By now, pretty much anyone who uses email is familiar with the term “phishing,” and is aware of the prevalence of phishing scams. However, the term “spear phishing”—and what it means exactly—might be a bit more elusive.
What is Spear Phishing?
Essentially, spear phishing is a more targeted and socially engineered version of a spray-and-pray, bait-and-hook, phishing email. If you think some phishing emails are hard to decipher from legitimate ones, you’d be amazed at the cunning deceit and trickery involved in a cybercriminal’s crafting of a spear phishing email.
Spear Phishing – Establishing the Ruse
Bad actors go to great lengths to research and craft their phishing lures with details and specifics that make an email in a key employee’s inbox appear genuine and deserving of a response. They research their targets—ones who typically have access to valuable data, finances, and the authority to make things happen—via social engineering sites as well as pages across the web and elsewhere in the public domain to put together a convincing story, or at least a convincing request, that increases the likelihood a recipient will be fooled by the proposal and act to their own detriment.
The consequences can be catastrophic. Check out this microlearning session to see how the USAID spear phishing attack led to a widespread malware attack.
Spear Phishing vs. Phishing
How do spear phishing attacks differ from standard phishing attacks?
While phishing is a general term that can apply to all forms of phishing, it is most often used to describe the generic approach cybercriminals use to lure in their victims.
Threats actors will often cast a wide net using a seemingly endless list of emails at their disposal, without focusing on any individual or group. This requires they use generic language that avoids specifics.
For example, saying, “You’ve won!” or “Your device is infected” doesn’t reveal any particular information that proves the sender is speaking to you, the reader, specifically. It doesn’t share where you entered the drawing or contest, and the warning message doesn’t identify what type of device you have. In typical phishing attacks, such details are left out so the messages will appeal to as wide and general an audience as possible.
Spear phishing, on the other hand, relies on the details of carefully crafted messages. It entails more work as each email that gets sent requires attacks to conduct enough research to customize their email missives to the extent they appear authentic. While a lot more toil is involved the diligence is often worth the reward.
Spear phishing vs. phishing is a case of quality over quantity, and the quantity can come in the form of tens of thousands of dollars if things go right and the target is, for example, a high-profile figure in a large enterprise firm’s accounting department.
So, where’s the greater payoff between the two? Well, cybercriminals don’t have too strong a preference and constantly employ both methods. They use mass phishing to try to increase their overall odds of success. And they employ spear phishing to increase their odds within a targeted group.
The more specifics an attacker includes, the more a general selection of recipients will immediately recognize the email as fraudulent or—at least—not pertaining to them. However, by the same token, the greater the detail the more likely a select group of recipients will view the email as legitimate and react according to the attacker’s wishes.
What is Whaling?
While spear phishing is a form of phishing, whaling is a form of spear phishing. In this case, the attackers are like Captain Ahab, the spear is a harpoon, and the target is Moby Dick.
Well, not exactly. But whaling attacks do focus in on sizable victims, such as C-level executives and those who hold the purse strings of successful corporations. Anyone who, because of their position, network, or authority to approve big dollars, is seen as a lucrative target.
Essentially, whaling is an even more specified form of spear phishing, that requires a bad actor to conduct a good deal of research and social engineering to produce a convincing ruse that compels the victim to act. That may entail providing funds, giving up their online credentials, or some other action that whaler is after. Whatever the case, the payoff can be eye-popping.
Understanding the Specifics of Spear Phishing
In spear phishing, there are three main areas where a bad actor uses specifics in an attempt to convince you of their credibility:
1. They are specific about whom they impersonate.
They may claim they are a title, i.e., your manager, or use a specific name after conducting online research of org charts. They may even use an email address that fools you into thinking they are who they say they are.
2. They are specific about their target.
Phishermen may choose a specific place of business, a team within that business, or an individual to directly attack. Through their research, these attackers may be able to persuade target recipients into trusting them enough to provide the information or take the action they seek.
3. They are specific about their request.
A spear phishing email will typically include an urgent call to action. For instance, it might implore you to update a password for a particular software program. If you use that software, you may unwittingly act quickly so you can continue working. And once you’ve taken the bait, attackers reel you in and do their damage.
What Helps Protect From Spear Phishing?
There are several things you can do to stay safe from spear phishing attacks:
1. Phishing Simulations and Lessons (Top Priority)
Teach and train your employees to properly identify phishing and spear phishing emails. Utilize phishing simulations that are directly paired with specific education about the test email they received so employees can learn what to watch out for.
2. Ongoing Security Awareness Training (Top Priority)
Teach and train your employees about the latest scams infiltrating inboxes in your industry. If your security awareness training is still referencing the Target breach of 2014 as a “current event,” you’re way past due for an update in training content.
3. Enable “Outside Your Network” Banners/Labels in Your Email System.
Labeling emails that come from outside your network can help employees be wary of a sender’s email that falsely claims to come from a fellow employee or internal department.
4. Effectively Communicate Change Management Rules
Develop firm instructions on how you will communicate any changes to employees. For example, language such as “We will never ask you to share your info/update your password in the following way…” That way if they receive instructions through a phishing email that deviate from your established practice, your employees will be suspicious and not fall for the ruse.
5. Embrace Person-to-Person Confirmations
Many spear phishing attempts focus on finance teams in efforts to have them wire money or send payments. Threat actors will impersonate customers, vendors, or fellow employees.
While it may be easy to impersonate someone via email, it’s much harder to impersonate them face-to-face. To better protect your organization, develop policies and follow practices that require person-to-person confirmation, such as approvals for wire transfers or invoice payments above a certain amount.
6. Don’t Overshare
Avoid oversharing details about things like your company’s org chart, which gives cybercriminals insight into your organization’s structure and informs them on whom they should attempt to impersonate.
Employees often overshare via email, particularly with “Out of Office” replies. These often include the contact information of others in the employee’s absence, and typically the dates the employee will be gone. This gives a threat actor an opportunity to pose as that employee on vacation using a “personal email” and appeal to the contact to help them immediately rectify an urgent matter.
The same goes with too much information sharing on LinkedIn, your corporate website, and other public venues where information on your org chart and other insider details might be leveraged for spear phishing attacks when fallen in the wrong hands.
7. Monitor for Account Takeovers
If your organization is like most, you have compromised usernames and passwords floating around on the dark web—and you may not even know it. For now, you may not notice any suspicious activity with the account, yet cybercriminals could be lying in wait for the right moment to make their attack.
As a result, it’s vitally important to implement account takeover monitoring within your organization’s IT security processes. Quickly discovering and updating an account once it’s been compromised can be the difference between thwarting an attack and having to recover from an incredibly painful and costly ransomware battle.
How to Stay Safe from Spear Phishing, Phishing, and Whaling
Sound cybersecurity policies and documented practices are great start to fending off the various forms of phishing attacks, but they don’t hop off the page, tap your employees on the shoulder, and warn them when they are being attacked.
To keep employees engaged and ensure they know of what to be wary, you need ongoing security awareness training on current threats, scams, and trickery. Only then will employees remain prepared to identify these tricks and effectively defend against them.
If you’d like to see how an ongoing security awareness program can empower employees to better defend themselves against attacks like spear phishing, have a look at Arctic Wolf Managed Security Awareness®