What is a Spear Phishing attack?
How do companies protect themselves from a spear phishing attack?
What is Spear Phishing?
Spear phishing is a special form of cyber attack with extremely malicious intent that is derived from traditional phishing attacks. In a conventional phishing attack, the target persons fall randomly into the attacker’s grid. In a spear phishing attack, the victim is spied on in a targeted manner over weeks or months. During this period, habits and preferences are learned. This is used to create a personal dossier. Based on this carefully collected data, tailor-made email or phishing attacks are implemented. These are always personal.
In this form of attack, cyber criminals pretend to be online retailers, banking institutions, family members, acquaintances or even partners. The e-mails are usually designed in such a way that even the sender’s address and the content appear deceptively real at first glance. The attacker’s attempt to outsmart the potentially gullible target person is the focus here. After all, the cybercriminal wants to get sensitive personal information, so he can be very targeted in this type of attack. It is not uncommon for such spying to steal access data for bank accounts or online accounts.
The risk of spear phishing attacks arises in particular for companies that are increasingly affected by corporate or industrial espionage. Here professional hackers select an employee in a targeted manner. When gathering information, not only general phishing measures are used but also an individualized attack, tailored to the respective victim.
Spear Phishing Attacks: A familiar form of attack in a new disguise
These attacks represent a serious danger because they leverage in-depth knowledge about the personality of the targeted victim. Unlike conventional phishing email attacks, people who usually treat fake emails with a healthy degree of skepticism are actually targeted.
This means spear phishing e-mails are much more effective at establishing trust. Above all, the good faith of the recipient is exploited because they are made to believe they are safe – for example due to apparently known sender addresses or the reputation of the company named in the email.
The attacker has now taken the first step. With this successful deception, the cybercriminal can now continue the spear phishing attack on the next level. The unsuspecting victim will only discover the ruse much later, when it is usually too late to react.
This is how a spear phishing attack works in practice
After the victim has received a deceptive e-mail, attempts are made to get them to download from a link, for example, that installs carefully concealed malware. Or sometimes the victim is forwarded by a link to a fake website, where their personal data is gathered via a form.
In the last few years, it has increasingly been observed that spear phishing is no longer limited to communicating via e-mail. Social channels are also being used for this form of attack. Once the link or malware has been planted on the potential victim’s computer, the cybercriminal can simply sit back and wait.
The Targets of Spear Phishing
In most cases, this is just the first step. After all, the ultimate goal of the attacker is to infiltrate the company’s IT infrastructure. Spear phishing is simply the most-suitable form of attack to get them access. A search on the company website is sufficient to find out corresponding personal data, but also contact details of relatives in the company.
Attackers usually find out about the target person in advance. First name, last name, date of birth, place of residence, street, hobbies as well as information about family members, friends and business partners can be easily researched on the Internet. There are countless publicly accessible databases for this purpose. Most of the time, the users themselves ensure that their profile information is freely visible to third parties. This applies in particular on social media.
The attacker also learns information like the preferences and habits of the target person, for example, by seeing what online purchases they made at what time on eBay or Amazon. Even tracking movement patterns is no longer a major challenge for cyber criminals. With GPS, many users of so-called tracking services even help an attacker find out exactly where that user is and when and how long they are staying.
Digital Sources for Spear Phishing
But that’s not all. Attackers also look for reviews on travel portal pages. Online hotel guest books can also give a very detailed overview of a person’s financial background. In this way, specific conclusions can be drawn quickly about interrelationships among business and private areas. However, this is only a digital search for information.
The spear phishing attack in general is based on very different types of attacks. In the preparation phase, they are often similar to social engineering attacks, or “social hacking,” because the attacker uses information gathered about the target person to tailor the spear phishing attack and increase its effectiveness.
In any case, employees who freely disclose personal data increase the risk of being affected by a spear phishing attack. Because those in the company who handle their data carelessly are ideal targets, spear phishers specific look for employees with such vulnerabilities.
The Immediate Environment of the Spear Phishing Victim
When it comes to finding ever more detailed information, cyber criminals are always clever. For this reason, the immediate vicinity of the potential victim is often targeted in a spear phishing attack. Accordingly, it is not uncommon for sensitive documents to be intercepted either directly from the paper waste of companies or even from employees homes.
Once the attacker has all the information they need, they proceed with the spear phishing attack. In the next phase, an individual or several employees receive emails in which they are requested, for example, to confirm certain information. This stage also includes an blurring of the line towards CEO fraud, as the e-mails are usually falsified with sender addresses from authorities.
Attached files that are used in everyday company e-mails often serve as a gateway here. A Word, Excel or PDF file can turn out to be the key to the entire company network. Most of those who open these file attachments have no idea of the potential danger.
The Bait in a Spear Phishing Attack
The design and camouflage of the bait is a crucial element when it comes to deceiving the target in a spear phishing attack. The more convincingly an attacker disguises the bait, the greater the likelihood of success.
While the spear phishing attacks of the past were often limited to e-mails, today’s focus is increasingly on social media. Again, company employees can find themselves unknowingly interacting with spear phishers on a personal level, so that the victim communicates directly with the attacker. Here, too, is a way for victims to be spied on.
Professional spear phishing attacks are difficult to detect. In terms of content, they are usually prepared in such a targeted manner that it is very difficult for laypeople to detect them. This is where spear phishing differs from normal phishing, where for example, countless e-mails are sent indiscriminately in a so-called “shotgun tactic.”
How can companies protect themselves from a Spear Phishing attack?
Spear phishing attacks are a challenge, especially for IT security officers in companies. Because ultimately it is the individual employee who serves as the central weak point. Links and file attachments are opened frivolously without recognizing the actual sender. The same applies to false friend requests users receive via social networks. The recipient’s psyche is used as a gateway and their innate skepticism bypassed. Because it is so effective, the number of spear phishing attacks increases every year, which is why it is extremely important to educate and sensitize employees about the dangers of spear phishing.
1. Unmask Spear Phishing Attack
In order to protect yourself against spear phishing, e-mail notifications that request the disclosure of sensitive data should be ignored.
Neither a financial institution nor a service provider would ever ask their customers to reveal personal information via email.
The same applies to questionable messages or allegedly harmless links from alleged social media acquaintances—and in particular to cryptic addresses or URLs. But be aware that links that appear trustworthy can also be problematic.
2. Use Social Media With Caution
Perhaps you have seen a post on a pinboard on Twitter or Facebook that contained personal data. There are the strangest cases—from publishing a driver’s license to disclosing a bank statement, everything is out there. Even people presenting credit cards! Such people are just begging for a spear phishing attack.
Under certain circumstances, data can also be tapped using image recordings. This is especially true when sensitive documents are on a desk and end up as a photo on social media. Such cases must result from an employee who thoughtlessly posts a picture of his workplace. This scenario can often be found in practice.
3. Professional Protective Measures
The aforementioned protective measures are related in principle to human vulnerability, which of course serves as a primary gateway for a successful spear phishing attack. From a technical point of view, however, it also makes sense to introduce an IT security measure that offers companies extensive protection against spear phishing attacks.
With Advanced Threat Protection you can counteract sophisticated spear phishing attacks. Get information here.