What is Spear Phishing?
What's the difference between Spear Phishing and regular spam?
Unlike regular phishing emails which are sent out to masses of people at the same time, Spear Phishing is targeted at particular individuals. The goal is ultimately the same though; to lure the victim into clicking on a malicious URL, or to open an attachment.
What really sets Spear Phishing attacks apart is the degree of personalisation involved, hackers will including the victim’s: Name, Job-title, Company, or even mention colleagues or companies they work with. It is these clever customisations that make these attacks so much more likely to fool a victim than the average spam email from a wealthy Prince.
So Spear Phishing isn’t about petty crime or random theft, it’s a sophisticated and persistent attack, often by groups of highly skilled hackers for serious financial gain or the wholesale gathering of IP or customer data.
How does Spear Phishing work in practice?
Emails are sent from an apparently trustworthy source often a website with a large membership, such as Amazon, Paypal or Gmail. By limiting the number of targets, it's easier for hackers to include personal information gleaned from LinkedIn, Facebook and Twitter in the email. Piecing together this personal information is how hackers make a malicious email seem more trustworthy.
Typically, the target of Spear Phishing will be an individual with high-level authority and access such as a Sys Admin, CEO or CFO.
The message in the email may urge the victim to change their passwords to enhance security. However, they are actually being steered toward to bogus websites full of malware or ones which capture their credentials when entered.
Either way, the initial slip-up is all cybercriminals need to gain access to the victim’s networks and begin stealing the data they are after.
Real-life examples of successful Spear Phishing attacks
• In 2015, Ubiquiti Network’s finance department was targeted. Fraudsters tricked employees into believing that Senior execs were instructing them to transfer $40+ million in funds from a Hong Kong subsidiary to a third party, but the reality the third party accounts all belonged to the fraudsters.
• In 2011, Epsilon suffered a massive data breach. Employees responsible for email were targeted with emails that mentioned them by name, a link then took them to a malicious site where malware was downloaded onto their system. The breach wasn’t discovered for at least four months and led to data on 5 Million of their clients being breached.
How to protect yourself - Tips for individuals
Hover over the link before you click on to double check where the URL is taking you.
Don’t open suspicious attachments to e-mails especially if the sender is unknown.
Enable your browsers built-in phishing filter to help prevent the emails from being directly delivered to your inbox in the first place.
Be wary of e-mails that just don’t have the right tone or sound off out of the blue requests from colleagues or clients or bank requesting PII such as usernames or DOB over e-mail.
How to reduce the risk - Tips for businesses
Any IT system or network is only as secure as its users make it. Employees must be trained in Security awareness because they are the first line of defence against spear phishing attacks.
Educate employees not to open emails from sources they don’t know
Teach employees not to click on links or download attachments
Encourage employees to be conscious of how much information is shared online and on social media so they are less likely to fall victim to identity theft.
Institute a cycle of continuous awareness training
Choose a CREST Certified penetration testing company to run social engineering testing on your staff to see how they hold up against attacks in the real world