Reports are mounting in popular media of powerful spear-phishing attacks (like the year-long campaign against the oil & gas industry), which leave many wondering: what exactly is a spear-phishing attack? That basic question is a vital step towards cyber self-defense. Understanding what a spear-phishing attack is and how it works will help you recognize it and prevent its execution.In this article you’ll learn what is a spear phishing attack, how it differs from a phishing attack, how to recognize one, and how to stay safe.
Spear-Phishing vs. Phishing
Phishing attacks come in several varieties. The generic attack emails blasted out by the million into inboxes everywhere are the more traditional phishing emails. They leverage volume.But a spear-phishing attack is targeted and cunning. It is the handiwork of a determined threat actor with the time and resources to plan, design, and execute a well-crafted email attack targeted at specific individuals. Hackers like spear phishing because it is an effective way to bypass the sophisticated technical perimeters that protect systems and networks against exploits and malware. All it takes is one person to click one wrong thing, one time.Spear phishing attacks are becoming increasingly popular. Tools such as AI and machine learning are making the attacks more scalable. Such technologies help malicious actors quickly and easily locate more potential victims and create more convincing fraudulent messages from more well-disguised imposters.Spear-phishing is a type of phishing attack that is highly targeted against a single individual. The content of the attack email is crafted to appear personal and believable. It won’t raise immediate red flags. Spear-phishing requires more effort than a regular run-of-the-mill phish, but it is also more effective. When regular phishing emails get detected by the company´s employees, the attacker will focus on spear-phishing and will be more likely to succeed in getting what they are after.Even state-sponsored threat actors are hacking high profile individuals, private organizations, and critical industrial systems. APT (Advanced Persistent Threat) groups might have the know-how and financial support, but because complex exploits are expensive, hard to come by, and not as reliable as email, spear phishing is the next best thing. Spear-phishing is also a perfect method to gain a foothold into a company´s network and creep around unnoticed because a high-quality spear-phishing attack is extremely hard to detect.
As a social engineer, I have had the privilege to legally conduct spear-phishing attacks against large, well-known organizations as well as companies managing critical industrial systems. The most successful campaigns have usually started from a single piece of media that our customer had published online. They were unaware that the news, interview, job listing, marketing video, or a simple photo on company premises might also contain information that could be used in a malicious way. From that small piece of information, I have been able to gather or guess some intimate social practices or information that the company´s employees might think is only available to current team members.I could pose as a high-profile employee with an email mimicking the way an internal email is written. The email would contain important intimate information about current events to increase the likelihood of a high number of people clicking the possibly malicious link or opening an attachment that could have been malware.One colleague of mine recently wrote about spear-phishing attack that got within one last-minute verification call from losing $2 million. While the attacker’s planning could have taken weeks, the email exchange itself took only 6 hours. Think about that. In six hours, the attacker nearly walked away with $2 million.
Another colleague reported on the rise of highly sophisticated form of spearphishing that targets CEOs, or others in executive management. It’s called different things by different people-- Business Email Compromise (BEC) and CEO fraud, amongst others. But whatever the name, the cyberattack uses a sophisticated series of steps to ultimately trick someone into providing valuable information or moving money directly into the scammer’s bank account. Threat attackers bilked the town of Peterborough of millions using this tactic, deceiving the finance department with fake forms into sending regular payments to scam overseas accounts.
Detecting spear-phishing emails is a lot like detecting regular phishing emails. The same basic principles apply to both types of attacks, although spear-phishing might use more sophisticated methods to spoof the sender, hide the actual domain in a link, or obscure the payload in an attachment.
- Check the Sender & Domain
You should always check the sender’s address and validate that the email is coming from a real domain. But remember that there are other ways to verify whether the email is legitimate. In some cases, the domain could be real, but the email could still be coming from an attacker. These cases include improperly configured email servers or if the attacker has access to a legit trusted email (EC, email compromise).
- Hover over Links
Always check where links in an email will take you by hovering over them without clicking to reveal the full URL address. This also shouldn’t be your only method. There are many ways bad actors use to make it hard or even impossible for you to detect if the link is legit or not. The attackers could try to fool you with subdomains, URL shorteners, homoglyphs, open redirects, look-alike domains or even exploiting flaws in browsers and email clients.
- Read & Verify
Read the email content with care. If it is from someone you have been sending emails with before, see if the style and tone are familiar. If the email has a signature, check that the signatures match. When the email asks you to visit a link, open an attachment, disclose information, or take an action, contact the sender via a different channel and ask if the email is really from them.Most importantly, treat every email as a potential phishing attack.Organizations have rightfully become concerned about spear-phishing attacks, because the threat is real and no one is immune. We believe heightened vigilance has made spear-phishing success harder for social engineers. Our customers are becoming more aware as they learn to detect and report all kinds of phishing emails. Security awareness training and behavior change are currently the most effective ways to mitigate the threat of spear-phishing attacks.