What is Spear Phishing?
Spear phishing is a highly targeted phishing attack, which is focused on a specific person or group of people. In these cases, a perpetrator, who is typically disguised as a trusted individual, deceives a target into clicking a spoofed link in an email, direct message, or text message. The target then unknowingly reveals sensitive information (such as login credentials). The victim may also install a malicious program (malware).
While this may seem easy to avoid, these scammers use social engineering tactics to lure users in. This might include mining and using personal information such as the names of the target's friends, their hometown, or their employer. They may also find information such as locations the target frequents or items they have recently bought online. Since these are such highly targeted, unique attacks, spear phishing deserves special attention when formulating an email security strategy.
How Serious are Spear Phishing Attacks for Businesses?
According to the FBI, losses emanating from Business Email Compromise (BEC) scams surpassed $1.86 billion in 2020, which is more than the combined losses stemming from the next six costliest types of cybercrime. In addition, during the beginning of the COVID-19 pandemic, Zscaler found that the number of blocked suspicious messages targeting remote workers increased by 30,000%. Similarly, the number of COVID-19-related spear phishing attacks rose by 667%.
The Main Types of Spear Phishing Attacks
When it comes to spear phishing attacks, there are typically two general types: multi-phase attacks, and email spoofing attacks.
Multi-Phase Spear-Phishing Attacks
Step 1: Infiltration into a Business Email
Most multi-phase spear phishing attacks begin with a very personalized, subtle request, such as a link click that leads to a different site. Employees with extensive security awareness training would likely spot the flaws that reveal this request as a scam; the average employee may not. That is why these attackers often go for easier, more susceptible targets, such as mid-level employees in areas like sales, marketing, support, and operations.
Unfortunately, this link click, which is the first step in a multi-phase spear phishing attack, is aimed at stealing the target's username and password. If multi-factor authentication is not enabled, then once the attacker gains control of these credentials, they can log in to the account. This is the first step: infiltration.
Step 2: Investigation of Company’s Processes
Once logged into an employee’s account, the spear phisher will usually monitor the account and read any email messages. This helps them to learn about the organization. This information may include who the decision-makers are, who has influence on financial transactions, who has access to HR information, and more. Additionally, it allows attackers to watch all interactions the organization has with other enterprises, like partners, customers, or vendors.
This knowledge is then utilized to perform the last step of the spear phishing attack.
Step 3: Extracting Value
After investigating and spying on the processes of a business, spear phishing attackers will then launch a targeted attack. As an example, they can send the company’s customers fake bank account information at the time the company is supposed to make a payment. Alternatively, they can trick other employees into sending confidential HR information, wiring money directly or getting them to click on links where they can collect even more credentials and information.
Since the email is coming from a legitimate, but compromised, business account, these emails will likely appear completely normal, and the information collected allows the attacker to perfectly mimic the sender's signature, tone and even writing style.
Email Spoofing Spear Phishing Attack
Step 1: Creating a Fake, But Similar Email Account
Email spoofers will first fake an email address by creating an email account that looks similar to a legitimate business's address. As an example, the attacker may create an address that appears to come from PayPal or Microsoft.
Step 2: Sending an Email
After the fraudsters create a fake email account, they send an email to a specific business department, such as accounting, sales or human resources, to request a transfer of funds or information. This email may convey a sense of urgency to get the employee to act more quickly. As an example, the message may tell a user that their account will be suspended if they do not click on the link. If the user is tricked and types in their credentials, the attacker now has credentials to authenticate to the targeted user's PayPal account, where they can potentially steal money from the user.
Step 3: The Employee Responds
After receiving the urgent email, the employee may respond, having only looked at the sender’s name – and not the spoofed email address. This may include a wire transfer sent to the scammer, or even potentially login credentials to important accounts, such as banking information.
Examples of Spear Phishing Attacks on Businesses
Scammers oftentimes take advantage of what’s going on in the present in order to create their phishing lures. As an example, the COVID-19 pandemic has prompted lots of schemes centering around government benefits, as well as job opportunities, and even hand sanitizer purchases.
Here are some examples of other successful spear phishing attacks.
1. A Recent Purchase
When it comes to large retailers, managing customer data is crucial, because if there is a leak, the affected individuals become easy targets for spear phishing attacks. Likewise, if there are sellers on a retailer site, with a model similar to Amazon or Etsy, those seller accounts need to be protected in order to safeguard the additional information they hold. Unfortunately, this happened to Amazon in 2019, when sellers' accounts were compromised and their revenue was funneled to the attacker's accounts.
This could also happen on the buyer side of a purchase. An email from an online store about a recent purchase may be sent from a spoofed account. This email would then include a link to a login page where the scammer will plan to harvest your credentials.
2. Automated Bank Messages
Another way scammers may take advantage of users is via automated phone calls and text messages. These messages will state that your company’s bank account may have been compromised, and also mention a number that the user can call. Once the user calls that number, they are prompted to give their information to confirm that they are the account holder. After this information is confirmed, scammers will use this to get into businesses’ accounts and wire themselves money from said account.
3. A Deactivated Account / Verifying Account Activity
When scammers can collect a list of email addresses from inside a company, they can use this list to send out mass emails stating that the user's account has been deactivated or is about to expire. They could also send an email asking users to "verify account activity". The email then prompts the user to click a link and provide their credentials.
4. Employee Handbook or Guides
Pretending to be a member of a specific company is the easiest way for an attacker to get users to trust the email they are sending, especially at a larger company. One way to conduct a spear phishing campaign of this kind is to send around attachments with a request for review, with titles such as "2021 Recruitment Plan" or "2021 Employee Handbook". If an employee opens that email attachment, it can install malware on the computer, which gives the scammer remote access and the ability to steal sensitive data or launch follow-on attacks like BEC or ransomware.
Spear Phishing Mitigation
Since spear phishing attacks are highly targeted in nature, they can be extremely difficult to detect. With that said, there are several risk prevention measures that can help, including the recommended items below.
Setting Up Two-Factor Authentication
Two-factor authentication helps you securely log in to sensitive applications. It requires users to have two things: a username and password, as well as a smartphone code or cryptographic token. When this method is used, even a compromised password is of no use to an attacker without the physical device, which is held by the real user.
A password management policy, or a general password manager (which will only fill credentials on the site they were saved for), can help prevent employees from accidentally using corporate access passwords on fake external websites. An example of this is to instruct employees to always enter a fake password when trying to access a link provided via email. Legitimate websites will not accept a false password, but a phishing site most likely will.
Security Education Campaigns
At an enterprise level, organizations can raise security awareness by actively training employees and highlighting the importance of learning how to spot, and hopefully stop, spear phishing attacks. These training materials may feature real-life examples or simulated spear phishing attacks, with fake emails being sent out, as well as questions designed to test employee knowledge.
In addition to the items listed above, here are some more items to be aware of:
- Avoid clicking on links and attachments, especially if you do not know the sender
- Look out for red flags when it comes to sites that may be used for phishing scams
- Avoid sending personal information, especially login credentials
- Verify suspicious requests through a separate channel, for example by looking up the phone number of the business in question online rather than using contact details supplied in the message
- Look out for fake emails, and always check the email address of the sender
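The email spoofing steps above and the last checklist item both come down to comparing the display name with the actual sender address. The following Python is an added example (not from the original article) of an automated version of that check for a mail gateway or help desk triage script: it flags a display name that claims a trusted brand while the address domain does not belong to that brand, lookalike domains built from confusable characters or a one-character typo, and a trusted domain used only as a leading subdomain label. The trusted-domain list and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of domains the organization trusts; an assumption
# for this example, not something the original article supplies.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}

# Character substitutions commonly seen in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Fold confusable characters so 'rnicrosoft.com' compares as 'microsoft.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return warnings for a From: header value; an empty list means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return []
    warnings = []
    bare_name = re.sub(r"[^a-z0-9]", "", name.lower())  # "PayPal Billing" -> "paypalbilling"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in bare_name:
            warnings.append(f"display name claims '{brand}' but address is '{addr}'")
        if normalize(domain) == trusted or edit_distance(domain, trusted) <= 1:
            warnings.append(f"domain '{domain}' is a lookalike of '{trusted}'")
        elif domain.startswith(trusted + "."):
            warnings.append(f"'{trusted}' is only a subdomain label of '{domain}'")
    return warnings


if __name__ == "__main__":  # constructed sample headers
    for hdr in ['"PayPal Billing" <alerts@paypa1.com>',
                'Finance <ap@paypal.com.account-verify.net>',
                'PayPal <service@paypal.com>']:
        print(hdr, "->", check_sender(hdr) or "ok")
```

A real deployment would also verify SPF, DKIM and DMARC results, since a display-name check alone cannot catch a message sent from a genuinely compromised account.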
Spear phishing emails are built to purposefully impersonate someone that your users trust – ultimately tricking them into sending credentials, money, or other personal information. Unfortunately, the sophistication of these unique types of attacks helps them to avoid overall detection.