Spear phishing


29 July, 2020


What is Spear phishing?

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim often for malicious reasons. This is achieved by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online.

Spear phishing is the act of sending emails to specific, well-researched targets while purporting to be a trusted sender. The aim is either to infect devices with malware or to convince victims to hand over information or money.

The main aim of a spear-phishing attack is either to obtain unauthorized access to sensitive data, whether this is intellectual property, financial data, trade, or military intelligence, or to get the recipient of the email to act on a command, whether this is to transfer money or share confidential data.

Spear-phishing works by targeting a specific individual or organization.

Attackers collect information from social media about potential targets, including their personal and professional relationships and other personal details. The attacker uses this information to craft a personalized message that looks and sounds authentic to convince the target to respond to the sender’s request. The sender may request that the user reply directly to the email or the message may include a malicious link or attachment that installs malware on the target's device or directs the target to a malicious website that is set up to trick them into giving sensitive information like passwords, account information or credit card information.

To increase success rates these messages often contain urgent explanations on why they need sensitive information. Victims are asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. An attacker posing as a friend might ask for usernames and passwords for various websites, such as Facebook so that they would be able to access posted photos. In reality, the attackers will use that password or variations of it to access different websites that have confidential information such as credit card details or Social Security Numbers. Once criminals have gathered enough sensitive information they can access bank accounts or even create a new identity using their victim’s information. Spear-phishing can also trick people into downloading malware or malicious codes after people click on links or open attachments provided in messages.

The payload of a spear-phishing attack can be conventional malware, spyware or ransomware. But hackers also use the technique to extract confidential and commercially sensitive information such as personnel records, intellectual property or financial information.

A further driver for attacks is gaining access to IT systems and escalating privileges.

Attackers frequently target systems administrators and other professionals in order to gain the passwords and credentials to break into other systems.

Hackers might use something as simple as a spoof website to harvest victims’ user names and passwords.

Types of Spear Phishing Attacks:

  • Business Email Compromise (BEC): This is also known as CEO fraud, whaling, and wire transfer fraud. In a BEC attack, criminals impersonate an employee, usually an executive or manager, within the organization. Using convincing details and plausible reasons, they instruct their targets, who are often employees with access to company finances or personal information, to wire money or to send sensitive data such as financial information about customers, employees, or partners. These attacks rely on social engineering and compromised accounts, and they typically include no malicious attachments or links.
  • Impersonation: This includes a large number of spear-phishing attacks that impersonate a trusted entity such as a well-known company or a commonly used business app such as Office 365, Gmail, or DocuSign. They may also impersonate a trusted colleague or business partner. These attacks typically try to get recipients to give up account credentials or click on malicious links. They can use that access to steal confidential data, conduct financial fraud using your account, or launch a more targeted attack within your organization.

How to Prevent Spear Phishing:

To prevent spear phishing scams, employees need to be aware of threats such as bogus emails landing in their inbox. Never clicking links in emails is an ironclad rule for preventing much of the damage phishing-type attacks can create. That said, since spear phishing is a more sophisticated version of a plain old phishing attack, organizations need to ensure their policies reference these more advanced tactics and implement stronger solutions to educate employees to defend accordingly.

  • Limit the amount of personal information you share on social media and other websites.
  • Do not click on links in emails. Identify suspicious links by hovering your cursor over them to ensure that the URL matches the link’s anchor text and the email’s stated destination.
  • Contact the associate, friend, or business that purportedly sent the message to confirm the request.
  • Remind employees to always be wary of emails with unsolicited attachments and links, and send reminders of spear-phishing dangers especially around sensitive events or times of year.
  • Deploy threat intelligence solutions that use open source and commercial threat intelligence feeds to track and block, in real time, phishing and spear-phishing campaign links that are actively in use.
  • Implement phishing awareness training programs to keep good security practices against spear-phishing top of mind for employees all year round.
  • Enable your employees to report suspected phishing messages so that your team can stop spear-phishing campaigns currently underway against your organization.
  • Have smart passwords: Do not just use one password, or variations of one password, for every account that you own. Reusing passwords or password variations means that if an attacker obtains one of your passwords, they effectively have access to all of your accounts. Every password you have should be different from the rest; passwords made of random phrases, numbers, and letters are the most secure.
  • Frequently update your software: If your software provider notifies you that there is a new update, apply it right away. The majority of software updates include security fixes that help protect you from common attacks. Where possible, enable automatic software updates.
  • Do not click links in emails: If an organization such as your bank sends you a link, launch your browser and go directly to the bank’s site instead of clicking the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it is malicious. Many spear phishing attackers will try to obfuscate link destinations by using anchor text that looks like a legitimate URL.
  • Use logic when opening emails: If you get an email from a “friend” asking for personal information including your password carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that “friend” or business outside of email or visit the business’ official website to see if they were the party who actually contacted you.
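The following Python is an added example, not code from the original article: it turns two of the checks described above into a defender-side triage routine, the anchor-text/href mismatch test from the link advice and a From: display-name check for the executive impersonation used in BEC. ORG_DOMAIN, EXECUTIVE_NAMES and the sample HTML are constructed placeholders.

```python
# Added example (not from the article): two defender-side checks for signs it describes,
# anchor text that looks like a URL but points elsewhere, and an executive's display name
# on mail sent from an outside domain (BEC-style impersonation).
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"        # constructed: the organisation's own mail domain
EXECUTIVE_NAMES = {"jane doe"}    # constructed: executives BEC messages impersonate
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or of bare 'www.x.com/path' text, with a leading www. removed."""
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html):
    """(text, href) pairs where the anchor text names a host different from the href."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if URL_LIKE.match(text) and host_of(text) != host_of(href)]

def impersonated_sender(from_header):
    """True when the display name is an executive's but the address is not ours."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    return name.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN

# Constructed sample: a message body with one disguised link and one honest link.
SAMPLE_HTML = ('<p>Review the invoice at <a href="http://bank-login.example.net/x">'
               'https://www.bank.com/secure</a> or <a href="https://bank.com/help">'
               'https://bank.com/help</a>.</p>')
```

Both functions are meant as triage signals for a mail gateway or a user-report queue, not as a verdict on their own.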
