detection system that uses heuristics rather than signatures alone.

2. Train your executives to “think before they click.”

If you don’t, you may end up on the sharp end of a successful spear phishing attack.