Try demo

Big money spear phish campaign on the loose

How a spear phisher skewers victims

Here’s a major spear phishing campaign we’ve seen resurface after first making the rounds in early 2020. It’s targeting people around the globe and in a plethora of languages.

Spear phishing is an email scam that’s targeted at a specific person or business. As you’ll see, they can be very effective and deceptive.

The initial email of this campaign is well crafted. Its first-name greeting makes the email feel more personal and legitimate. The lawyer mentioned has been carefully selected. He’s a very public figure, so a basic Google ID check will turn up many results and create a sense of legitimacy. This lawyer works in a large, easily recognizable law firm, which further establishes a sense of trustworthiness. The email is signed by a colleague of the victim, and the final touch, “Sent from my phone,” is added to make it seem less suspicious that the email originates from an external email address.


Email 1: Spear phisher posing as colleague


The hook is now in the water. Replying to this email initiates a dynamic discussion based on the reply. The second email sent by the malicious actor explains the situation further.


Email 2: spear phisher posing as colleague


Note the flexibility the malicious actor is expressing by asking for the best way to complete the transfer, leaving room for varying company policies.

Now let’s take a real case that progressed worryingly far. The victim is now replying to the second message. In this case it happens to be a new employee, which might boost the scam’s potential for success.


The spear phishing trip


Victim response to email 2


Spear phisher’s first response to victim establishes deadline urgency and financial stakes
Victim’s response
Spear phisher dials up the deadline urgency
Victim’s response
The spear is thrown


Close call

This whole conversation happened in under six hours. The last email sent by the malicious actor was delivered at 3:06 PM, leaving the victim under an hour to complete the transaction. The victim finally realized something was fishy and, fortunately, reported the email instead of following through with the transfer.

Think about that for a second. The malicious actor got within an inch of walking away with a couple million dollars in stolen funds, armed with only some background reconnaissance, a well-thought-out story, and a couple hours of work.

In other iterations of this campaign, depending on how the conversation has progressed, we’ve seen malicious attachments as well as contact information of coworkers in specific roles and other confidential company information being shared. This shows just how dangerous a spear phishing campaign can be.

Steering clear of these types of impersonation attacks is actually quite simple. If an email originates from an external domain but tries to make you believe it comes from a colleague, always contact the person via some other communications channel to verify. One additional phone call or text message surely is better than losing millions of company funds.

Hoxhunt response

The Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button.