Spear phishing is a serious threat to organisations worldwide, but this highly targeted phishing can be hard to prevent.
A report from security firm Ivanti highlights the success rate of spear phishing: almost three quarters (73%) of organisations told Ivanti that IT staff are targeted by spear phishing, and nearly half of the attempts (47%) are successful.
What Is Spear Phishing?
Spear phishing is a highly targeted form of phishing. A phishing campaign typically sends out a mass email to many people, but spear phishing campaigns focus on one or a few individuals; these individuals usually work for or are associated with a specific organisation.
Spear phishing usually arrives by email, but it can also take the form of phone phishing (Vishing) or mobile message phishing (SMShing).
Spear phishing relies on advanced social engineering: the campaign is crafted from intelligence gathered about the target. The information needed to perfect a spear phishing email is collected from any available source, including social media posts, company websites, hacked online accounts, and so on.
Cybercriminals have even been known to strike up a relationship with their target via email or phone, gaining the employee’s trust and encouraging them to share personal or company details. Once the cybercriminal has enough information on a target, they create a personalised email that looks legitimate.
The goal of a spear phishing attempt is typically to steal login credentials, which can then be used to gain access to a corporate network. The consequences of an employee being socially engineered include malware infection (including ransomware), data theft, Business Email Compromise (BEC) and other forms of cyber attack.
While using multi-factor authentication (MFA) can help reduce the risk of an attack, it is no guarantee: a recent phishing campaign targeting Office 365 users was able to circumvent any MFA used by employees.
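The reason a phishing page can get past codes and push prompts is that nothing in those factors is tied to the site the user is actually looking at, so a relay on a look-alike domain can simply forward them. Origin-bound authenticators (FIDO2/WebAuthn security keys and passkeys) behave differently: the browser records the origin it sees inside the signed client data, and the relying party rejects any origin that is not its own. The following is an added example, not code from the original article or from Ivanti, that simulates that relying-party check. The names `RP_ID`, `EXPECTED_ORIGIN` and the HMAC stand-in for the authenticator's signing key are constructed for the example; a real authenticator uses an asymmetric key pair, and a real browser also refuses to use the credential at all when the page origin does not belong to the RP ID.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                     # relying party identifier (constructed)
EXPECTED_ORIGIN = "https://login.example.com"   # the only origin the RP will accept

# Stand-in for the authenticator's private key. A real authenticator signs with an
# asymmetric key (e.g. ES256); HMAC keeps this example dependency-free but preserves
# the property that matters: the origin field is covered by the signature.
AUTHENTICATOR_KEY = os.urandom(32)


def authenticator_sign(rp_id: str, challenge: bytes, browser_origin: str) -> dict:
    """Produce what browser + authenticator return: clientData names the origin the BROWSER saw."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signature counter (4)
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": signature}


def relying_party_verify(assertion: dict, challenge: bytes) -> tuple[bool, str]:
    """The server-side checks: ceremony type, fresh challenge, origin, rpIdHash, then signature."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != challenge.hex():
        return False, "challenge mismatch (possible replay)"
    if client.get("origin") != EXPECTED_ORIGIN:
        # This is the line that defeats a relay sitting on a look-alike domain.
        return False, f"origin {client.get('origin')} is not {EXPECTED_ORIGIN}"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(browser_origin: str) -> tuple[bool, str]:
    """One full round trip: RP issues a challenge, client answers, RP verifies."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(RP_ID, challenge, browser_origin)
    return relying_party_verify(assertion, challenge)


def tampered_origin_is_rejected(browser_origin: str) -> tuple[bool, str]:
    """Editing the origin field after signing does not help: the signature no longer verifies."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(RP_ID, challenge, browser_origin)
    client = json.loads(assertion["clientDataJSON"])
    client["origin"] = EXPECTED_ORIGIN
    assertion["clientDataJSON"] = json.dumps(client, sort_keys=True).encode()
    return relying_party_verify(assertion, challenge)


if __name__ == "__main__":
    print("genuine site   :", login_attempt("https://login.example.com"))
    print("look-alike site:", login_attempt("https://login.examp1e.com"))
    print("edited origin  :", tampered_origin_is_rejected("https://login.examp1e.com"))
```

The contrast to keep in mind when choosing an MFA method: a one-time code or an approval tap carries no origin at all, so the relying party has nothing to compare against, whereas here the origin check and the signature together leave a relay with nothing it can forward successfully.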
How Cybercriminals Use Spear Phishing Attacks
Cybercriminals use spear phishing to focus an attack on a specific company. These campaigns may target directly (an employee) or indirectly, i.e., focus on a supply chain vendor to attack an organisation higher up the supply chain.
Often, spear phishing attacks are part of a cycle in which data, including passwords, is stolen; this leads to malware infection, further credential theft and further data loss. The process begins with an email, a Vishing call or an SMShing message. Spear phishing often involves high-level strategic planning and may require several choreographed steps to achieve the attacker's goal.
Examples of Spear Phishing Attacks
Spear Vishing: a spear phishing attack on Twitter in 2020 made the headlines when hackers managed to send tweets from several high-profile accounts, including Joe Biden, Barack Obama, Bill Gates, and Elon Musk. The Twitter attack centred around a phishing phone call (Vishing) to targeted employees until one of them gave the attackers the login credentials to in-house tools. These credentials were then used to escalate privileges to a higher level.
Spear phishing email: a spear phishing email impersonated the US Department of Labor (DoL) to target multiple organisations. The goal of the spoof email was to steal Office 365 login credentials. The email was based on cleverly disguised domains to make the email look like it was legitimately from the DoL.
In addition, the email pretended to be from a senior DoL employee inviting the recipient organisation to submit a bid for a government project. Clicking the “bid button” took the employee to a phishing site where Office 365 login credentials were then stolen.
How to Spot a Spear Phishing Email
These emails are notoriously difficult to spot simply because so much work has gone into their creation. However, there are some points to check that can help employees identify tell-tale signs.
- Often, spear phishing emails leverage positions of authority, e.g., IT support, to force an action by an employee, e.g., to enter a password into a spoof web page. Check the sender’s email address. It may look like the real one, but with some subtle differences.
- Does the email format match what you are used to? For example, if the email is supposedly from IT support, does the way it is written and formatted reflect previous emails from IT support?
- Does the email require the entry of too much data or information that seems unnecessary? For example, are you being asked to log in to a company cloud app after clicking a link in an email for no compelling reason – does it just seem suspicious?
Another low-tech thing that you can do to help prevent a spear phishing incident is to double-check with the supposed sender of the email: give them a call to check that the email really is from them.
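The "subtle differences" in a sender address, and the cleverly disguised domains in the DoL example above, are the kind of thing a mail gateway or a triage script can check mechanically before a human ever has to. The following is an added example, not code from the original article or from Ivanti, that parses the From and Reply-To headers of a message and flags three tell-tale signs: a domain that folds to a trusted one once common character substitutions are undone, a domain within two edits of a trusted one, and a display name that quotes a trusted organisation while the actual address comes from somewhere else. The trusted-domain list, the confusables table and the three sample messages are all constructed for the example.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation treats as legitimate senders (constructed for the example).
TRUSTED_DOMAINS = {"example.com", "dol.gov"}

# Character substitutions commonly used to imitate a domain (a hand-picked subset; a full
# treatment would use the Unicode confusables data, which this example does not include).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"))


def fold_domain(domain: str) -> str:
    """Reduce a domain to a canonical form so look-alike spellings compare equal."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # strip accents
    text = text.translate(CONFUSABLE_CHARS)
    for seq, letter in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, letter)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; short enough to inline rather than add a dependency."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess_sender(raw_email: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable findings about the sender headers; an empty list means nothing odd."""
    msg = message_from_string(raw_email)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    if from_domain not in trusted:
        folded = fold_domain(from_domain)
        for t in sorted(trusted):
            if folded == fold_domain(t):
                findings.append(f"look-alike domain: {from_domain} imitates {t}")
            elif levenshtein(folded, fold_domain(t)) <= 2:
                findings.append(f"near-miss domain: {from_domain} is within 2 edits of {t}")
        # A display name that names a trusted organisation (or quotes one of its addresses)
        # while the real address is elsewhere is a classic display-name spoof.
        for t in sorted(trusted):
            label = t.split(".")[0]
            if re.search(rf"\b{re.escape(label)}\b", display_name, re.IGNORECASE):
                findings.append(f"display name '{display_name}' references {label} but address is @{from_domain}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")
    return findings


# Constructed sample messages (headers only matter here).
SAMPLE_SPOOF = """From: IT Support <helpdesk@examp1e.com>
Reply-To: helpdesk@mail-reset.example
Subject: Your password expires today

Please sign in within 2 hours to keep your account active.
"""

SAMPLE_LEGIT = """From: IT Support <helpdesk@example.com>
Subject: Scheduled maintenance on Saturday

No action is required.
"""

SAMPLE_DISPLAY_NAME = """From: "Procurement (bids@dol.gov)" <bids@dol-bids.example>
Subject: Invitation to bid

See attached solicitation.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT), ("display-name", SAMPLE_DISPLAY_NAME)):
        print(name, "->", assess_sender(sample) or "no findings")
```

The Reply-To check fires whenever the two domains differ, which also catches legitimate mailing-list setups, so treat it as a prompt to look closer rather than a verdict; the folding and edit-distance checks are the ones that catch the "real but not quite" addresses the list above warns about.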
Protecting Yourself from an Attack
Layers of protection are the best way to deal with the threat of spear phishing. Here are the top six ways to protect yourself and your company from an attack:
Don’t Overshare on Social Media
Cybercriminals gather the intelligence needed to create believable emails from many sources, including social media. So put a policy in place that explains the dangers of oversharing data on social media.
Don’t Click on Suspicious Links within Phishing Emails
This should become the mantra of all workplaces. Even if an employee does not follow through by entering credentials after clicking a malicious link, the attacker will likely have a record of who clicked and will continue to send ever more sophisticated phishing emails to that organisation.
Use Robust Authentication
While it is not foolproof, robust authentication does help as part of a layered approach to phishing defence. Create strong, unique passwords and add MFA wherever it is supported.
Never Share Sensitive Information Online
Sensitive personal or corporate information should never be shared publicly online; it will be gathered and used to phish employees or associated supply chain vendors.
Be Cautious and Vigilant
Train all members of staff and associates on the tactics used by cybercriminals. Ensure that this training is performed regularly and use a simulated phishing platform to send out simulated phishing messages to employees most at risk.
Encourage Employees to Report Incidents
Once you have trained staff to spot the tell-tale signs of phishing, encourage employees to report incidents. This helps to build cyber-resilience and maintain regulatory compliance, and it provides the information needed to act quickly before an incident becomes a full-blown cyber attack.