Spear Phishing – What It Is And How To Prevent It

Joe A. J. Beaumont
Chief Security Evangelist
05th May 2021

While the term spear phishing might be an amusing play on words, there is nothing funny about falling victim to it. This type of cyber attack is on the rise and becoming increasingly sophisticated. It is a highly targeted form of social engineering that manipulates the recipient's emotional response, for instance to get them to hand over sensitive information.


What is spear phishing?

Spear phishing is a subset of phishing: a cyber attack in which the attacker singles out a particular individual, or sometimes a small group of people within an organisation, as the target. The spear phisher researches the target using sources such as social media, the company website and data exposed in previous breaches.

Once they have gathered enough about the victim, they send an email designed to deceive the recipient into sharing sensitive information or opening an attachment that installs malware. The email appears to come from a trusted, known person, and the request it contains seems valid and convincing.

Because of this sophistication, these attacks can be difficult to detect and prevent. However, spear-phishing emails share certain characteristics that can be spotted, and security measures can be put in place to help avoid falling victim to them.


What is the difference between spear phishing and regular phishing attacks?

Typical phishing attacks use email or text messages that appear to come from a trusted source and ask the recipient to click a link or open an attachment. The attacker's goal is to install malware on the victim's machine or to steal personal information for fraudulent gain.

If we use the 'fishing' analogy, regular phishing is akin to casting a broad net off a boat to catch as many fish as possible, while spear phishing is fishing with a spear gun, specifically targeting one fish.

Regular or 'bulk' phishing is a numbers game. The attack targets as many people as possible in the hope that a few will click the link or open the attachment. Bulk phishing messages usually do not address the recipient by name and tend to be less sophisticated than spear-phishing emails. They typically masquerade as a well-known brand or company such as PayPal, whereas a spear-phishing email is sent by someone pretending to be an individual the targeted recipient knows.


What is the difference between whaling and spear phishing?

In essence, spear phishing and whaling are the same attack. The only difference is that the targeted recipient is of higher importance, such as a senior executive, attorney, politician or celebrity, hence the term whale phishing: a bigger fish being speared. A whaling attack is typically used to steal sensitive information or money from a company. Senior managers are likely to have access to financial information, company passwords, logins and other sensitive data, and the authority to approve payments, which makes them ideal targets for this type of cyber attack.

Because the potential pay-off is higher, a whaling attack tends to be even more elaborate than ordinary spear phishing. Preparation can take months to make the pretext as plausible as possible.

Before the attack is launched, the cyber criminals gather as much information as possible about the victim. They scour social media profiles such as Facebook and LinkedIn, as well as business directories and corporate databases. Whalers also gather information about the target company itself, such as colleagues' names and job titles, so that the message references the right people and projects.

Once the personal data about the recipient has been gathered, a well-crafted and highly personalised email is sent asking them to take urgent, immediate action on a specific business matter. For example, an employee with the authority to send wire transfers might receive a message, apparently from the CEO, instructing them to transfer a large sum of money.

According to the FBI, more than 7,000 businesses in the United States fell victim to such campaigns over a two-year period, with losses of around $740M. The FBI classifies these attacks as Business Email Compromise (BEC), a broader category that also covers fraudulent invoices sent from compromised supplier mailboxes, not only executive impersonation.


Anatomy of a spear phishing attack

A spear-phishing attack typically follows a set pattern.

The spear phisher first decides on the end goal: obtaining sensitive information, identity theft or industrial sabotage. The email may also be the precursor to a more elaborate attack at a later date, for instance the initial foothold for a network intrusion.

The next stage is researching the target. Many businesses publish a plethora of information about their structure, hierarchy and staff online. Combined with the personal details offered up by social media profiles such as Facebook and LinkedIn, an experienced researcher can assemble more than enough material for a convincing spear-phishing email.

The attack is then launched with a well-crafted email that, at first glance, looks like a genuine message from the purported sender, duping the recipient into clicking a malicious link or opening an attachment. The link often leads to a fake website that looks authentic, but when the victim logs in, their credentials go straight to the attacker.

If successful, the spear phisher can then exploit the stolen data, deploy malware or simply cause disruption.


Tools used in spear phishing attacks

A spear-phishing campaign doesn't need specialised tools or software to succeed. A free webmail address and a well-researched email that plays on the recipient's emotions is often all that is required. More complex campaigns use hijacked domains, typosquatted lookalike domains and phishing kits bought on the dark web that personalise messages automatically at scale.


Examples of spear phishing attacks

While many people swear that they wouldn't be so gullible as to fall for any sort of phishing attack, the statistics say otherwise. Industry surveys have reported that 64% of organisations admit to having experienced a phishing attack, and that 71.4% of targeted attacks involved spear-phishing emails.

Here are a few examples of spear-phishing attacks that made the news.

One of the most prominent recent examples came in July 2020, when 130 Twitter accounts were targeted and dozens of them hijacked to run a Bitcoin scam. The accounts belonged to high-profile celebrities, business leaders and politicians, including Elon Musk, Bill Gates, Jeff Bezos, Joe Biden and Barack Obama. Twitter stated that a small number of its employees had been targeted through a phone-based spear-phishing (vishing) attack.

Twitter explained that the attack misled certain employees and exploited human vulnerabilities, giving the attackers credentials for internal account-support tools. The campaign netted the attackers 12.86 BTC, then worth around $117,000. While the sum wasn't huge, it highlights how even the most prominent companies can be susceptible to this kind of cyber attack.

Another much-publicised data breach was the phishing attack on health insurer Anthem, in which employees opened a malicious email that installed keystroke-logging malware. The result was the theft of records belonging to roughly 78.8 million current and former customers.

One of the most significant political spear-phishing attacks was carried out by Fancy Bear, a Russian cyber-espionage group. Its 2016 campaign against the Democratic National Committee and the Clinton presidential campaign led to WikiLeaks publishing thousands of emails belonging to John Podesta, the campaign's chairman and a former White House chief of staff.

The spear-phishing email was dressed up as a Google security alert, telling him that someone had tried to access his account and that he should change his password. The link led to a spoofed login page, and entering his password there handed it to Fancy Bear; the rest is history.


Detecting and preventing spear phishing attacks

Our emotions govern us, and spear-phishing attacks manipulate them. It is natural to want to help a friend or colleague who needs something done fast, or to comply with the boss's instructions without question. Spear-phishing attacks are designed to lower our guard and rush us into poor decisions; understanding this is half the battle.

Awareness and scepticism are the two keys to preventing a spear-phishing attack. Often there will be small clues that something is not quite right about the email. When a message is spoofed to imitate a person you trust, closer inspection may reveal small differences in the sender's address: johnsmith@domain.com is genuine, while john.smith@d0main.com (a zero in place of the letter o, plus an extra dot) is the fake. Remember that the display name is free text chosen by the sender, so always check the actual address behind it, and on a mobile client tap the name to reveal it. You might also notice that the email's tone is off, or spot grammar errors or an odd domain that flags something is wrong.

Social engineering is used to instil a sense of immediacy, exploiting the recipient's natural instinct to help a colleague. Don't act on the request straight away. Ask questions, or better still, telephone the person on a number you already have (not one given in the email) and confirm the request with them directly.
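The checks described in the two paragraphs above (a lookalike sender domain, a display name that does not match the address on file, a Reply-To pointing somewhere else, and pressure language in the body) can be automated at a mail gateway or in a triage script. The following Python is an added example for this page, not code from Bulletproof or from any of the incidents discussed. The allow-list TRUSTED_DOMAINS, the contact list KNOWN_CONTACTS, the confusable-character table and the two sample messages are all constructed for the example; a real deployment would take the first two from the directory.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list for this example: the organisation's own domain and the
# genuine addresses of known contacts. A real deployment would feed these from
# the directory or mail gateway rather than hard-coding them.
TRUSTED_DOMAINS = {"domain.com"}
KNOWN_CONTACTS = {"john smith": "johnsmith@domain.com"}

# A small subset of the characters attackers swap for ASCII letters: digits that
# resemble letters, and Cyrillic/Greek homoglyphs that render identically.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o", "\u03b1": "a",
})

PRESSURE = re.compile(r"\b(urgent|immediately|asap|right away|wire transfer)\b", re.I)


def normalise(domain):
    """Fold confusable characters and drop dots and hyphens, so that
    'd0main.com', 'do-main.com' and 'dom\u0430in.com' all become 'domaincom'."""
    return domain.lower().translate(CONFUSABLES).replace(".", "").replace("-", "")


def is_trusted(domain):
    """True for a trusted domain or any subdomain of one."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None."""
    if is_trusted(domain):
        return None
    for trusted in TRUSTED_DOMAINS:
        a, b = normalise(domain), normalise(trusted)
        # Exact match after folding catches homoglyph and digit swaps; the
        # similarity ratio catches one-character typos (dropped/doubled letter).
        if a == b or SequenceMatcher(None, a, b).ratio() >= 0.85:
            return trusted
    return None


def check_message(raw):
    """Run the manual checks from the article over one RFC 5322 message and
    return a list of warnings (an empty list means nothing suspicious)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    warnings = []

    imitated = lookalike_of(domain)
    if imitated:
        warnings.append(f"sender domain {domain!r} imitates trusted domain {imitated!r}")

    # The display name is free text chosen by the sender, so compare the
    # real address against the one on file for that name.
    genuine = KNOWN_CONTACTS.get(name.lower())
    if genuine and addr.lower() != genuine:
        warnings.append(f"display name {name!r} belongs to {genuine}, not {addr}")

    # Replies silently diverted to another mailbox are a classic BEC tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        warnings.append(f"Reply-To {reply_to} goes to a different domain than From")

    if msg.is_multipart():
        body = " ".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    if PRESSURE.search(body):
        warnings.append("body uses pressure language; verify by phone before acting")
    return warnings


# Constructed sample messages (not real traffic): one genuine, one spoofed.
GENUINE = """From: John Smith <johnsmith@domain.com>
To: finance@domain.com
Subject: Q2 figures

Attached are the Q2 figures for review.
"""

SPOOFED = """From: John Smith <john.smith@d0main.com>
Reply-To: john.smith@mail-relay.example
To: finance@domain.com
Subject: Payment needed today

Please action the wire transfer immediately, I am in a meeting and cannot talk.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_message(sample) or ["no warnings"])
```

Run stand-alone, the genuine message produces no warnings and the spoofed one produces four. The folding step is deliberately lossy: it exists to make 'd0main.com' collide with 'domain.com', so a sender domain that merely shares most letters with a trusted one will also be flagged, which is the right trade-off for a triage tool that prompts a human to verify by phone.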

Be mindful of your online presence and check your social media privacy settings. The more information that a spear phisher can find about you through social media and other sites, the easier it will be for them to psychologically manipulate you with the knowledge gained.

For organisations, prevention is about ongoing education and putting systems in place that raise awareness and anticipate phishing attempts before they land.

Security training for staff should be implemented, with a simple route for reporting suspected phishing emails. Proactive measures can be put in place too: multi-factor authentication (ideally a phishing-resistant method such as a FIDO2 security key, since one-time codes can be captured and replayed by a proxying phishing page), email authentication (SPF, DKIM and DMARC) on your own domains so that exact-domain spoofing is rejected by receiving mail servers, and antivirus and anti-malware protection that is installed and kept up to date. If your business is vigilant to the threat of spear phishing, it won't present a soft target.


In conclusion

It takes just one successful spear-phishing email to cause massive damage to a business. Employees should be educated on how to deal with suspicious emails, and the preventive measures reviewed regularly, to reduce the chance of falling victim to a phishing scam.


Meet the author

Joe A. J. Beaumont Chief Security Evangelist

Joe is a blogger and security evangelist who’s been raising the profile of cyber security for a decade. He writes about a variety of cyber and compliance topics, with a keen eye on translating events and data into valuable customer insights. Never boring, sometimes controversial, always insightful.
