As cyber security companies work to step up their game to prevent cyber attacks and data breaches, hackers also continue to adapt their strategies, seeking new and innovative ways to scam victims out of thousands or millions of dollars. One way they do this is by using spear phishing attacks.
What is a Spear Phishing Attack?
Spear phishing vs. phishing: what is the difference between the two? Both are online attacks carried out for the express purpose of acquiring confidential information or conning organizations out of money. The significant difference is how generic or targeted they are.
Unlike regular phishing, which aims to hook anyone willing to bite (think: Nigerian Prince), spear phishing attacks target specific individuals or organizations for a “long con.” TechTarget offers the following spear phishing attack definition:
“Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Spear-phishing attempts are not typically initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.”
Spear phishing attacks are far more successful than the untargeted efforts of generic phishing emails. According to a report from FireEye, “spear phishing emails had an open rate of 70 percent... Further, 50 percent of recipients who open spear phishing emails also click on enclosed links, which is 10 times the rate for mass mailings.”
Why are targeted phishing attacks so successful?
1. Each Spear Phishing Email Looks Authentic
Hackers spend a lot of time and effort planning their spear phishing attacks. They design their fake emails to look as accurate and authentic as possible to convince the intended victims that they are from a legitimate source. This means using imagery/graphics, design, language, and even sender addresses (look-alike domains, spoofed display names) that pass as real without a thorough inspection. Because they lack the bulk-mail traits that traditional phishing emails share, these messages are often missed by spam filters and other email protections.
2. Spear Phishing Messages Target Each Intended Victim
Spear phishing emails are highly personalized and use specific information to lure victims into believing they are legitimate. Sometimes, these messages are tailored to look like they are sent by a manager or even a high-level executive. They also can be customized to look like they come from a trusted vendor with whom your company conducts business.
For example, a spear phisher posed as Quanta Computer, a legitimate Taiwanese electronics manufacturer. Over two years, the phisher conned two of Quanta's major technology clients, Facebook and Google, into paying more than $100 million combined against false invoices.
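The two points above (sender addresses that pass a casual glance, and messages tailored to look like they come from an executive or a trusted vendor) are exactly what a mail-flow check should look for. The script below is an added example, not code from the article or from Clearedin; the organisation profile, the domains and the three messages are constructed for illustration. It parses raw message headers and flags four indicators: an executive's display name on an address that is not the executive's, a sender domain that is a look-alike of the company or a known vendor, a Reply-To that silently redirects replies elsewhere, and SPF/DKIM/DMARC failures recorded by the receiving server.

```python
"""Spear-phishing sender-impersonation checks (added example, not Clearedin code).

The profile, domains and messages below are constructed for illustration.
"""
import email
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical organisation profile (assumption, not from the article)
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # display name -> real address
TRUSTED_DOMAINS = {CORP_DOMAIN, "vendor-example.com"}  # own domain plus a known vendor

# Characters and digraphs that look alike in most fonts and are swapped in by attackers
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Collapse look-alike substitutions so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typosquats like 'exampl.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def analyse(raw: str) -> List[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Executive display name on an address that is not the executive's
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display-name impersonation of {known} from {addr}")

    # 2. Sender domain is a look-alike of the company or of a trusted vendor
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"look-alike domain {from_domain} imitates {target}")

    # 3. Replies routed to a different domain than the visible sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to {reply} does not match sender domain {from_domain}")

    # 4. Authentication-Results stamped by our own receiving MTA (assumed trustworthy)
    auth = msg.get("Authentication-Results", "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))
    return findings


# Constructed sample messages: one legitimate, one executive spoof, one vendor spoof
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass
Subject: Q3 budget

Attached as discussed.
"""

EXEC_SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: accounts@example.com
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass
Subject: Urgent wire before 5pm

Are you at your desk? I need a transfer processed today.
"""

VENDOR_SPOOF = """From: Accounts Receivable <billing@vendor-exarnple.com>
To: accounts@example.com
Authentication-Results: mx.example.com; spf=fail dkim=none dmarc=fail
Subject: Updated remittance details for invoice 4471

Please use the new bank account on the attached invoice.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("exec", EXEC_SPOOF), ("vendor", VENDOR_SPOOF)):
        print(label, analyse(raw) or ["clean"])
```

Note the executive spoof passes SPF, DKIM and DMARC: the attacker registered the look-alike domain and set up authentication for it, so the only signals left are the display name, the domain itself and the redirected Reply-To. That is why authentication checks alone do not stop spear phishing and why the name and domain comparisons carry the weight here.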
3. Spear Phishing Attacks Happen Over Time
Rather than trying to accomplish everything at once, spear phishers are patient with their targeted phishing attacks. They often use multi-stage attacks that involve malware downloads and data exfiltration which can be set up over weeks or even months.
According to CSO, spear phishing attacks can be broken down into three main steps:
- Infiltration — This can be done by directing users to click on a malicious link that downloads and installs malware or leads them to a fraudulent website disguised as a real one that requests vital information. Either way, the phisher can use the information or access they gain to log in to the user’s account.
- Reconnaissance — The phisher uses this opportunity to monitor and read emails to learn about the organization and identify key targets and opportunities.
- Extract Value — Using the information and knowledge gained over time, or the compromised email account itself (an account takeover, or ATO), the attacker launches further spear phishing attacks from a position the victims already trust.
4. Spear Phishing Leverages Zero-Day Exploits
When conducting spear phishing attacks, some hackers exploit zero-day vulnerabilities in browsers, desktop applications, and plug-ins, typically delivered through a malicious attachment or link. They use these exploits to compromise the intended victims' computers and gain administrative access to the network and other resources, including personal and financial data.
5. Corporate Victims Often Lack the Right Tools
Many companies are not as good as they could be about keeping their cybersecurity protections — email filters, firewalls, and network-level protections — up to date. This creates gaping holes in their cyber defenses that hackers and insider threats (such as unhappy former employees or contractors with a grudge) can walk through. This leaves businesses vulnerable to all types of threats, including spear phishing attacks.
6. Companies Lack or Don’t Enforce Computer Use Policies
Every business should have a Computer Use or Acceptable Use policy in place. Often that is not the case, and even where one exists, these rules are only effective when they are:
- Kept up to date,
- Followed by employees, and
- Enforced by the company.
Organizations that fail to educate employees about these policies or enforce them leave themselves vulnerable when their equipment is used for prohibited purposes.
7. Employees Are Uneducated/Ignorant of Phishing Risks
Many employees are ignorant of the threat that a spear phishing attack poses to businesses. Every day, companies around the world trust the safety and security of their business and customers to employees who don’t know how to recognize a targeted phishing attack — or, if they do, may not pay attention and click on a bad email anyway.
8. Companies Lack Anti Phishing Platforms Designed for Spear Phishing
According to a survey from The Ponemon Institute and Valimail, “Eighty percent of respondents are very concerned about the state of their companies’ ability to reduce email-based threats, but only 29 percent of respondents are taking significant steps to prevent phishing attacks and email impersonation.” Only 69% of the 650 surveyed IT and IT security experts report using anti-spam or anti phishing filters, with only 63% saying they use them to prevent impersonation attacks.
However, many of these filters are ineffective against spear phishing attacks because they are built to identify generic phishing tactics. This is why companies need to invest in an anti-phishing platform that is designed to identify spear phishing.
Why You Should Invest in Spear Phishing/Anti Phishing Services
As you can see, there are many reasons to invest in a targeted anti-phishing service. Another equally (if not more) important reason is that phishing becomes a compliance issue for any company that falls victim to a spear phishing attack.
In addition to costing them potentially millions of dollars in financial losses, corporations that don’t step up their internal controls to prevent phishing fraud can face additional costs in securities violations.
According to a report from the Securities and Exchange Commission (SEC):
“While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.”
Clearedin is an anti-phishing service that protects users and organizations against these targeted spear phishing attacks. Our platform identifies spear phishing emails using an individualized Trust Graph of your organization’s chat and email communications platforms (Gmail, Slack, and Office 365) to catch these malicious emails before they hook your employees.