Spear Phishing: What is it and How Can You Avoid it?
Table of Contents
- What Is Spear Phishing?
- How Do Criminals Research Their Spear Phishing Targets?
- What are the Biggest Spear Phishing Attacks?
- How To Spot the Signs of an Attack?
- Double Check the Sender’s Email Address
- Check the Contents of the Email
- Is the Sender Asking You for Personal Financial Information?
- Is There a Sense of Urgency in the Email?
- How To Protect Yourself?
- By Rita
- Apr 29, 2022
Spear phishing is unlike other forms of phishing. The attackers collect personal information about their targets to build elaborate, tailored scams, which makes the targeted individuals far more likely to fall for them. Discover what spear phishing is and what helps protect you from it.
What Is Spear Phishing?
Spear phishing uses electronic communications - specifically email - to scam a targeted individual, business, or organization. This scam is typically done by cybercriminals or hackers. Their primary goal is to steal data for malicious purposes or install malware on the targeted user's computer.
The cyber attacker achieves their goal by assembling a seemingly authentic email and sending it to the targeted individual. They conduct pre-attack research on their victims regarding their company or personal life. This way, when their target sees the email is from someone they know, they automatically trust its contents.
Attackers gather information from multiple places to create a complete profile on their target. They research social media profiles, company websites, and public databases to make their messages appear legitimate and trustworthy.
Spear phishers pose as colleagues, business partners, doctors, or government authorities to lower the recipient’s guard further.
For example, an employee may receive an email from “Kim in Human Resources.” The email could instruct them to follow a link or download the attached file. Following those instructions is exactly what delivers the attack.
Spear phishing has a higher success rate than other forms of phishing because each attack is tailored to one individual and avoids the most obvious red flags, rather than being sent to a wide range of recipients. The time invested in researching each target raises the chance of success.
Whale Phishing
As its name implies, whale phishing is about bagging the "big game" within an organization. Attackers build elaborate spear phishing scams aimed at a company's executives or other senior personnel. The goal is to uncover secrets or gain unauthorized access to funds that lower-level employees can't reach.
At its most ambitious level, whale phishing is also known as CEO Fraud or Business Email Compromise (BEC). Between 2013 and 2015, small and medium-sized businesses faced over $1 billion in damages due to CEO fraud, according to the Federal Bureau of Investigation.
How Do Criminals Research Their Spear Phishing Targets?
Criminals use a variety of methods to gather information for their attacks. The most basic spear phishing scams get by with just a few facts, while the more complicated attacks go as far as creating a fake company to fool their victim. Some of the most common research techniques include:
Analyzing Publicly Available Information
Open-Source Intelligence (OSINT) refers to any information available to the public. Sources like social media profiles, networking sites, and public databases can provide a lot of personal data and insight into a target's personality. Even things like an old high school newspaper can be valuable to a spear phisher. Criminals use OSINT to learn about an individual's responsibilities, past relationships, and other affiliations to personalize the attack.
Buying Breached Data
Data breaches expose the personal information of millions of individuals in one fell swoop. It's common to find someone's private email address and several passwords. Some companies lose data outlining customers' shopping preferences, purchase history, and other tracking metrics.
Cybercriminals purchase this leaked data to customize their emails. Additionally, if the spear phisher knows their target has been the victim of a recent breach, they may work the event into the attack by titling it something like "password reset."
Approaching Insiders
Cybercriminals sometimes approach "insiders" within their target's social or professional circles. The attacker may bribe a coworker or trick a friend into revealing personal details. This allows the spear phisher to more accurately impersonate someone close to their target and create a more plausible pretext.
What are the Biggest Spear Phishing Attacks?
Phishing attacks aren't anything new, and they're not rare. However, not many criminals try to take on industry giants. While it's hard to pinpoint the most damaging spear phishing attack, some of the ones that made the largest waves include the following:
Facebook and Google
In 2019, Evaldas Rimasauskas was sentenced to 5 years in prison for attacking two of the biggest household names in the world. Rimasauskas and his partners impersonated Quanta Computer, an electronics manufacturer that frequently works with Google and Facebook.
He posed as the only member of Quanta Computer's board of directors while sending fake invoices, contracts, and other phishing emails to Facebook and Google employees. Rimasauskas researched and targeted only high-level employees who frequently handled multimillion-dollar deals.
The long-term attack managed to trick employees into wiring more than $120 million to foreign bank accounts.
The RSA Data Breach
In 2011, RSA experienced a data breach that cost the company $66.3 million. The attack targeted the seeds of RSA's SecurID tokens, a two-factor authentication system used on a global scale. Stealing the seeds would give hackers access to millions of devices and accounts. In response, RSA completely shut down its systems.
The attack started with phishing emails targeting two lower-level employees. The emails installed malware that broke into RSA's servers and dug up several administrators' login information. This gave the hackers unlimited access to nearly anything they wanted.
Operation Aurora
Operation Aurora refers to a collection of Chinese-driven cyberattacks on American companies in late 2009. Some of the biggest companies in the US were targeted, including Adobe, Symantec, Google, Morgan Stanley, and over twenty others.
Among the victims, Google was the only company to publicly blame Chinese groups, which it did in a blog post. Google also stated that it might close its Chinese offices if it couldn't continue to offer a completely uncensored version of its search engine in China.
One of the attack tactics was a "watering hole" attack. The attackers researched company employees and learned which websites they used most frequently. They then infected those sites with malware and used dedicated phishing emails to invite specific employees to visit them.
Operation Aurora became a significant event in the world of cybersecurity because it demonstrated the importance of cyberattacks in political and industrial conflict.
How To Spot the Signs of an Attack?
Spear phishing can be a difficult scam to identify at first glance, so you must read your emails carefully. Now that you know what spear phishing is, here are some useful tips to help you recognize it before responding to an email.
Double Check the Sender’s Email Address
In a spear-phishing attack, the sender’s email address will always differ from the legitimate email address. The difference is always slight so that the recipient doesn’t notice.
For example, the fake email address may be firstname.lastname@example.org. In contrast, the actual email address is email@example.com. Search the email address in your browser or email history to ensure it’s legitimate.
Check the Contents of the Email
Some cybercriminals make grammar and spelling mistakes in their emails. Of course, anyone can make mistakes. Still, it's essential to observe how the person being impersonated usually writes, including their tone, structure, and signature.
Ask yourself if the tone and grammar are appropriate for the person, organization, or company it’s supposedly from. Check if the email content seems odd, inappropriate, or unusual. If it does, double-check with related contacts. However, do not check by responding to the email.
Is the Sender Asking You for Personal Financial Information?
Beware of emails asking for personal details. Some spear phishing attacks involve gaining access to your banking details. If the sender requests personal financial information, do not comply.
Be sure to double-check with someone else in the organization. Alternatively, you could contact the sender using another method of communication. Always be sure you can trust the sender before sending personal information. The sender may use this information to steal your money.
Is There a Sense of Urgency in the Email?
Most scammers will act as if the matter is urgent. These emails usually request help, money, financial information, or passwords. Sometimes they'll even urge you to follow a link within 24 hours. They’ll insist that if you do not, your account will be deactivated.
Scammers use these "urgency" tactics to make people too panicked to realize something is off. If they give the victims time to think it over, they will most likely figure things out. Ask yourself whether the request makes sense before taking any action. Additionally, you could double-check with a related contact.
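The three checks above (sender address, request for financial details, sense of urgency) can be run mechanically over a message before a human ever reads it. The following Python script is an added example, not code from the original article or any product it mentions: it parses a raw email with the standard library, flags a sender domain that is a near-match for a trusted one (a one- or two-character "lookalike"), flags a Reply-To that points somewhere other than the From domain, and searches the subject and body for urgency and financial-information phrases. The trusted-domain list, the phrase lists and the two sample messages are constructed for the demonstration.

```python
"""Heuristic red-flag checker for one email message (added example, not from the article)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own domain plus known partners (placeholder values).
TRUSTED_DOMAINS = {"example.com", "partner.example"}

# Constructed phrase lists; a real deployment would tune these to its own mail.
URGENCY_PHRASES = [
    r"\bwithin 24 hours\b",
    r"\bimmediately\b",
    r"\burgent\b",
    r"\bwill be (deactivated|suspended|closed)\b",
]
FINANCIAL_PHRASES = [
    r"\bbank (account|details)\b",
    r"\bwire transfer\b",
    r"\bcredit card\b",
    r"\bpassword\b",
    r"\baccount number\b",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a trusted domain at distance 1-2 is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header such as 'Kim <kim@host>'."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""


def check_message(raw: str) -> list[tuple[str, str]]:
    """Return (flag_code, detail) pairs for every red flag found in the message."""
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    flags: list[tuple[str, str]] = []

    sender = domain_of(msg.get("From", ""))
    if sender not in TRUSTED_DOMAINS:
        lookalikes = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(sender, d) <= 2]
        if lookalikes:
            flags.append(("lookalike_domain", f"{sender!r} resembles trusted {lookalikes[0]!r}"))
        else:
            flags.append(("untrusted_domain", f"{sender!r} is not a trusted domain"))

    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(("reply_to_mismatch", f"replies would go to {reply_to!r}"))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    for pattern in URGENCY_PHRASES:
        if re.search(pattern, text):
            flags.append(("urgency", pattern))
            break
    for pattern in FINANCIAL_PHRASES:
        if re.search(pattern, text):
            flags.append(("financial_request", pattern))
            break
    return flags


# Constructed sample: a lookalike domain (r+n in place of m), foreign Reply-To,
# a deadline and a request for bank details.
SUSPICIOUS_MESSAGE = """\
From: Kim in Human Resources <kim@exarnple.com>
Reply-To: kim.hr@mailbox.invalid
To: employee@example.com
Subject: Urgent: payroll verification required

Please confirm your bank account details within 24 hours, otherwise
your payroll account will be suspended.
"""

# Constructed sample: routine internal mail from the real domain.
BENIGN_MESSAGE = """\
From: Kim <kim@example.com>
To: employee@example.com
Subject: Cafeteria menu for Friday

The menu is posted on the intranet news page.
"""

if __name__ == "__main__":
    for code, detail in check_message(SUSPICIOUS_MESSAGE):
        print(f"{code:20} {detail}")
    print("benign flags:", check_message(BENIGN_MESSAGE))
```

The checker deliberately reports every flag rather than a single verdict, because a legitimate payroll reminder can trip the urgency rule on its own; it is the combination of a lookalike sender, a redirected reply path and a request for financial details that should route the message to the "double-check with a related contact" step the article recommends.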
How To Protect Yourself?
Anyone can become a victim of spear phishing. Its direct and personal approach makes it challenging to identify. However, it’s everyone’s responsibility to learn what helps protect them from phishing attacks.
Spear phishing attacks are already hard to recognize. Sometimes cybercriminals do their job so well that we can’t tell it’s a scam at all. Fortunately, there are other ways to protect yourself against these scams.
Have a Response Plan Ready
Protecting yourself and preventing spear phishing attacks is vital. However, it’s equally important to be prepared for the worst.
While most large businesses have dedicated cybersecurity teams, this isn’t always the case with medium- and small-sized organizations. Without one, people may not know what to do during an emergency, and responsibility falls to general management that lacks the knowledge to respond appropriately.
Create a designated team to act quickly and distribute their contact information to all employees. The faster a mistake is caught, the less time criminals have to do damage.
Think Before You Act
As mentioned before, be wary of emails imploring you to act immediately, asking for personal financial information, and offering deals that are too good to be true. Double-check the email address and ensure that you trust the sender before clicking on links and attachments.
Install and Update Security Software
Equip your computer with regularly updated anti-virus software, anti-spyware, firewalls, and email filters. These security systems will warn you about any potential threats to your device.
It’s best to use threat detection solutions with a focus on machine learning and artificial intelligence. This allows them to identify and block advanced phishing attempts without disrupting your workflow. These tools automatically analyze emails and messaging applications for malicious attachments or URLs.
Keeping your everyday software updated helps in the same way, because updates contain critical patches that close the holes cybercriminals exploit.
Beware of Hyperlinks
Avoid clicking hyperlinks in emails unless you are sure the sender is trustworthy; otherwise the link may be a scam. Instead, type the URL directly into your address bar. You can also inspect a link by hovering over the hyperlinked text, which reveals the full address it actually points to.
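Hovering over a link reveals what the mail client already knows: the visible text and the real destination are two separate things. The Python script below is an added example (not code from the article) that automates that hover check over an HTML email body. It collects every anchor with the standard-library HTML parser and flags two patterns: link text that itself looks like a URL or domain but whose host differs from the host in the `href`, and an `href` whose host is a bare IP address. The sample HTML and the hostnames in it are constructed for the demonstration.

```python
"""Flag deceptive hyperlinks in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take for an address: optional scheme, host, optional path.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def host_of(url_or_domain: str) -> str:
    """Lower-cased host of a URL; bare domains are accepted by prepending a scheme."""
    value = url_or_domain.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_deceptive_links(html: str) -> list[tuple[str, str, str]]:
    """Return (flag_code, visible_text, href) for each suspicious anchor."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings: list[tuple[str, str, str]] = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        # The text claims one destination, the href goes to another.
        if URL_LIKE.match(text) and host_of(text) != href_host:
            findings.append(("text_host_mismatch", text, href))
        # Legitimate services are reached by name, not by a raw address.
        if IPV4.fullmatch(href_host):
            findings.append(("ip_address_host", text, href))
    return findings


# Constructed sample body: one link lies about its host and uses a raw IP
# (198.51.100.0/24 is a documentation range), one is honest, one shows a
# plausible domain in the text while pointing at a different registrable domain.
SAMPLE_HTML = """
<p>Your password expires today.
<a href="http://198.51.100.23/reset">https://accounts.example.com/reset</a></p>
<p>See the <a href="https://intranet.example.com/news">intranet news</a> page.</p>
<p>Pay the invoice at <a href="https://pay.example-billing.net/inv/42">pay.example.com</a></p>
"""

if __name__ == "__main__":
    for code, text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"{code:20} text={text!r} href={href!r}")
```

The "intranet news" link produces no finding because its text is a description rather than an address, which is the normal case; the rule only fires when the text itself makes a claim about where the link goes that the `href` contradicts.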
Use Stronger Authentication
Set up multi-factor authentication methods for your accounts. This will make it harder for scammers to access your personal information. For example, you could opt for a one-time PIN sent to your mobile device. Now, the cybercriminal would need more than a username and password to log in.
Make Your Passwords Long and Strong
Make your password as strong as possible. Combine capital and lowercase letters while adding numbers and symbols. This will make your accounts much more secure. Another important tip is to avoid using the same password for multiple accounts. This could make you vulnerable to security breaches.
Contact the Sender
Sometimes the scam is so elaborate that it's difficult to tell whether the email is trustworthy or not. You can try and find out by using a different method of communication before responding. Alternatively, you could check with a related contact. This may include a relevant contact within the supposed sender's company. You could even contact their customer service department.