The first phishing attacks have been traced back to the mid-1990s with the rise of AOL. Attackers created fake accounts and posed as AOL employees, instructing users to update their personal and billing data. The result? Stolen information.
As technology advances, so do cyberattack techniques, which makes it even more challenging to train your employees to detect an attack and protect your organization.
One of the most dangerous and prevalent techniques is a form of phishing called spear phishing. These targeted email attacks can damage a business of any size, but 54% of email scams target small businesses.
What is Spear Phishing?
Spear phishing is an email spoofing campaign that targets a specific individual or organization to steal sensitive information or gain a foothold on the network. It involves research up-front to create a believable email from someone the target trusts and interacts with on a regular basis. In most spear phishing attacks, the hacker researches everything from company culture and employee relationships to specific vendors or company processes in order to craft an attack that has a high likelihood of success.
This means that instead of delivering mass attacks, hoping that at least one person out of many will click or download the attachment, the attacker creates a threat that is more likely to cause the intended damage.
How Spear Phishing Works
Step 1: Identify Targets
Spear phishing, compared to a standard phishing attack, often has a goal bigger than individual credit card or Social Security numbers. Spear phishing can be a hacker’s entry point onto a network for an advanced persistent threat, or a way to reach sensitive, high-value data. This means they are careful to select a target that will yield a high return if (or when) the attack succeeds.
Step 2: Research
This is the key stage that differentiates spear phishing from a mass phishing attack. Imagine receiving a generic email from PayPal compared to receiving an email from your boss or IT director. An attacker dives deep into their targets’ lives, using social media and company websites to determine their method of attack in a way that increases the chances of its success.
Step 3: Purchase Domain
Once the attacker has determined their target and done in-depth research to frame their attack, they will often purchase a domain that resembles a well-known site (along with an associated email address) to link in their attack. Because the domain is genuinely registered, mail from it is technically legitimate and can reach the inbox where a spam filter might otherwise catch it.
Step 4: Craft and Send Emails
The next step is to craft the personalized email for the target user or audience. Often, the more specific, the better. The whole point of spear phishing is to make the email feel as natural as possible, raising no red flags in the mind of the recipients. These emails will contain harmful links and attachments or request personal or sensitive information.
Step 5: Wait for Access
Then it’s a waiting game as the attacker waits patiently for their targets to take the intended action, whether downloading a file, clicking a link, or supplying personal information. According to the 2018 Verizon Data Breach Investigations Report, it takes 16 minutes until the first click on a phishing campaign. With spear phishing attacks, it can be even faster, since the whole point is to look like an urgent request from a trusted source.
Step 6: Complete Attack Goals
From there, the hacker can complete the attack and accomplish their goals. This could be to gain access to the rest of the network to begin an advanced persistent threat or launch malware on the system.
The Trends of Spear Phishing
The whole purpose of spear phishing is to create a more targeted experience, no longer just sending out a mass email and hoping a few fish bite. In fact, 77% of spear phishing attacks are laser-focused: they target only 10 email inboxes, and 33% focus on a single inbox. But that doesn’t mean the odds of success go down. The more targeted the email, the higher the success rate.
For a typical mass phishing campaign, 4% of people click on the email links. But in comparison, at least 30% of spear phishing campaigns are deemed successful. Spear phishing attacks work, which means they will continue to be a growing presence in cybersecurity and a battle for IT professionals to fight. In fact, 42% of IT Security professionals consider spear phishing to be one of their top three cyberattack concerns.
The True Cost of Spear Phishing Attacks
The fact that 91% of successful breaches are due to phishing attacks should be enough to keep companies on the lookout, but the costs associated with these successful attacks are dramatic as well and can cause major damage to your organization.
An obvious cost that comes from spear phishing is the financial cost. 71% of breaches in 2019 were financially motivated. Spear phishing attacks are no different, even for small to mid-sized businesses. Numbers show that the cost of these data breaches can range up to $2.5 million for small businesses.
These attacks can quickly obtain valuable information like user credentials for personal or company accounts. Or they can gain access to other parts of the network, often going undetected for long periods of time, increasing their access to proprietary information.
Compared to a general phishing campaign, spear phishing campaigns cost 20x more per victim, and the return is 40x greater.
Not only do you suffer initial financial loss after an attack, but the consequences continue, resulting in a loss of future customers. According to a consumer survey, an average of one in four consumers stop dealing with a business after a cybersecurity breach, even if they don’t suffer a material loss. In a world run by data, and with consumers more aware of where their data is being saved and how it is being used, a spear phishing attack can be detrimental to your business. If not right away, then often in the long run.
Examples of Spear Phishing
While the general technique of a spear phishing attack (targeted and well-researched) is consistent, the methods can vary based on the specific campaign.
One type of spear phishing attack disguises itself as a file sharing email, sending a notification that a file has been shared with the target. However, these emails are specific, often saying that the file is shared by a contact in the target’s network, making it seem like a reasonable action. This could be your accountant sharing your W-2 through Dropbox or your boss sharing an agenda for an upcoming meeting. The purpose is to make it reasonable for the target to click on the attachment or open the link to access the malicious file.
Many recorded spear phishing attacks have been quick emails disguised as employees at the target company. This could be a request to wire money when a CEO is out of the country or a need to update information for the IT team. Social networking makes it easy to build connections between individuals and track their activities. If requests come that seem out of the ordinary, it’s essential for the recipient to ask good questions, verifying that the action has truly been requested.
Other spear phishing campaigns come from an attacker posing as someone outside of your organization who you work or interact with on a regular basis. This might come in the form of an email from a partner company, a financial institution, or your law firm, to name a few. The method’s goal is to look as normal as possible, and email communication from a source outside your company might lead you to ask fewer questions or have fewer personal interactions with the individual the attacker is disguised as.
Whaling, a related form of phishing, targets high-profile individuals. This could be anyone in the C-suite, typically someone with a high level of security clearance. That access makes it easier for attackers to reach the entire network and steal the proprietary information they need to complete their goals. These attacks are still highly targeted, even more so than a spear phishing attack, which typically focuses on lower-profile targets.
Notable spear phishing attacks
The number of spear phishing attacks continues to rise; the FBI warned of a 60% increase in 2018 in fake email schemes aimed at stealing money or tax data. Some notable attacks can help raise awareness of the potential threat.
Small Business W2 Scam
At the beginning of the 2017 tax season, a spear phishing attack was launched against businesses of multiple sizes. The attackers sent emails that appeared to come from corporate executives, requesting personal information for tax purposes. The scam compromised more than 120,000 employees at more than 100 companies. Cyber criminals impersonated a manager or senior-level executive and created a fake email address that closely matched the individual’s real one.
Ubiquiti Networks and a New CFO
One such spear phishing attack took place in June 2015 and involved Ubiquiti Networks. Their CFO had recently left the company, a period of change that left Ubiquiti open to a spear phishing attack. The new CFO received several emails from someone posing as both the CEO and the company’s lawyer, containing banking details and authorizing payments. Over the course of the attack, Ubiquiti made 14 wire transfers over 17 days to accounts in multiple countries. The result? They lost almost $47 million.
$100 Million to a Fake Company
The biggest difference between spear phishing and mass phishing is the research and focus that goes into planning the attack. This was the case with an attack based in Lithuania that targeted two tech giants in the US. The attacker set up a fake company using the same name as an Asian manufacturer that worked with the companies. They forged letters, invoices, corporate stamps, and contracts and managed to steal $100 million from the companies. This campaign shows the lengths an attacker will go to when customizing an attack.
Ways to Spot Spear Phishing Attacks
A general awareness of the intricacies of spear phishing is the first step, but a deeper level of awareness is necessary to fight back against these new, clever techniques. After all, if a foreign prince asks your employees to wire money, they might be quicker to say no than if the CEO or a supplier does. The level of specificity and research makes it even more important to spot these attacks before they make their way onto your system.
- Incorrect email addresses. Even when the name is one you recognize, make sure the email address matches up. Because spear phishing uses research to know who the target communicates with on a regular basis, the attackers will pose as a fellow employee or a frequent contact. Verify email addresses if an email, attachment, or request seems strange.
- Incorrect URLs and spelling. If an attacker includes a link, they will often purchase a domain similar to the one they are impersonating, so it is important to check for misspellings in the domain name. Taking a closer look before you click can make a big difference in the outcome. If there is a hyperlink, hover over it before you click to see where it actually leads.
- Brand inconsistencies. Another red flag is inconsistencies in the branding of an email. If it’s from a contact at a company you work with on a regular basis, but the logo looks outdated or has a different feel than their typical emails, it might be worth a second look.
- Urgent or threatening language. Often the spear phishing email will contain language intended to rush someone into taking action or clicking the malicious link. If the email sounds urgent or threatening in an abnormal way, connect with the company or individual who sent it to verify it is real.
- Requests for financial information. Even if you handle financial transactions over email, double check before you transfer or wire money based on an email request. This could involve making a quick phone call or verifying all of the information before you send money. Spear phishing attacks are personalized and well-researched, doing all they can to look legitimate, so it’s worth the extra effort to make sure it is a valid request.
- Requests for logins. It might not be a request for money but a request for you to enter or update your login information. This should still be a red flag. It can be easy to act without thinking and type in a username and password, but that might lead to an attacker gaining a foothold on your network and causing even further damage in the future.
- Trust your gut. If your boss or CEO doesn’t typically ask you for personal information or to handle money via email, ask questions before you act. These attacks are so close to the truth that it is easy to believe they are genuine. But even if you have a slight suspicion, check before you click.
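One way to turn the checks in this list into a repeatable triage step, as an added example that is not part of the original article: the script below parses a raw message, compares the display name against a constructed contact directory, compares the sender and link domains against a constructed list of trusted domains (catching homoglyph swaps such as "rn" for "m" and one- or two-character typosquats), and flags Reply-To mismatches, link text that points somewhere other than its href, and urgency or rush-payment wording. The trusted domains, the contact table, the two sample messages and the quarantine threshold are assumptions made for this example, not values from the page.

```python
"""Spear phishing indicator checks over a raw email message.
Added example; trusted domains, contacts, samples and threshold are constructed."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains this (hypothetical) organization trusts.
TRUSTED_DOMAINS = ("example-corp.com", "dropbox.com", "paypal.com")
# Constructed directory: display names employees recognise -> the real address.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example-corp.com"}
# Character swaps commonly used to register lookalike domains; applied in order.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URGENT_WORDS = ("urgent", "immediately", "right away", "within the hour", "asap")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels of a host name (a naive eTLD+1, enough for .com-style names)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain):
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_homoglyphs(domain) == normalize_homoglyphs(trusted):
            return trusted
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return a list of (indicator, detail) findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # A familiar name on an unfamiliar address is the first bullet in the list above.
    for name, real_addr in KNOWN_CONTACTS.items():
        if name in display.lower() and addr.lower() != real_addr:
            findings.append(("display_name_mismatch", f"'{display}' sent from {addr}, expected {real_addr}"))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("lookalike_sender_domain", f"{from_domain} resembles {imitated}"))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registered_domain(reply_to.split("@")[-1]) != from_domain:
        findings.append(("reply_to_mismatch", f"Reply-To {reply_to} differs from From {addr}"))
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    for href, text in LINK_RE.findall(body):
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", text)  # the URL the reader *sees*
        if shown and registered_domain(shown.group(1)) != href_domain:
            findings.append(("link_text_mismatch", f"text shows {shown.group(1)}, href goes to {href_domain}"))
        imitated = lookalike_of(href_domain)
        if imitated:
            findings.append(("lookalike_link_domain", f"{href_domain} resembles {imitated}"))
    lowered = (msg.get("Subject", "") + " " + body).lower()
    if any(word in lowered for word in URGENT_WORDS):
        findings.append(("urgent_language", "subject or body uses pressure wording"))
    if re.search(r"\b(wire|transfer)\b.*\b(today|now|immediately)\b", lowered, re.S):
        findings.append(("payment_request", "asks for a rush wire or transfer"))
    return findings


def triage(raw_message, threshold=2):
    """Quarantine when two or more independent indicators fire (constructed threshold)."""
    findings = analyze(raw_message)
    return {"verdict": "quarantine" if len(findings) >= threshold else "deliver", "findings": findings}


# Constructed sample: known name, lookalike sender domain, foreign Reply-To, disguised link, rush payment.
SAMPLE_SPEAR = """From: "Dana Reyes (CFO)" <dana.reyes@exarnple-corp.com>
Reply-To: dana.reyes@mail-relay-example.net
To: a.patel@example-corp.com
Subject: Urgent: vendor payment before 5pm
Content-Type: text/html

<p>I am in meetings all day. Please wire the attached invoice amount today,
and confirm via <a href="http://paypa1.com/login">https://www.paypal.com/login</a>.</p>
"""
# Constructed sample: internal sender, link text and target agree, no pressure wording.
SAMPLE_BENIGN = """From: "IT Helpdesk" <helpdesk@example-corp.com>
To: a.patel@example-corp.com
Subject: Monthly newsletter
Content-Type: text/html

<p>The new VPN guide is on the intranet: <a href="https://intranet.example-corp.com/vpn">https://intranet.example-corp.com/vpn</a>.</p>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPEAR, SAMPLE_BENIGN):
        print(triage(sample))
```

The two-indicator threshold is deliberate: any single check (a new vendor domain, a legitimate Reply-To to a ticketing system, an honest "urgent" subject) produces false positives on its own, while a familiar name on a lookalike domain combined with a disguised link or a rush payment request is the pattern the list above describes. The homoglyph table and the naive two-label domain extraction are simplifications; a production filter would use a public-suffix list and a fuller confusables table.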
Tips for Spear Phishing Prevention
The number of spear phishing attacks continues to grow, and they successfully make their way past employee defenses. This makes it more important to create a plan to fight back and prevent these attacks. It only takes one person clicking on the malicious link or entering their credentials for an attack to successfully make its way onto your network.
Invest in employee education.
Your employees need to know how to spot the signs of phishing emails so they can avoid them and report them. But if they don’t have the training to know how targeted and sophisticated these emails can get, it will be a challenge to fight back. According to KnowBe4’s 2019 Phishing by Industry Report, the average phishing failure rate is 30% for organizations that have done no prior security awareness training. The good news? That number was cut in half after 90 days of testing and training, and after 1 year that average failure rate drops to only 2%. Provide regular training for your employees to keep these cyberattacks top-of-mind so they are continually aware of what to watch out for.
Limit personal information available online.
This can mean removing employee email addresses from your company website and offering a form for people who need to contact you. It can also extend to recommendations for your employees to keep their social networking private or limiting the personal information that is shared with the general public.
Don’t send sensitive information via email.
Have your company create a policy that personal or login information isn’t sent via email. This can set the standard for how this sensitive information is shared, so if an email request is made of your employees, they will be quick to realize something isn’t right.
Run a spear phishing simulation.
Another way to test your company preparation is to run a simulation to test your security defenses and your employee knowledge. Third-party vendors can run simulated spear phishing campaigns against your company to see where the gaps are in your employee training and security technology. It can be helpful to know where you need to perform better before an actual attack makes its way onto your network through employee endpoints. This can also put security top of mind for employees because they know what to look for and how to act within your processes.
Use multi-factor authentication.
Multi-factor authentication adds a layer of protection by prompting users to provide additional proof of identity (beyond their username and password) when accessing the network. So even if their login information is compromised, the attacker still needs that additional factor to gain full access to the system. This can mean the difference between simply resetting a user’s password and launching an investigation into a potential breach.
Invest in endpoint security.
A single employee’s security risk can greatly impact your entire network. That’s why security technology at the user level must be your first line of defense. Investing in endpoint security technology such as next-generation antivirus can protect against ever-changing malware and help you monitor your endpoints, stopping an attack in its tracks before it spreads across your network.
Go deeper with detection and response.
What if a sophisticated attack makes it past your defenses? How do you find it and fight back? That’s where managed detection and response technology comes in. When an attacker uses legitimate user credentials obtained through a spear phishing attack, you need a way to detect it. This technology focuses on the behavior behind the data, detecting abnormal user activity and notifying you before it causes additional harm.
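An added example, not part of the original article or any vendor’s product, of the behavior-based detection described above: it builds a per-user baseline (countries, devices and hours of activity) from a constructed sign-in log, then flags a login from a never-before-seen country on a never-before-seen device, two logins from different countries too close together to be the same person, and sensitive mailbox actions outside the user’s usual hours. The event format, the "ZZ" placeholder country code, the two-hour travel window and the two-alert investigation threshold are all assumptions made for this example.

```python
"""Behavior-based detection of stolen-credential use over a sign-in log.
Added example with constructed data; thresholds are assumptions, not a product's logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: (ISO timestamp, user, country, device id, action).
# "ZZ" is a placeholder code for an unfamiliar source, not a real country.
EVENTS = [
    ("2023-03-01T08:50:00", "dana", "US", "laptop-dana", "login"),
    ("2023-03-02T09:05:00", "dana", "US", "laptop-dana", "login"),
    ("2023-03-03T08:58:00", "dana", "US", "laptop-dana", "login"),
    ("2023-03-03T14:00:00", "dana", "US", "laptop-dana", "bulk_download"),
    ("2023-03-01T10:00:00", "ari", "US", "laptop-ari", "login"),
    ("2023-03-02T10:10:00", "ari", "US", "phone-ari", "login"),
    # Activity after the baseline window; "dana" shows the post-phish credential-use pattern.
    ("2023-03-13T09:00:00", "dana", "US", "laptop-dana", "login"),
    ("2023-03-14T03:10:00", "dana", "ZZ", "unknown-7f3a", "login"),
    ("2023-03-14T03:12:00", "dana", "ZZ", "unknown-7f3a", "mailbox_rule_created"),
    ("2023-03-14T03:15:00", "dana", "ZZ", "unknown-7f3a", "bulk_download"),
    ("2023-03-14T10:00:00", "ari", "US", "laptop-ari", "login"),
    ("2023-03-14T10:40:00", "ari", "ZZ", "phone-ari", "login"),
]
BASELINE_CUTOFF = datetime(2023, 3, 11)  # events before this date define "normal" (assumed)
TRAVEL_WINDOW = timedelta(hours=2)       # assumed minimum gap between two countries
SENSITIVE_ACTIONS = {"mailbox_rule_created", "bulk_download", "mfa_reset"}


def build_baseline(events, cutoff):
    """Per-user sets of countries, devices and activity hours seen before the cutoff."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ts, user, country, device, _action in events:
        t = datetime.fromisoformat(ts)
        if t < cutoff:
            base[user]["countries"].add(country)
            base[user]["devices"].add(device)
            base[user]["hours"].add(t.hour)
    return base


def detect(events, cutoff=BASELINE_CUTOFF):
    """Return (timestamp, user, rule, detail) alerts for activity after the cutoff."""
    base = build_baseline(events, cutoff)
    last_login = {}
    alerts = []
    for ts, user, country, device, action in sorted(events):  # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        prev = None
        if action == "login":
            prev = last_login.get(user)
            last_login[user] = (t, country)
        if t < cutoff:
            continue  # baseline period is only learned from, never alerted on
        b = base[user]
        if action == "login":
            # Requiring BOTH a new country and a new device keeps ordinary travel quiet.
            if country not in b["countries"] and device not in b["devices"]:
                alerts.append((ts, user, "new_country_and_device", f"{country} / {device}"))
            if prev and prev[1] != country and t - prev[0] < TRAVEL_WINDOW:
                minutes = int((t - prev[0]).total_seconds() // 60)
                alerts.append((ts, user, "impossible_travel", f"{prev[1]} -> {country} in {minutes} min"))
        elif action in SENSITIVE_ACTIONS and t.hour not in b["hours"]:
            alerts.append((ts, user, "off_hours_sensitive_action", action))
    return alerts


def users_to_investigate(alerts, threshold=2):
    """Users with at least `threshold` alerts; single alerts stay lower-confidence signals."""
    counts = defaultdict(int)
    for _ts, user, _rule, _detail in alerts:
        counts[user] += 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print("investigate:", users_to_investigate(found))
```

The point of the example is the correlation step: a stolen password is used with a valid username, so no single login is "wrong", but a new device in an unfamiliar location followed within minutes by a mailbox forwarding rule and a bulk download at 3 a.m. is the sequence that follows a successful spear phish. A real platform would replace the hour set with a learned distribution and the country comparison with geodistance, but the baseline-then-deviation structure is the same.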
The challenge is great, but not impossible.
The data shows these spear phishing attacks are a true threat, preying on a network’s weakest points in a sophisticated, targeted way. But that doesn’t mean it is impossible to overcome. With the right training and technology, your organization can fight back to protect your employees and network from spear phishing attacks.