Spear Phishing 101:

What It Is and How to Prevent It


Introduction

What Is Spear Phishing?

How Spear Phishing Works

How Spear Phishing Targets Are Chosen

Types of Spear Phishing

How to Identify Spear Phishing

You Clicked on a Phishing Link: Now What?

Spear Phishing Prevention: The Basics

Introduction

What is spear phishing? Among the many types of phishing scams, spear phishing remains the most popular avenue for attack, used by 65% of all known threat actors. Unfortunately, employees tend to be the weak link in most businesses’ anti-phishing strategy.

The FBI Internet Crime Complaint Center (IC3) received a record number of consumer complaints in 2020. Phishing scams were prominent, receiving 241,342 complaints and adjusted losses of over $54 million. The number of ransomware incidents also increased, with 2,474 incidents reported.

In this article, we’ll break down everything you need to know about spear phishing: you’ll learn how a spear phishing attack works, how targets are chosen, common methods of attack, and what steps you can take to protect your business.

What Is Spear Phishing?

Spear phishing is a type of scam in which cybercriminals send highly customized emails to specific individuals within an organization. Spear phishers portray themselves as known or trusted people or entities, fooling victims into providing sensitive information, sending money, or downloading dangerous malware.

Spear Phishing Vs. Phishing

Both phishing and spear phishing are cyber-attack methods that attempt to attain sensitive or confidential information online. Whereas phishing attacks are general, spear phishing attacks are targeted.

A scammer can send one phishing email to thousands of recipients at once, casting a wide net in trying to snag victims. But spear phishing attempts to target vulnerable individuals using specific lures and personal information to establish trust.

What Makes Spear Phishing So Effective?

Over time, phishing scams have evolved from laughably easy-to-spot “Nigerian prince” scams into well-researched and remarkably effective campaigns that are difficult to detect and stop.

By using social engineering techniques, scammers provide information that lends credibility to their emails. They use this leverage to create believability, hoping to convince an innocent victim to believe their scheme and cooperate.

Why Is Spear Phishing So Dangerous?

Once scammers convince their target that they are trustworthy, they may gain access to sensitive company data, banking or credit card information, and wire transfers. This can cause wide-ranging fraud and system security infiltration.

Experienced spear phishers are remarkably effective in gaining footholds they can use to begin advanced persistent threat (APT) campaigns that wreak long-term damage.

How Spear Phishing Works

There are several ways spear phishing attempts can be carried out. Common methods include:

  • A spear phisher sends an email to their target. That email may include malicious links or attachments that the target will be asked to open, downloading malware or ransomware to their computer.

  • A spear phisher sends an email that directs the target to a spoofed website in which the target is asked to provide personal or confidential information such as PINs, account credentials, or access codes.

  • A spear phisher poses as a friend, co-worker, boss, or other trusted entity asking for access to social media accounts or usernames and passwords to glean information that they will use to exfiltrate data elsewhere.

How Spear Phishing Targets Are Chosen

Scammers choose spear phishing targets based on what information a person may have access to and what information they can gather about that person. Spear phishing targets are usually not high-level executives or decision-makers. On the contrary, spear phishing targets are explicitly chosen for their lack of knowledge or experience so that the scammer can manipulate them more easily.

Lower-level or newer employees may not be aware of policies or procedures they must follow that may preclude a spear phishing attempt, making them easy victims.

Another category of spear phishing target is not the conventional “Very Important Person,” but rather a “Very Attacked Person.” These targets are chosen because they are likely to have access to sensitive and confidential information, and they get a large volume of emails everyday that they execute on almost from muscle memory. These targets include users like Chiefs of Staff to the C-team, accounts payable teams, payroll teams, and HR employees.

Types of Spear Phishing

There are many different types of phishing scams. The most common techniques used in spear phishing include CEO fraud scams, malicious links and ransomware attacks, clone phishing attacks, and brand impersonation attacks.

CEO Fraud Scams

Would you say no to an urgent request from your boss’s boss? Criminals often target key individuals in accounting and finance departments using CEO email fraud and Business Email Compromise (BEC) scams. Scammers impersonate CEOs and company officers, using their influence to trick employees into purchasing gift cards or wiring money to external accounts.

Malicious Attachments and Ransomware Attacks

If you receive an email with attachments or links that look suspicious, don’t click them! An easy way to confirm link integrity is to hover over the link, which will display the link’s complete address. Even legitimate users can unknowingly pass on malicious links, so always check the source of a link or attachment to be safe.

Clone Phishing Attacks

In clone phishing attacks, the attacker creates an “update” of a legitimate email message, hoping to trick the recipient into thinking it’s real. However, the scammer inserts a malicious link or attachment into the email in place of the original one.

Brand Impersonation Attacks

Attackers often impersonate trusted brands and service providers in emails that replicate common email workflows that we legitimately receive from these brands. Instead of genuine links, however, scammers insert links to spoofed login pages in these emails to steal victims’ account credentials. Examples of brand impersonation include banks, shipping companies, and even video streaming services.

How to Identify Spear Phishing

Use our SPEAR method to easily identify a spear phishing attempt:

  1. S

    pot the sender

  2. P

    eruse the subject line

  3. E

    xamine links or attachments

  4. A

    ssess the content

  5. R

    equest confirmation

Spot the Sender

A commonly used tactic in spear phishing involves sending an email from a domain name that looks like a well-known business or organization — but isn’t. For example, lowercase letters “r” and “n” next to each other can look like the letter “m” at first glance (like “walrnart,” “arnazon,” or “bankofarnerica”).

If you don’t think you could be fooled by something so obvious, think again. Even the sharpest users are often fooled by this method, especially if they regularly get real emails from spoofed companies.

Peruse the Subject Line

Subject lines in spear phishing emails attempt to strike urgency or fear to prompt the recipient to act quickly. Using words like “Important,” “Urgent,” or “Account Past Due” are common red flags used to garner attention.

Creating a sense of familiarity or using language like “Request,” “Follow Up,” or “Fwd:” attempts to make the recipient feel that a relationship exists or a conversation has already occurred.

Many scammers employ long-term spear phishing strategies, building relationships that ultimately pay off in achieving their goals — and often bringing companies to their knees in the process.

Examine Links or Attachments

Spear phishing emails often include embedded malware in .zip files, .exe files, PDFs, Excel, and Word documents. Also, be on the lookout for forms that request sensitive information, even if they seem trustworthy at first glance. Attackers use free online services like Typeform and Google Forms to collect sensitive data while also getting past email security filters.

Assess the Content

If you’ve ever received an email containing information about you from someone you purportedly know, remember that what seems like personal information can easily be found online.

Scammers can glean addresses and phone numbers, names of family members, and even pet names from public records and social media accounts.

Request Confirmation

If you’ve performed all of the above checks but something still doesn’t seem right, go with your gut. Rather than reply to a suspicious email and risk a spear phishing attack, send a new email to the address you have on file to confirm whether a request is legitimate. If you have the sender’s contact number, you could also call or text them to double-check your suspicions.

So, you accidentally clicked on a phishing link. What should you do next to minimize the damage? While steps may differ depending on the type of link you clicked, here are some general DOs and DON’Ts:

  • DO NOT

    enter any data

  • DO

    disconnect from the internet

  • DO

    perform a full scan of your machine using antivirus software

  • DO

    change your passwords immediately

  • DO NOT

    hesitate to alert your IT security team

Spear Phishing Prevention: The Basics

The best offense is a good defense. While you may not avoid all cybersecurity incidents, having an airtight security plan is an excellent place to start.

Provide Security Awareness Training

Knowledge is power — but only if you use it correctly. Training employees on security measures isn’t a one-and-done proposition. With the sophistication and constant evolution of cybersecurity threats, it’s imperative that employee awareness training is an ongoing process.

Consider adding cybersecurity information to onboarding procedures and new employee reference materials. Administer regular refresher training for all employees — including management — to keep your sensitive data and systems safe.

Use Multi-Factor Authentication (MFA)

Using multi-factor authentication (MFA) can significantly reduce the impact of spear phishing attacks. MFA requires a user to provide two or more identity verification factors to access protected resources, decreasing the likelihood of spear phishing success.

Even if a password is compromised, it’s useless without the additional required authentication steps. However, it’s also important not to reuse the same password across multiple accounts, which we’ll expand upon in the next section.

Implement Strict Password Management Policies

According to a Google survey, only 45% of Americans would change their password to an online account following a known data breach. Having loose (or non-existent) password management policies puts your business at risk. Here are some password policy best practices to consider:

  • Use password management software, such as LastPass

  • Prohibit password sharing

  • Create password complexity and minimum length standards

  • Require unique passwords or use a password generator

  • Set maximum password age

Maintain Regular Backups and Security Patches

We cannot overstate the importance of running regular backups and installing security patches. Recovering your data after a breach is impossible if there are no data backups to restore. Patch management keeps your software up to date, providing additional security measures as they become available from software manufacturers.

Install Email Security Software

Last but not least, investing in a trusted email security software is your best bet in thwarting spear phishing attempts. Email security software helps protect your human layer from compromise, identifying common attack signals over email and other cloud office applications and remediating threats before they cause harm.

Spear phishing will continue to increase in sophistication and volume for the foreseeable future. Make sure you’re practicing anti-phishing strategies to protect your company — and your employees — from data breaches, identity theft, and corporate espionage now.

To learn more about how to stop targeted email attacks like spear phishing, read our Office 365 focused whitepaper below: