What is Spear Phishing?

Phishing attacks continue to grow in sophistication and frequency. Cyber criminals are getting more successful in their malicious attempts. Phishing, including spear phishing attacks, remains the no. 1 attack gateway to gain access to consumer data and corporate networks.

Most cyberattacks start with phishing

Did you know that 91% of cyber attacks start with a phishing email? Phishing protection firm Cofense conducted a study on phishing attacks among 23 industries around the globe. They wanted to find the state of the phishing trade. They sent millions of simulated phishing emails to millions of employees. These are the findings:

• • 87% of employees opened the simulated phishing emails on the same day they received them.
  • Most employees opened their emails in the morning.
  • 67% of employees are likely to open another phishing email.
  • To be effective, most phishing emails contain a business communication theme.

• Behavioral conditioning or phishing training can decrease employees’ vulnerability to malicious emails.

The study reveals that unstable emotions is a major cause of employee vulnerability to phishing. Employees should be the guardians of the security system of the company. Yet, they can also be potential vectors for phishing.

The study concludes that education and training can reduce phishing susceptibility. These programs can also improve employee attitude and enhance detection rates.

McAfee Total Protection

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

What are spear phishing attacks?

Here’s a simple spear phishing definition. Spear phishing is a targeted cyber attack on specific individuals or members of an organization. Its primary goal is to steal sensitive information for malicious purposes. It is usually done through emails, social media, and other online platforms.

Phishing vs. spear phishing vs. whaling

There’s a thin line between phishing, spear phishing, and whaling. When you go fishing out into the sea, you cast a net. The net catches every sea creature that comes into its web. They may include fish, shellfish, reptiles, sea turtles and other marine creatures.

In much the same way, phishing is the casting of a wide net of emails to broad and random targets. It involves the mass distribution of emails without targeting individual victims.

The main aim of phishing is to harvest personal information like login credentials. Phishing work involves baiting recipients into clicking a malicious link or file. The link may be a sham website of well known brand, such as Apple, Microsoft, Google, Amazon, and other popular brands.

Identity Protection - McAfee Total Protection

Buy Now

We earn a commission if you make a purchase, at no additional cost to you.

A phisher can send a phishing email to you prompting you to log in to your bank account to update your credentials. If you’re not vigilant enough, chances are you will respond and click on the supplied link. This will redirect you to a hacker’s fake website that looks and feels like your bank’s website. At the fake website, the hacker can steal your login and other sensitive information. He or she can use your information for nefarious activities or sell them on the dark web.

Spear phishing has the same goal as phishing. But it aims for specific targets from whom spear phishers want something in particular. Before they send the emails, spear phishers do a background check on you and pretend to know you.

They use social engineering to manipulate you to share confidential information. Their  emails look like they come from a friend or trusted source. These emails look urgent or work-related. They also offer a great deal you can’t refuse so that you take action as instructed. Remember, spear phishers want something specific for you to do.

Consider this scenario. A spear phisher goes to LinkedIn and looks for you there. He finds that you are friends with your CEO, Bob Hup, and that you have a new project. You later receive an email request from your CEO, requesting you to wire $50,000 to a contractor for your project.

The email comes from a certain bobhup11@gmail.com account. If you are not paying close attention, you might send the wire transfer. The email comes from a fake gmail account created by the hacker. Take time to check because your boss uses his company email bob-hup@abc.com for work-related messaging.

The above example represents whaling. Also called CEO fraud scams, whaling attacks use social engineering techniques. Whalers apply highly targeted attacks to the mid-tier employees in the company. They tempt them to take action based on the belief a superior or executive requested it. Hackers use social engineering techniques to condition the minds of lower-level officers to obey higher-level executives.

Other forms of spear phishing

Spear phishing comes in different forms, depending on the platform used to execute the attack and who it’s aimed at.

Smishing

Smishing is a form of spear phishing attack using text or SMS (Short Message Service). Smishing activities operate in the same way as email phishing. The SMS seems to come from a legitimate source, such as a trusted brand, but contains malicious links that steal sensitive information.

Vishing

Vishing is also known as voice phishing. Hackers use phone calls to relay automated messages. The calls seem to come from authentic institutions like a bank or a government agency. The spear phisher may inform you that your credit card has suspicious activity. Or that you owe a big amount of money to the tax department. Or that your car insurance has expired. They then offer help to remedy the problem. They may ask you to provide them your login information or gather information relevant to your account.

Clone phishing

Clone phishing is an email spear phishing attack. The clone phisher resends a copy of an original email you have received before. The hacker replaces the original attachments and links with malicious ones. The attacker uses an alibi, such as issues with the original attachments and links.

Social media phishing

Attackers use social media sites like Facebook, Instagram, and Twitter to launch their spear phishing works. Hackers create fake accounts of a well-known brand’s customer service. They can also impersonate friends of their victims. The hackers prompt their victims to follow a link and input their credentials. If the victims fall for the trap, the hackers will have a chance to steal personal details on their bank accounts and other confidential information.

Pharming

Pharming is a form of spear phishing attack that targets Domain Name Servers (DNS). Hackers redirect victims to malicious websites instead of the correct IP address. The hackers can then steal their personal data. They can also infect their device with malware when the victims land on the fake websites.

Signs of a spear phishing attacks

Companies that promote remote work are easy targets of spear phishing. So are e-commerce businesses, social media users, and Internet surfers. Businesses, big or small, are not immune from spear phisher attacks. But they can at least spot the symptoms of spear phishing to mitigate the consequences. Here are some of them:

Inconsistencies in email addresses and domain names

Sometimes, you may receive emails from familiar email addresses. But they look a little off. Try checking against previous communications if the email addresses match. Emails coming from co-workers should contain email addresses with your company’s domain name.

For example, johndoe@gmail.com is a personal email account. johndoes@companydomainname.com is a corporate email account. If the email doesn’t come from a business account, take precautions and don’t click.

A sense of urgency, persuasion, or threat

Spear phishing attacks contain urgent, persuasive, or threatening messages to convince victims into taking action. Spear phishers will send an urgent request that you need to act on immediately. Or that you are the beneficiary of some form of reward or benefit. Worse, they will warn you of negative consequences if you do not take action on their request.

Unsolicited request

You may receive marketing material you did not request. You may also receive a message that qualifies you for a prize in a raffle you did not join. Suspicious emails with unsolicited requests aim to bait you into downloading malware. They may also be tricks to tempt you into clicking on malicious links to capture your personal information .

Unusual request

Spear phishing messages contain unusual requests. For example, the scope of your work involves accounting and bookkeeping. Suddenly, you receive an email request from the IT team to install a program or a link to patch your PC. This is a red flag and you should not follow the request. Contact the IT team immediately to confirm if they really sent the instructions.

Request for credentials and other personal information

Many spear phishing communications contain malicious attachments that trap your personal information. Do not open or download. Unsuspecting email recipients may also click a link that directs them to a fake landing page with a login box. Do not click on the link. Spear phishers want your confidential data. You can check if the link is authentic by entering the URL from the source email in a new tab.

Attachments from unfamiliar sources

Attachments from unfamiliar sources are spear phishing techniques that lead you to suspicious websites or programs. More so if you did not request for those files. Inform your IT security department and let them virus-scan the files.

Other telltale signs of spear phishing

Other signs you should watch out for to avoid spear phishing attacks:

• Suspicious and unfamiliar messages
• Shortened links, think Bitly
• Copycat URLs that contain very subtle differences from the genuine ones
• Locked accounts
• Increased spam emails

How to prevent falling victim to spear phishing emails

For most organizations, email is the most important channel of communication. But it is also the most common attack vector for phishing. You can avoid spear phishing emails by implementing basic email best practices, such as the following:

Analyze your team’s email activity

Email has become an integral part of most organizational setups. Employees spend hours using it. How many work-related emails do they process every day? And how many personal email threads do they send and receive everyday? What types of company websites do they connect to? Are they safe or do they pose a threat?

You should analyze your team’s email activity to get an idea of how safe or risky your company is to spear phishing scams.

Encourage the use of strong email passwords

Most cyber criminals are good at guessing passwords. They use social engineering approaches to get them. A strong password uses a mix of uppercase letters, lowercase letters, and symbols. Also, the longer a password is, the stronger it is. Each new character in the chain multiplies the number of guesses a hacker has to make. It is also important to make sure that you are not using generic characters like “123456” or “wxyz”.

Do not use a single password for all your email accounts

Spear phishing attackers want your sensitive data. Using a single password for all your email accounts is risky. If a hacker can crack this single password, he or she may attempt to try it on your other email accounts. This can lead to compromising all your other accounts.

Change your email password regularly

Change your password as often as possible to make it hard for hackers to crack it and steal your sensitive data. After a password leak or data breach, change your password immediately. This way, hackers cannot access your account even if they have stolen the old one.

Never share your email password

Sharing your password even with friends or coworkers is not a good idea. And no reputable email company will ask for it directly. If they do, it is most certainly a scam.

Choose the devices and security software you use

Some companies issue devices with built-in security software to their employees. Others encourage them to use their personal devices for work. Employers should check if their personal devices have antivirus software and other security software. Using personal devices can pose a security threat to the corporate network. If you use an infected device to log in to your corporate email, you may compromise whole network.

Use two-factor authentication

Two-factor authentication offers an added layer of protection. It involves at least two authentication factors before you can access your account. It includes your password and a one-time passcode sent to your email or mobile device.

What to do after responding to a spear phishing email

In spear phishing, the human factor is the weakest link. If you have opened a malicious attachment or link by accident, you should immediately contact the IT security team. Here are the things to do after opening a spear phishing email:

Change credentials immediately

Hackers often use malware as a means to harvest personal information. This may include usernames and passwords. Immediately change your credentials. Give special attention to your personal and financial accounts. In other words, change passwords for all your online accounts.

Report the phishing incident to the IT security team

Report the incident to the IT security technical staff as soon as possible. It allows them to take action immediately and gather information about the attack. The IT team should inform other employees who might have received similar emails. They may also run a complete scan of the company system or clean your device or the system before resuming operation.

Circulate fraud alerts

If a phishing attack compromised your bank account, contact your bank as soon as possible. Request them to put an alert on your bank account. If your credit cards are compromised, inform your credit card companies. Let the major credit bureaus know what happened so they can set up alerts on your credit cards as well.

Backup your files

It is possible that files are not immediately erased after a spear phishing attack. You may still be able to save your work data. You can do this by using a separate device to store your data, such as a hard drive or the cloud.

Let the IT team investigate the phishing attack

When necessary, the IT team should block the compromised account while they investigate.  The investigation should find out the extent of the phishing attack. It should also assess its impact. The IT team must:

• Identify the phishing emails that users responded to
• Look for other possible emails from the same sender
• Determine who else in the organization may have received the same email
• Analyze the malware program introduced into the network
• Pull out the email and clean up the malware from the system

Examine accounts regularly

Accounts that have been “phished” before are especially vulnerable to future phishing attacks. So check for suspicious activities to avoid falling victim to future phishing attempts.

Educate and train the workforce

User education is key to a secure workforce. The training should include common spear phishing threats and the company policy on security. The team should also present internal simulations of phishing attacks. This will help employees spot phishing emails and know what to avoid.

IT should put in place email security techniques that block phishing emails like:

• Email filtering
• Spam filters
• Sandboxing
• Browser isolation
• Machine learning tools

Takeaway

Finally, “phishers” are becoming stealthier. They now use more sophisticated methods to achieve their goals. But there are also other ways companies can protect their networks. They must develop future phishing strategies and security policies to repel new threats.

Again, the human factor is a precarious link in the phishing cycle. Employees should know and understand the phishing risks they may face. More importantly, they should know how to address them. An informed workforce and protected system are key to a secure company network.