What Is Spear Phishing?
How often have you been asked: “What is spear phishing, and how can I protect myself from it”? Well, if you work in this office, the answer is - a lot. So let’s start with the basics.
Any attack using email with the intent to obtain sensitive information, cause financial loss, or install malicious software (malware) on the user's device is a phishing attack. These attacks try to exploit a victim by using email messages to trick them into believing the initial contact is coming from a reputable source.
Phishing attacks can be split into three categories according to their target:
- Phishing attack: No specific target, aimed at anyone it can reach
- Spear phishing attack: Targeting specific individuals regardless of their position
- Whaling attack: Targeting prominent individuals
What Is a Phishing Attack?
All phishing attacks are engineered to trick you into believing they’re coming from a trusted source; in most cases, they attempt to impersonate a government body or reputable service. Basic phishing attacks aren’t targeted at anyone in particular - they compromise whoever they can reach, and they’re very effective - 90% of company security breaches occur due to phishing.
What Is a Spear Phishing Attack?
Spear phishing attacks target specific individuals or businesses: The difference between phishing and spear phishing is in the way the email is engineered and the specificity of the target. Spear phishing emails are crafted to appear to come from somebody in the company, usually a higher-up or a co-worker asking you to do something urgently.
What Is a Whaling Attack?
As its name suggests, a whaling attack is an attempt to exploit a victim using email messages, but the target is a high-ranking member of an organization. Usually, whalers try to pose as another company or service, prompting the user for urgent action.
But how do these attacks hide their original address to prevent being tracked and classified as spam? The answer is email spoofing.
Email spoofing is a way of hiding an email’s original sender from the recipient. This can be done by altering the email’s header fields (the visible “From” address in particular); still, such a fake is usually easy to spot upon closer inspection. That’s part of the reason attackers amplify the urgent tone of the email: to stop you from checking the sender's address.
There is another way to hide the original sender, but it relies on malware. For example, say a user - let’s call him Bob - gets a spear-phishing email with an infected file, and downloads said file to his device. Without Bob's knowledge, malicious software now has access to his email address book and starts sending out emails to his co-workers and friends. Luckily, such emails are easier to track down and neutralize, as current anti-virus software can easily identify attached malicious files.
Example of Spear Phishing
Since most official emails combine the employee's name with the company or organization’s domain, attackers will first conduct reconnaissance to identify how this naming rule works in a specific firm. Once they determine which addresses don’t bounce back, they know which mailboxes will receive their messages. Other good sources of addresses are the company’s and employees’ social media pages.
Their next step is to figure out the email messaging structure used in the office. For that purpose, they’ll try to gather out-of-office emails or check if recent data leaks have any data from the targeted company they can use.
Once the attacker has enough information, they will launch a spear-phishing email at an unsuspecting individual, impersonating a higher-ranking person they have identified and gathered enough data on to imitate convincingly.
Most spear phishing attacks rely only on social engineering to trick you into believing you’ll be in trouble if you don’t act immediately. Just remember - rash actions lead to bad decisions.
Anti-Spear Phishing Security Measures
No program can stop all spear-phishing attacks, since they are made to look like a genuine email sent by someone you know. Still, that doesn’t leave you completely exposed - your last line of defense is yourself!
How To Protect Yourself from Spear Phishing Attacks:
- Check the sender's email
- Examine attachments before downloading
- Don’t rush with “urgent” emails
- Verify if the email is real
Investigating Sender Email
As mentioned, spear-phishing emails will use spoofed addresses to trick you into believing they’re real. If you can only see the sender's name instead of the entire email, hover over it with your mouse, and you’ll be able to see the underlying address. Watch out for any spelling mistakes or peculiarities: For example, attackers will often use 0 instead of the letter O, or the “rn” combination to trick you into thinking it says “m” (e.g., “arnazon” or “amason”).
Spear phishing attacks usually involve embedded malware; be careful when downloading any .exe, .zip, .pdf, or Microsoft 365 files. Check the file extension, and scan the file before opening it if possible - if the message says there’s an Excel file attached, it should not end in .exe.
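The two checks above (lookalike sender domains and attachments whose extension contradicts what the message claims) can be automated on the receiving side. The following is an added example, not code from the original article: the trusted-domain list and the sample messages are constructed, and the lookalike list extends the article’s two tricks (0 for O, “rn” for “m”) with 1 for l.

```python
import re

# Constructed examples: domains this hypothetical organisation trusts, the
# lookalike substitutions the article describes (0 for o, "rn" for "m") plus 1 for l,
# and the extension a document type named in the body should really carry.
TRUSTED_DOMAINS = {"amazon.com", "example-corp.com"}
HOMOGLYPHS = [("rn", "m"), ("0", "o"), ("1", "l")]
CLAIMED_TYPES = {"excel": {".xls", ".xlsx", ".xlsm"}, "word": {".doc", ".docx"}, "pdf": {".pdf"}}
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

def sender_domain(from_header: str) -> str:
    """Domain part of 'Display Name <user@domain>' or of a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one inserted, deleted or swapped character."""
    if abs(len(a) - len(b)) > 1:
        return False
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            if len(a) == len(b):
                return a[i + 1:] == b[i + 1:]
            return a[i + 1:] == b[i:] if len(a) > len(b) else a[i:] == b[i + 1:]
    return True

def lookalike_domain(from_header: str):
    """Trusted domain the sender imitates, or None if it is trusted or unrelated."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return None
    normalized = domain
    for fake, real in HOMOGLYPHS:  # undo the character tricks, then compare
        normalized = normalized.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted or within_one_edit(domain, trusted):
            return trusted
    return None

def attachment_mismatch(body: str, filename: str):
    """Why the attachment is suspect (executable, or extension contradicts the body), else None."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in EXECUTABLE_EXTS:  # catches double extensions like report.xlsx.exe too
        return f"executable attachment {ext}"
    for word, exts in CLAIMED_TYPES.items():
        if re.search(rf"\b{word}\b", body.lower()) and ext not in exts:
            return f"body says {word!r} but attachment ends in {ext or '(none)'}"
    return None
```

Both functions are heuristics meant to raise a flag for a human to verify, not to replace the “contact the sender another way” step.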
If the email subject includes words like “Urgent,” “Important,” “Request,” or similar, double-check everything. No matter how urgent a real-life task is, taking five minutes to cover all your bases won’t make a difference to the outcome.
Still unsure if the email is genuine? Contact the sender through another avenue. If it’s an online service, you can reach back out to them using contact information from their website. If it’s a company email, contact your IT department. If you can’t find a way to verify it - don’t engage further, and definitely don’t download any files from it.
What if You Interacted With a Spear Phishing Email?
Opening and viewing an email won’t harm you, but what if you downloaded the attachment or clicked on the provided link? Since we can’t cover all the scenarios, here is a short list of things you can do to minimize the risk:
- Disconnect from the internet.
- Do not interact with the downloaded file or web page.
- Perform a full scan using antivirus software.
- Contact your IT department.
- Change your passwords using a different device.
Spear Phishing Prevention
Attack methods keep evolving each day, and we need to stay up to date with the current practices to prevent vulnerabilities.
Phishing attacks use human engineering (i.e., social techniques, not software) to avoid most security software. To combat that, we need to strengthen our human element: Knowledge is power, so stay up to date with the current security threats and ways to combat them, and you will be much better prepared to keep your private data safe.
Keep your security software up to date. If you don’t have any, get some. In today's market, you can find plenty of decent antivirus software, and it might even be free for non-commercial use. At the end of the day, it’s always better to have some protection than none.
Two-Factor Authentication (2FA)
Spear phishing emails often include links to websites where you enter your credentials to log in, but nothing (that you can see) happens, because the website isn’t real. It’s there to steal your login info. If you have 2FA enabled, however, the attacker can’t do much with the password alone, since they don’t have access to your cell phone to complete the authentication. If this happens to you, you should be safe, but change your password for that particular platform nonetheless.
Limit the amount of personal data you share about yourself and your company on social media. The less the attackers know about you, the less they can use against you.
Spear phishing emails target one individual; phishing emails are a more general attack and don’t have a designated target. They are sent en masse to random users, which is why they’re known as shotgun phishing.
There are a couple of scenarios that keep recurring with spear-phishing attacks:
- Somebody is trying to impersonate a higher-up to get an underling to provide sensitive data or perform a wire transfer, with an urgent overtone.
- Another popular spear-phishing email tactic is for the attacker to impersonate an online service you are subscribed to, telling you to change your password or reprocess a payment immediately.
- Someone claiming to be your co-worker sends you a very important file you need to check right now. Once you download the file, it turns out to be malware.
You’ll notice that all these methods rely on a sense of urgency to stop you from confirming whether the emails are authentic. Don’t fall for it - nothing work-related is so urgent that you can’t take a few minutes to make sure it’s genuine.
Spear phishing targets a specific individual with the intent to gain access to sensitive information, cause financial loss, or install malicious software, usually ransomware. It’s called that because it’s not as random and extensive as “regular” phishing.