Figures in a research paper published by Trend Micro indicate that 91% of cyber-attacks and subsequent data breaches began with a spear phishing email. In 2020, some 66% of organizations worldwide suffered a spear phishing attack.
What is Spear Phishing?
Spear phishing is a form of cyber-attack in which the perpetrator uses email or other messaging media to coax a desired response from a specific individual or organization. That response may be the revealing of sensitive personal or corporate data, the release of funds, the following of a link to a bogus website where the attacker can extract valuable information or install malicious software (malware) on the victim’s system, or the direct download of malware from a message attachment.
In a typical spear phishing attack, the perpetrator will have conducted some quite extensive research using Open Source Intelligence (OSINT) to gather relevant information on the potential victim, their associates, and dealings. OSINT may originate from corporate websites, social media accounts, search engines, and other publicly available data sources. This information, once gathered, is used to make the language, pitch, and premise of a spear phishing message appear more genuine.
There are also variants on this basic idea.
For example, in whale phishing or whaling, the intended victim is usually a top-level executive of a commercial organization. It is assumed that these individuals have a higher level of access to corporate networks, company funds, industrial secrets, and intellectual property. This type of attack is also referred to as CEO fraud.
In what is known as Business Email Compromise or BEC, information gathered on senior executives of an organization enables the perpetrators to effectively impersonate them in urgent messages to lower-level officials or employees. This can allow the attackers to order the urgent release of funds, the disclosure of corporate network access codes and credentials, and other valuable information.
Spear Phishing Targets
As we have seen, spear phishing is a targeted form of attack that can zero in on both individuals and corporate bodies, so attackers draw their spear phishing targets from both consumers and businesses.
At the individual or consumer level, cyber-criminals may set their sights on high spending customers of online catalogues or payment platforms, gleaning information on their recent purchases or transactions from a range of sources. They can then pose as an institution that the intended victim trusts, such as a credit card company, bank, or eCommerce provider.
In a typical attack on an individual, the spear phishing communication might be framed as an account verification exercise, delivery notification, or confirmation of a transaction. A link to a bogus website or an infected attachment may lead the victim to unintentionally install malware on their system. Alternatively, the attackers may be looking to gather personal information that can assist them in committing fraud or identity theft.
For businesses and institutions, spear phishing will usually begin with an individual target, such as an employee with privileged access to payroll, inventory, or network access codes or a senior executive with access to higher-level corporate data and funding.
An objective of the attack may be to entice the individual to release confidential information or to authorize the release of payments on a bogus transaction. Alternatively, the attacker may use the person as a channel of access to the broader corporate network — either through the disclosure of access codes or by infection of their system with spyware.
Difference Between Spear Phishing and Phishing
The main differentiator in the spear phishing vs phishing comparison is targeting. Whereas a spear phishing attack focuses on a particular individual or organization and has a specific objective in coaxing information or action from them, phishing is broad-based and hit or miss. Perpetrators of phishing scams will cast a wide net, sending messages out to hundreds or even thousands of potential victims at a time. Their assumption is that, even if only a small percentage of the recipients respond in the desired manner, they can still make substantial gains.
How Does Spear Phishing Work?
To a large extent, spear phishing depends for its success on human nature and psychology. People are naturally inclined to trust individuals and organizations with whom they have had previous dealings. They also tend to sit up and take notice when contacted by a figure of authority.
Spear phishing perpetrators understand this — which is why they go to such great lengths to acquire information relevant to their potential targets, such as their names, preferred nicknames, job positions, recent transactions, and frequently visited websites or online resources. Knowing this enables the attacker to craft messages that the victim will perceive as relevant and to impersonate a sender that their target is familiar with.
Posing as a senior authority figure or influential organization enables spear phishing attackers to create a greater sense of urgency in their requests for data or immediate action on the part of the recipient. Again, they draw on the natural human tendency to act instinctively, without thinking, when faced with a crisis situation or an “act now, reap great benefits” scenario.
With growing success over the years, attacks have been increasing in sophistication to the extent that modern spear phishing campaigns can be extremely difficult to spot. There’s a large pool of Open Source Intelligence from which attackers can draw information to entice victims into believing their stories. And by the time the victim realizes that they’ve been fooled, they may have given out data that enables the attacker to commit fraud, obtain money, steal a victim’s identity, or even gain access to a corporate network.
How to Protect Yourself Against Spear Phishing?
If you want to know how to stop spear phishing, there are several precautions you can take to prevent a successful attack from occurring. They include:
Limit the amount of personal information you put out on the net. Much of the success in crafting effective spear phishing messages comes from the accuracy of data available on social media, company websites, and other sources. If you keep this information to a minimum, there’s less chance that an attacker can frame a message accurate enough to fool you.
Verify all urgent requests for information or action. Don’t trust the content of the message alone. Contact the sender (or rather, the person the sender is claiming to be) by phone, instant messaging, or another channel to confirm that they are actually the source of the request.
Use up-to-date security and anti-phishing software. This can help to block a proportion of the malicious messages circulating on the web. Some systems use Artificial Intelligence (AI) to detect signs of company or brand impersonation.
Have an organization-wide data protection policy. This should include data protection software and systems, plus user education on cybersecurity best practices.
This last point is particularly relevant for businesses and institutions. For organizations, what helps protect them from spear phishing? Cyber awareness. This extends from security awareness and best practices such as strong password management and not clicking on links or attachments in email messages to formalized training, incident response and reporting mechanisms, and attack simulation exercises.
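The checks below illustrate the kind of impersonation signals an anti-phishing filter looks for in the BEC scenario described earlier: an executive's display name on the wrong address, a lookalike sender domain, a Reply-To that diverts replies, and urgency wording. This is an added example written for this page, not code from the original article or from any vendor; the company domain, the executive directory, and the sample message are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a BEC-style lure with an executive's display name on a lookalike domain.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Reply-To: ceo.office@webmail.example
Subject: Urgent wire transfer needed today

Please process the attached invoice immediately and confirm once done.
"""

ORG_DOMAIN = "example-corp.com"                         # hypothetical company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # hypothetical directory entry
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "act now")


def edit_distance(a, b):
    # Levenshtein distance, used to spot typo-squatted sender domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    # Returns a list of impersonation/urgency findings for one RFC 5322 message.
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.lower().rsplit("@", 1)[-1]
    findings = []
    # Display-name impersonation: a known executive's name on an unexpected address.
    for exec_name, exec_addr in executives.items():
        if exec_name in name.lower() and addr.lower() != exec_addr:
            findings.append(f"display name '{name}' used with address {addr}")
    # Lookalike domain: a near-miss of the organisation's own domain.
    if domain != org_domain and edit_distance(domain, org_domain) <= 2:
        findings.append(f"sender domain {domain} resembles {org_domain}")
    # Reply-To redirect: replies would go somewhere other than the sending domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {domain}")
    # Urgency pressure in subject or body, the lever the lure relies on.
    body = msg.get_body(("plain",))
    text = (msg["Subject"] + " " + (body.get_content() if body else "")).lower()
    if hits := [term for term in URGENCY_TERMS if term in text]:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings
```

Any one finding is only a signal; a filter would typically score them together and route high-scoring messages for the out-of-band verification recommended above.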
What is a Spear Phishing Simulation?
A spear phishing simulation is a realistic but non-malicious attack staged by IT security professionals, intending to assess the vulnerability or resilience of an organization and its employees to spear phishing tactics. It may be considered a form of penetration testing (pentesting), or ethical hacking.
In a typical scenario, the attackers will assemble Open Source Intelligence (OSINT) of a type that would be readily accessible to hackers in the wild. Using this information, they will craft various messages as spear phishing lures for one or more members of the contracting organization. Their degree of success in landing their targets may be taken as a measure of the level of security awareness within the company or institution.
For organizations and their personnel, spear phishing simulations provide an educational, interactive, real-time method of demonstrating how well prepared they are to recognize and counter real spear phishing attacks.
The results of these exercises can demonstrate the extent to which personal and business data or intellectual property housed within an organization are vulnerable to threats and shed light on how well-positioned the organization is regarding its regulatory compliance obligations or industry standards. The results can also indicate where interventions such as security awareness training, the installation of security software, and increased data protection measures are needed.
Consult an expert IT professional service if you’re worried about the dangers of spear phishing or would like to stage a simulation to test your corporate resilience. CG Technologies can work with you to educate your staff and help to protect you from cybersecurity threats. To find out more, get in touch with us.