Spear phishing is a type of malicious email impersonation attack that targets a certain company or individual, with the goal of obtaining confidential information. Spear phishing assaults are more likely to be carried out by criminals seeking financial gain, trade secrets, or military intelligence.
Spear Phishing Definition
Spear phishing is a targeted form of phishing. Phishing in turn is a form of fraud involving a threat actor masquerading as a trusted entity with the aim of acquiring sensitive information from an unsuspecting victim. In the classic version of this attack, the target receives an email that seems to come from a reputable source, such as a major internet or technology company, and is urged to log in to the popular website of the alleged source, for which a URL is provided. Clicking on the URL directs the victim to a fake copy of the website in question. Any information the victim submits to that web page, such as login credentials or credit card information, is harvested by the attacker.
Phishing attacks can also be carried out through Instant Messaging (IM) or via SMS (“SMiShing”) and can involve malware, which is delivered on the target system when the victim opens a fraudulent URL provided in the message, or downloads a malicious attachment.
Whereas as phishing campaigns often involve the distribution generic messages to a host of addresses, threat actors engaged in spear phishing carefully choose each target (this can be an individual or an organization) and approach the latter with a tailored message, while impersonating an entity known to the victim. Spear phishing aimed at key employees and senior executives is called “Whaling”.
Spear phishing attacks can be very sophisticated, with the attacker using highly specific information relating to the target, obtained through comprehensive research, in order to deceive the victim. This type of attack therefore involves a combination of psychological manipulation, known as social engineering, and technological mimicry, known as spoofing, with email spoofing and website spoofing being most common.
Spear phishing is an infiltration technique, and is often followed by other cybercriminal actions targeting the victim organization, such as ransomware attacks and business email compromise (BEC) leading to wire transfer fraud.
Phishing vs Spear Phishing
Phishing and spear-phishing sound very similar, but there are multiple differences between these types of cyber attacks. These are both designed to acquire confidential information, however, the tactics used and the approach is very different. That’s why we are here to help you understand what is phishing and what is spear phishing, so you can have a better understanding of how to deal with them properly.
What is phishing?
Both of these attacks are sent via emails. In the case of phishing, these emails are sent to a very large number of people. Most of the time they are sent at random, and it’s expected that only a very small amount of people will reply to them. These emails will try to appear very official, and usually they require the recipient to either download something or click a link.
As you can imagine, that link is infected with malware, same with the downloadable file. Either that, or the link where the person is directed will ask for address, name, social security number and other personal information. All that info can be then sold on the black market, either for identity theft or fraud. That’s why phishing testing services are very important, because you want to be 100% sure any files or links used within your business are safe and ready to use.
How is spear phishing different?
Unlike phishing where the emails are sent at random, the spear phishing emails are designed from the ground up for a single recipient. Normally the spear phishing attackers will try to select a target within the organization and then send an email designed specifically for them. They either know the person very well and their vulnerability, or they are trying to attack a person without a lot of IT knowledge.
Once the email is sent, spear phishing works just like phishing. The person is expected to click on a malicious link or malicious attachments, and once they do, their personal information will be stolen. Malware enters their computer, and it can access all that info, not to mention it can spread to many other computers on the network. So a single spear phishing attack like this can be extremely powerful and very challenging at the same time.
Recent Developments in Spear Phishing
Phishing is almost as old as the modern internet, with the first reported cases dating back to the early 1990s. While spear phishing only became a recognizable phenomenon in the past decade, it has quickly risen to infamy and has been used in numerous campaigns, including some high profile attacks in recent years that resulted in businesses losing tens of millions of dollars to threat actors. In 2016, this threat even played a significant role in the US presidential election, as the string of data leaks that rocked the Clinton campaign was the result of various successful spear phishing scams.
Even though a spear phishing attack logically involves far fewer potential victims than untargeted phishing, spear phishing campaigns can still affect hundreds of organizations over an extended period of time. For instance, earlier this year the US Department of Justice accused nine Iranians of conducting a four-year long state-sponsored hacking campaign targeting hundreds of universities and dozens of private companies in the US and 21 other countries. The hackers used spear phishing emails to obtain access to 8,000 employee accounts and managed to steal intellectual property worth $3 billion.
How does spear phishing work?
In the case of a spear phishing attack, these emails will be sent to specific people within an organization. The attackers try and get as close to their target as possible and then send them an email that appears very official.
Spear-phishers typically gather as much data about their targets as possible before attempting to compromise them. They will research who is in charge of what projects or departments at their target company and they might even try to get in touch with someone who works at the same target organization so that when their scam is ready to go it seems more authentic.
The person is usually expected to click on either a malicious link or download a malicious attachment from this email in order for the malware or information to be stolen.
This is really dangerous because it can cause a lot of damage to one person, or an entire business.
While a spear phishing attack is usually less widespread than regular phishing emails, they still have the power to hurt many people and organizations at once!
Types of Spear Phishing
Spear phishing works the same as regular phishing. Someone is expected to click on a link or download something from an email, which will then give them access to personal information and/or malware that can spread throughout the network! Here are few
Targeted Spear Phishing
A targeted spear phishing attack could be against one person or an entire organization. The goal is to steal personal information, business data, gain unauthorized access, and/or infect computers with malware that can spread throughout the network!
A whaling attack involves targeting certain individuals within organizations in order to get sensitive data. These attackers may either know this person very well or they are trying their luck by sending a random email!
A vishing attack is similar to phishing, but instead of sending emails they actually call people. This is done by calling random phone numbers until someone picks up the phone!
CEO Fraud, a form of Business email compromise (BEC), is a kind of cybercrime in which victims are lured through social engineering. Social engineering is the use of situations and people to elicit information from targeted individuals. Spear phishers impersonate a senior manager - frequently the CEO - in order to induce a worker to make a payment. CEO Fraud is especially potent when employees are too nervous to double check with their superiors for its validity.
Spear Phishing Techniques
There are many different ways that spear phishing attacks can be made. One common way is to target specific individuals in organizations, which will allow the spear phishers to create very personalized messages for them. The emails will appear official and they may even have information about the person they’re targeting within it!
The people sending these kinds of spear phishing attacks are usually very smart and they know what will get their target to click on something or download information.
By sending this kind of email, people could be giving away personal information that can cause them harm in the future!
Another common way spear phishing is done involves targeting specific organizations instead of individuals. For example, if someone has access to a specific database, they may try and trick other people into installing malware or downloading information from it.
Like regular phishing emails, spear phishing techniques can be very hard to detect because the attackers will use false information in order for them to work properly!
The Risks for SMBs
A recent Webroot survey identified phishing as the main external threat to SMBs. Spear phishing is especially dangerous, as it is 1.7 times more effective than untargeted phishing when it comes to obtaining sensitive data from victims.
Small businesses are especially at risk for various reasons. For one thing, only 32% of SMBs carry out experiments to train their employees on how to recognize phishing and spear phishing emails. In addition, just 30% of SMBs have an IT security expert on the payroll to oversee network security and assist other employees in detecting spear phishing attacks. This is very worrisome, since 97% of employees cannot adequately distinguish a phishing or spear phishing email from a legitimate message, while spear phishing has become so sophisticated that 99% of network security systems are useless when it comes to detecting and blocking high quality spear phishing emails.
Spear phishing attacks actually threaten the very survival of SMBs since they can be very costly. It certainly doesn’t help that over 79% of small enterprises have no special insurance coverage for cybersecurity incidents.
A Disturbing Real World Example
In August of last year, the MacEwan University in Edmonton, Canada became the victim of a spear phishing attack resulting in wire transfer fraud. While the university is a sizable undertaking, this incident clearly demonstrates not only how threat actors can use spear phishing to infiltrate an organization, regardless of its size, but also how costly this can be for the targeted operation.
The attack started in June, when threat actors sent an email to the university’s accounts payable clerk, pretending to represent a local construction company, which was one of the institution’s largest suppliers. The employee recognized the logo of the vendor used in the email and deemed the contents perfectly mundane: the local firm was informing the university about a change in their bank account information.
Over the course of a number of weeks, the clerk and two other university employees corresponded with the threat actor via email to adjust the payment details for a number of scheduled payments. In august, the payments all went through and a total of $11.8 million, representing over five percent of the university’s budget, was paid to the bank account of the supplier. Business as usual, it seemed. In reality however, the money was sent to an account in Montreal controlled by the threat actors, who wired most of it to different accounts in Quebec and Hong Kong.
The university discovered the fraud four days after the final payment had been processed, when the actual construction company called to ask why it had not been paid yet. The duped institution then contacted the local authorities and a criminal investigation was launched. The university was lucky that law-enforcement officials managed to trace and freeze over $11.4 million of the funds, although it is still not clear how much money the university has actually managed to recover. In any case, the attack evidently lead the university to incur significant costs in the form of unrecovered funds, plus indirect expenses including legal and public relations fees as well as financial and other expenses related to the (attempted) recovery of lost funds.
Spear Phishing Simulations
An excellent way to both expose your employees to spear phishing and create good habits to help them avoid spear phishing is by running phishing simulations.
Phishing simulations measure employee susceptibility to spear phishing and other types of social engineering attacks. They also highlight where your organization is weakest in terms of information security.
Phishing simulations are a tried and tested way to educate employees about how spear phishing, whaling, or regular phishing works, what typical lures look like, and the consequences they can have for both individuals and businesses.
Another benefit of regular simulated attacks is that it helps to keep your employees on their toes and therefore more likely to spot a potential spear phishing email.
How to run a spear phishing simulation
Unlike standard phishing tests, spear phishing simulations use personal details of your staff to craft targeted attacks. With our phishing simulator, you can upload additional details about your employees, such as their department, manager, title, and more.
You can then use these personal details to craft a simulated spear phishing campaign, such as an email that looks like it's coming from your own staff, or as if a spear phisher used a spoofed URL that looks like your own.
These phishing tests will help your employees spot the flags in spear phishing attempts and avoid falling victim to a spear phishing scam.
How to Prevent Spear Phishing Attacks
In order to protect your business from spear phishing attacks, there are several things you can do and/or tell your IT security team or managed service provider about.
The best way to defend yourself is to ask yourself: “Does this email look like it’s from one of my contacts or someone I should trust?” If so, proceed with caution and try not click on any links or download anything that might be attached. If you are worried, call the person or company that may have sent it and ask them if they did in fact send this email. The IT department is also a great resource to help protect against spear phishing attacks!
Install a reliable anti-malware solution and keep all your software up to date
Proper patch management for your OS and other security software is an essential first step toward protecting your system from any kind of cyber threat. Ideally you should also invest in a professional security suite.
Use a secure email gateway
Secure email gateways (SEGs) provide advanced protection against spear phishing attacks by checking incoming messages for spam, evidence of email spoofing and impersonation attacks.
Organize or promote phishing awareness training and simulations
Phishing awareness training is a great way to educate employees about spear phishing. By regularly conducting phishing simulations, SMBs can assess to what extent employees are implementing the knowledge they have learned and if additional training is required.
Adopt multi-factor authentication (MFA)
While the majority of SMBs believe MFA is not suitable for them, it’s actually a great way for small businesses to prevent security breaches related to spear phishing by making sure that business accounts stay protected, even if a threat actor manages to obtain login credentials from an employee by means of spear phishing.
Verify odd messages, urgent requests and unexpected information
Be wary of emails and other digital messages from a seemingly trusted source containing odd language like spelling or grammar mistakes and phraseology that doesn’t match the sender’s character. Similarly, don’t let urgent requests, desperate pleas or threatening language prompt you to do something unusual. Instead, verify the message with the source, ideally in person or by means of a video or phone call. The same goes for messages containing unexpected and/or highly sensitive information, like an unannounced change in the sender’s billing information.
Never give up sensitive information
Legitimate organizations will never ask for login credentials or credit card information by email, text or IM. If you receive such a request, you are almost certainly dealing with a threat actor. Similarly, be wary of suspicious links embedded in an email or IM. Instead, access the site through your browser and look for its security certificate to ensure you are actually connecting to where it claims to go.
Apply a stringent vetting process for email attachments and links
Never open email attachments or click on images or Internet links in emails from unknown senders. When it comes to emails from (seemingly) familiar contacts or organizations, make sure to double check the email address of the sender, while ignoring the display name. Keep in mind that a legitimate address doesn’t mean the email is safe, as threat actors may have hacked into the account or spoofed the address. Generally avoid interacting with attachments, images and links that you are not expecting to receive and always hover over links with your cursor to verify the URL. You can then even type it into your browser and open the website manually.
Always scan email attachments for malware
Finally, share the tips from this report with your colleagues/business partners
Sharing information on spear phishing prevention with the people you work with, will help to keep your organization safe.
Spear Phishing in Summary
Spear phishing is an email-spoofing attack that targets specific individuals with the goal of obtaining confidential information. Spear phishing attempts are often successful because they can bypass spam filters and security solutions due to their targeted nature.
Users should be trained on how to identify spear phishing emails, avoid clicking links or opening attachments in suspicious messages, and always verify with the sender if something seems off.
Organizations should also deploy additional security measures, such as multi-factor authentication or sandboxing solutions for email services.