Spear Phishing 101: What You Need to Know
There are many forms of phishing, smishing, vishing… you name it. But one of the most tried and true methods of phishing is spear phishing. In this piece, we’ll dive into what exactly qualifies as spear phishing and how security teams can effectively tackle this very targeted method of digital attack.
What Is Spear Phishing?
Spear phishing is a method of attack that involves targeting specific users with tailored phishing content under the guise of a known contact. The goal of a spear phishing attack is similar to the goal of any phishing attack: to gain access to internal networks, steal credentials or information, and/or infect devices with malware. What makes spear phishing so unique, and effective from an attacker's perspective, is how specific the attack is. Attackers conduct in-depth research into targets in order to choose the perfect sender to spoof, the message to send and the associated call to action. Relying on a combination of platforms, from email and social media to domains and more, spear phishing attacks are complex and effective, making them difficult to identify and thwart.
Spear Phishing vs Phishing: What's the Difference?
Spear phishing is yet another tactic within the broader category of phishing attacks. What makes spear phishing different from traditional phishing attacks is the targeting. Phishing attacks tend to be broad in scale. Recent examples include phishing kits that target major corporations. As phishing attacks have evolved, many traditional phishing campaigns have been automated through the use of phishing kits and other mass campaign tactics.
Spear phishing, on the other hand, requires deep knowledge of the target and an added layer of reconnaissance. Attackers will choose one organization, or a group of individuals, to target with a tailored phishing campaign. Extensive research is done on the organization, often leveraging social media, corporate websites, press and other promotional materials to understand the organization's structure, leadership team and other useful information. The goal of the attacker is to create a believable depiction of the organization or its top leaders that fools its customers, and even its own employees, into believing they are engaging with the legitimate sender.
What are the characteristics of spear phishing?
Spear phishing attacks are all about the target. As mentioned above, the attacker begins by conducting reconnaissance on the target organization or individual. Executives are highly targeted, as their influence and access to information are significant. Attacks targeting high-profile executives or other highly influential people are often referred to as whaling. Whaling attacks leverage the same tools and techniques as traditional spear phishing.
Typical spear phishing attacks involve social engineering, which relies on human psychology to trick unsuspecting users into believing they are engaging with a trusted sender. In most cases, a direct message is sent to a user, either through a spoofed email address or social media, under the name of a known individual, such as the CEO of the company. Spear phishing attacks usually involve a transaction, such as a request to send funds or personal information.
What makes these attacks so effective is their reliance on human error, psychology and specificity. Large-scale phishing campaigns with multiple targets offer more opportunities for security teams to identify the attack. At the individual scale, however, IT teams are much more reliant on the user to recognize the attack. The increased sophistication of these attacks, through methods such as business email compromise, makes spear phishing even harder to detect with traditional tools.
Example of a Spear Phishing Attack
While spear phishing can occur through email, social media or other means, one common example that has risen dramatically in recent years is business email compromise (BEC). Business email compromise involves the impersonation of a high-profile figure, such as an executive at the company. Attackers will leverage a CEO's name to create a look-alike email address and send employees spear phishing emails requesting a wire transfer, sensitive data or a click on a link.
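The look-alike address pattern described above is one that mail filters can check for mechanically. The following is an added example of such a check, written for this page rather than taken from ZeroFox or the APWG report: it parses a raw message, compares the sender domain against the organization's real domain (assumed here to be `example.com`), flags a known executive's display name appearing on an outside address, notices a diverted `Reply-To`, and looks for the transactional wording (gift cards, wire transfers, urgency) that typically accompanies a BEC lure. The executive roster and both sample messages are constructed for the demonstration.

```python
"""Heuristic detector for BEC-style look-alike senders (added example, not the
page's own code). Assumptions: the organisation's real mail domain is
"example.com" and the executive roster below is constructed for the demo."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the org's real mail domain
# Constructed roster of display names an attacker is likely to borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Phrases that typically accompany a BEC request (gift cards, wire, urgency).
REQUEST_TERMS = ("gift card", "wire transfer", "urgent", "payroll", "bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two *different* domains means look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph swaps so 'examp1e.com' compares like 'example.com'."""
    d = domain.lower()
    for src, dst in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d


def analyse(raw: str) -> dict:
    """Return the sender address, a list of reasons, and an overall verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # Mail genuinely from our own domain cannot be a look-alike; external mail is examined.
    if domain and domain != TRUSTED_DOMAIN:
        # Look-alike domain: a homoglyph or near-miss spelling of the real one.
        if normalize_domain(domain) == TRUSTED_DOMAIN or levenshtein(domain, TRUSTED_DOMAIN) <= 2:
            reasons.append(f"look-alike domain {domain!r} vs {TRUSTED_DOMAIN!r}")
        # Display-name impersonation: a known executive's name on an outside address.
        if name.strip().lower() in EXECUTIVES:
            reasons.append(f"executive display name {name!r} on external address {addr!r}")

    # Reply-To diversion: replies routed to a different domain than the visible From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}")

    # Transactional lure: the request itself (gift cards, wire transfer, urgency).
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [t for t in REQUEST_TERMS if t in text]
    if hits:
        reasons.append("financial request terms: " + ", ".join(hits))

    # Two independent signals are required so that a lone keyword in a legitimate
    # internal mail does not trip the verdict on its own.
    return {"from": addr, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample: executive display name on a homoglyph domain with a gift-card ask.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@examp1e.com
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need you to buy some gift cards for a client today. Urgent.
"""

# Constructed sample: ordinary internal mail from the real domain.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 figures

Please send me the Q3 summary when you have a moment.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, analyse(sample))
```

The verdict is deliberately conservative: a single signal only records a reason, and it takes two of the four checks agreeing before a message is marked suspicious. In a production filter the same reasons would typically feed a score alongside SPF/DKIM/DMARC results rather than stand alone.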
In the latest APWG Phishing Activity Trends Report, research found that 71% of BEC scammers requested funds in the form of gift cards in Q3 2020. The most commonly requested amount was roughly $1,205, substantial enough to incentivize scammers but small enough to potentially go undetected. Other requests included payroll diversions and direct bank transfers.
Why Companies Should Protect Against Spear Phishing Attacks
All security teams should be concerned with spear phishing due to its effectiveness in reaching critical targets within the organization. With thousands of emails and social media messages sent each day, it can be difficult to identify spear phishing attacks at scale, but a single attack can have lasting damage on an organization if sensitive information or significant funds are stolen.
Data Security
One of the most important reasons for protecting against spear phishing is data security. Attackers use spear phishing to entice targets to click a link which can then distribute malware or give them access to internal systems or data. Some spear phishing attacks are used as means to steal credentials, particularly from high-profile individuals, which would allow access to sensitive data. Even prior to the attack itself, it’s important for security teams to understand what data is readily available about their organization and its employees online as this information serves as a resource for scammers looking for new targets. Ensure that any sensitive information is not shared publicly on social media or elsewhere on the web, including personal information, travel plans, credentials and more.
Financial Costs of Spear Phishing
As seen in the latest APWG report, most scammers' ultimate goal is to siphon revenue from the targeted organization through gift card scams or direct bank transfers. Organizations whose employees frequently deal with transferring funds, such as financial services, should be especially wary of spear phishing attacks as they are prime targets. While the majority of gift card related attacks reported by APWG were in the $1,000 range, wire transfer requests remain much higher, with an average request of $48,000 in Q3 2020. For small to midsize companies, a single email-based attack could have lasting financial costs for the organization.
How to Defend Against Phishing Attacks
Because attackers rely on a combination of platforms for reconnaissance, attack planning and execution, it’s critical for security teams to have visibility across external platforms. Understanding your organization and its high-profile employees’ social media presence is critical since attackers often leverage public information on social media to build convincing profiles to conduct attacks. Multi-channel spear phishing can also include the creation of impersonating accounts on social media as another means of reaching target audiences. Quickly identifying and removing fake accounts is critical to stop the spread of a spear phishing campaign.
As spear phishing campaigns become more sophisticated, traditional email security methods such as blocking and deleting phishing emails will be insufficient, and more capable anti-phishing software will be necessary. Rather than addressing phishing attacks at the individual email level, working with domain registrars and hosts to dismantle the infrastructure behind those email addresses not only stops the specific attack but also prevents future attacks from leveraging that same domain.
Conclusion
Whether you are looking to tackle email-based phishing attacks, phishing shared through social media posts and direct messages, or phishing sites and kits more broadly, ZeroFox offers comprehensive anti-phishing software providing coverage and protection wherever phishing occurs.