Spear phishing: What is it and how to prevent it
Estimated reading time: 11 minutes
If you have read our posts related to social ingineering ploys (phishing, smishing, whaling and vishing), you already know that many kinds of scams are derived from phishing. But it’s important to learn about the most prevalent one, spear phishing. Unfortunaltely, this kind of fraud is also the most dangerous for businesses.
Table of contents
- What is spear phishing?
- What’s the difference between phishing and spear phishing?
- Who can be targeted?
- How to detect this kind of fraud?
- How to prevent spear phishing?
What is spear phishing?
Spear phishing is a specific kind of phishing where the victim is targeted and deceived by using accurate personal information gathered beforehand. For example, the hacker can use your public data obtained from your social media accounts to convince you their message is authentic.
Let’s say you’ve just bought a house and posted the news on Facebook. Thanks to one of your comments on LinkedIn, the hacker discovers your banker’s name and agency. From there, he just needs to create a seemingly trustworthy email address using those informations and here it is ! He can then request you to transfer some money to a specific account pretending you must do it in regard of your mortgage. If you are not careful enough, this is how you’ll get scammed.
Sometimes, the authors of this kind of scam can be sponsored by a government. They can also be hacktivists, or cybercriminals looking for sensitive information to sell to governments or competitors.
What’s the difference between phishing and spear phishing?
As you could expect given its name, spear phishing is actually a kind of phishing. “Phishing” encompasses all kinds of cyber attacks aiming to collect sensitive informations (credit card number, passwords, social security number…) through deceiving, theft of identity or impersonification.
What does a phishing attack look like?
Phishing attacks are typically launched on a broad scale. They target a vast number of potential victims and are not tailored to them. In most of the cases, all these people are hit at the same time with a spoof email pretending to be sent by an authentic organization.
You’ve likely already been exposed to this kind of scam. We all have received one of these emails allegedly sent by a person resquesting help to move a huge amount of money (typically many dozens of millions of dollars) blocked in a Nigerian bank and offering a significant percentage of this fortune in exchange of our collaboration. Very often, it implies sharing our personal or banking information… Most of the times, these scams originate from Nigeria, which explains why they are called Nigerian Letters or “419” Frauds (419 being the section of the Nigerian criminal code prohibiting this crime).
The perpetrators of these phishing attacks don’t make a lot of efforts to make their message credible. Frequently, their email is somehow gross (spelling mistakes, language errors, cultural hiatus) and the scam is blatant. They simply bet that among the number of people who will receive it, someone will be naive enough to click on the link provided, or send the personal information requested.
What’s the difference with a spear phishing attack?
The main difference between phishing and spear-phishing is that in the latter, the hackers target a specific victim, and not a mass of people at the same time.
In a large proportion of such attacks, the victims are executives or employees who hold positions that give them access to certain hardware, software or privileges in the organisation where they work. But they may also be people who have published some exploitable information for scammers (as in our example of the purchase of a house).
Before contacting them, the hackers will have researched them to learn as much as possible about the organisation they work for, the position they hold, how they are called (e.g. use of nicknames), the name of their manager or CEO, the name of a bank where their organisation has an account, etc.
This information is then used to craft a message simulating a genuine email from that organisation, or from another entity with which it is in contact. The scammers will make sure to render it as credible as possible. They will add details that will reinforce the illusion (very similar email addresses, names of real officials, copy of logo, copy of mentions usually included in the emails of this organisation) so that the message seems legitimate to win the trust of its recipient.
They can include an URL to invite the recipient to visit a fake website he may have previously created to collect the sensitive information requested (passwords, social security number, bank account or credit card numbers, etc.). In some cases, they will have taken care to generate traffic to this spoof website to validate the domain name and fool the organisation anti-virus software.
Other times, they may pretend to be a friend, claiming to be in distress and needing a sum of money, or asking for access to specific pictures posted on social networks.
A third form of spear phishing uses an attachment simulating an invoice, or a document of some kind (pdf, Word or Excel file) secretly containing a malicious software, a macro or a piece of code (e.g. a keylogger). It could also be a ransomware, a software that can block the organisation’s computer system, forcing it to pay a ransom to unlock it.
The hackers will frequently explain that their request for sensitive information is urgent. They will tell the victims they need to change a password which is about to expire, or to take notice of changes in a delivery described in an attached document, for example.
They may also impersonate a senior member of the organisation (typically the CEO, or a manager involved in payment transactions, for example) asking for an urgent transfer to a new supplier. Sometimes, this urgency will be combined with the need to maintain strict confidentiality or to breach particular procedures, such as obtaining a manager’s approval.
Finally, they may also play on emotions and try to use empathy to get their victim to obey.
All these stratagems aim at obtaining a quick move from the target, to avoid him/her thinking too much…
When they succeed in their goal, the scammers will impersonate their victims thanks to the personal data to carry out specific operations (money transfer, theft of personal data, theft of intellectual property, unwanted publication of heinous messages on their behalf, etc.). In other cases, they will get their targets to click on a link to trigger the download of a malicious software without their knowledge. Or they’ll get a money transfer or a specific action from their victim.
Who can be targeted?
Any employee of an organization can be targeted in a spear-phishing attack. However, some of these scams target more specifically high-level executives. They are called “whaling attacks“. Most of them impersonate the CEO or another senior member within the organisation to impose an unquestionable order on the victim.
Remarkably, studies suggest executives are more likely to be targeted, but also more prone to be fooled than other staff members. That’s because they are often very busy and lack of the time needed to dedicate a critical attention to their emails. Sometimes, they also underestimate the threat.
On the other side, it is more rewarding for a hacker to pick them, because of their higher access and authority.
It’s also worth mentioning that these cyber attacks are also frequently launched against employees or executives working in processes involving payments, such as payroll or invoicing.
Finally, note that even individuals can fall victim to this form of scam: a hacker may pose as one of your friends and invite you to click on a nice website or video… hiding a ransomware that could lock your smartphone.
How to detect this kind of fraud?
Most of the time, spear phishing emails are very well imitated, which is why it’s very difficult to detect the malicious sheme. Even the tools used to detect preventively this form of scam emails within the organisations can fail to identify spear phishing attacks messages.
This is also the reason why they have become commonplace (it’s estimated that they now account for 91% of all cyber attacks), and why they do so much damage.
Some advice to help you spot a spear-phishing email
- Always double check every piece of information, especially the sender’s details. You may only see the sender’s name but pay attention to the email address as well. It is very unlikely that your banker will send you an email from a “firstname.lastname@example.org” kind of address. Check cautiously the email address provided, even if it seems to come from a trusted organisation. Look for a digit 0 typed in place of an “o”, or for a Russian “ш” spoofing a “w”.
- Does any detail seem different from usual? Watch out for differences in format. Is the signature different, even slightly? The email is full of spelling mistakes, which is never the case with that specific person ? The way it’s addressing to you is not familiar? All those details are red flags inviting you to be suspicious. Some specific characteristics may not be known by hackers and that’s where you can spot spear phishing.
- Just like you double check the email address, check any link sent to you. The actual URL is not the same than the link you are asked to click on? It might be something to worry about.
- Also, pay attention to the wording and the jargon. An unusual mention or expression never heard within your organisation should make you suspicious. Check as well the polite phrases and greetings at the end of the message. Is it usually “Thanks”, or “Best regards”, or something else?
- Finally, if a click on an attached file triggers the opening of a window indicating that it contains a macro, beware!
- When in doubt, never hesitate to confirm the content of an email over the phone. A quick call might save you a lot of trouble! Better safe than sorry.
How to prevent spear phishing?
Hackers can use several tricks to obtain information about their victims. For example, they can use out-of-the-office messages to find out what an organisation’s staff members emails look like. Others will use social media and other publicly available sources to gather information.
Some advice to help you prevent these attacks
Beside being careful, you have other options to prevent spear phishing. Hackers might be subtle but being scammed is not a fatality and you can actually protect yourself and your personal data by taking the following steps :
- Keep in mind that any piece of information (name, picture, …) posted on social media can be used maliciously. When possible, make your accounts private and avoid publishing too much information about your responsabilities, suppliers, clients, processes or operational aspects of your business in your LinkedIn profiles.
- Avoid publishing too much information about your staff in your website as well. Don’t provide their email, use a form instead to invite visitors requesting for informations.
- Pay attention to the job advertisements published by your organisation to fill positions in the IT department. Make sure they are never too specific when mentioning details about the software and cybersecurity systems used by your organisation.
- Look out for these information on Internet too, and suppress them when possible.
- Always use a hosted email security system and an antispam protection to stop any harmful email.
- In any case, never send sensitive information like credentials and passwords to anyone. When some attachments are sent to you, scan them with your anti-virus before opening them.
- Keep all your software constantly updated to avoid any abuse of a security breach.
- Knowledge and awareness are keys. Keep yourself informed about the latest phishing trends.
- Organisations need to train their staff and organise spear phishing attacks simulations. This way they can develop awareness of this threat and identify which employees are more vulnerable to these kinds of scam.
- Train your staff to report any suspect email to the IT department, and to avoid clicking on any URL in emails. They should instead connect directly to the genuine website.
- Beware of unusual and unexpected emails, especially if they claim to be urgent.
- If your organisation has good skills in its IT department, it may be worth asking them to mark all external emails so that they are easily distinguished from internal emails.
- Establish strict rules concerning the use of passwords. Forbid your staff to reuse a password, or to use passwords that are too easy to crack.
- Establish payment processes involving many executive approvals.
- Avoid any “BYOD” policy and the use of external softwares, platforms or applications not expressly allowed by your IT department.
- Prevention matters as well, especially for more fragile possible targets like elder or younger users. If someone around you can be an easy target, warn them about spear phishing. If you can, try to keep an eye on their email boxes.
- Inform your staff, your friends and family members about the risks incurred when sharing personal data on social media.
- Some tools have been specifically created in order to prevent phishing. Here is a selection you can use in order to control any URL before clicking on it : Where Goes, Redirect Detective and Redirect Check.
- And last, but not least : use a secure email provider like Mailfence to guarantee email security and privacy.
Preventing spear phishing is key to keep your personal data safe. If you don’t take some minimal steps to avoid this scenario, you might expect your email to be hacked. Read our advices to know what to do in this case, and contact us if you have any question about security and privacy.
Check out this article on how to avoid social engineering schemes.
Mailfence is a suite of integrated collaboration tools with a lot of features to protect your personal data. If you already have an account, you know all about it. If not, what are you waiting for ? Open a free account now.
– Mailfence Team
Patrick is the co-founder of Mailfence. He’s been a serial entrepreneur and startup investor since 1994 and launched several pioneering internet companies such as Allmansland, IP Netvertising or Express.be. He is a strong believer and advocate of encryption and privacy. You can follow @pdeschutter on Twitter and LinkedIn.