What Is a Spear Phishing Attack? Definition, Process, and Prevention Best Practices

Spear phishing is the act of extracting sensitive information or money from a specific target using personalized, authentic-looking emails.

Last Updated: October 13, 2021

Spear phishing is defined as a form of phishing wherein attackers research specific targets and use the acquired information to forge authentic-looking emails. Any engagement with these emails might result in loss of sensitive data, malware downloads, or financial loss for the target. This article introduces you to spear phishing, how it works, and best practices to prevent spear phishing attacks in 2021.

What Is Spear Phishing?

Spear phishing is a form of phishing wherein attackers research specific targets and use the acquired information to forge authentic-looking emails. Any engagement with these emails might result in loss of sensitive data, malware downloads, or financial loss for the target.

Phishing is the fraudulent practice of impersonating a trustworthy party to collect sensitive information from unsuspecting victims. This is done by spoofing emails, voice calls, text messages, websites, or even Wi-Fi connections to make them look authentic. The first case of phishing was officially recorded in 1996. Since then, methods and modes of phishing have grown in parallel with the sophistication of everyday technology required to run an organization. 

Common types of phishing include:

    1. Email phishing is the most common type of phishing, in which attackers register a fake domain and send generic but genuine-looking emails in bulk to a large number of potential victims.
    2. Smishing targets victims via SMS and instant messaging applications.
    3. Vishing uses voice calls, in which attackers most often pose as credit card or insurance officials.
    4. Search engine phishing, also known as SEO poisoning, involves creating mockups of legitimate e-commerce or banking websites and working to make them appear at the top of search results. Unsuspecting victims click on these search results and feed data to fake websites.
    5. Spear phishing is email-based, with hackers sending customized, individual emails to chosen targets.
    6. Whaling is phishing in which the target is typically a high-ranking executive who is privy to confidential organizational information.
    7. Angler phishing is a very specific type of phishing in which hackers select their victims from consumers who complain about specific services on social media and pose as customer service representatives.

Why do organizations need to be aware of spear phishing?

It is easy to ignore spear phishing as a threat, citing that it will probably never happen to ‘smart’ employees or bypass existing security filters. But spear phishing attacks are extremely subtle, and so much effort is put in to make them look legitimate that humans cannot be blamed for falling prey. 

If someone within the organization does fall prey, it might lead to:

    1. Loss of data: A well-organized attack can result in the loss of important user data or organizational data.
    2. Compliance-related issues: Regulations such as HIPAA and PCI DSS require organizations to securely collect, handle, and store user data. Erroneously handing over data to scammers can lead to compliance auditing and lawsuits.
    3. Lowering the brand’s reputation: Consumers tend to distrust organizations that are perceived as mishandling personal data, especially if done through human error.
    4. Bringing the system down: Spear phishing attacks have been known to bring down entire systems by compromising just one email account in the organization. No matter how robust the security system may be, email remains the easiest entry point for external actors into an organization’s infrastructure.

A real-world example of how much devastation a spear phishing attack can cause is the 2014 attack on Sony Pictures. Using an initial flurry of phishing emails loaded with malware, attackers gained access to Sony’s networks. They used this coup to covertly collect information that formed the basis of an effective spear phishing attack. Emails were sent to specific targets pretending to be from Google, Facebook, and even recruiters from high-profile companies. At least one of these emails worked, causing the malware to give system access to the attackers. 

The perpetrators then launched an overt attack by overwriting vast amounts of data. Hard drives and master boot records of computers and servers were erased, rendering them all useless. The aftermath of this attack lasted for months. Salaries of around 6,000 Sony employees were leaked, along with scripts and copies of unreleased movies. Compromising emails of top executives were also leaked. 

Sony Pictures had to issue a data breach notification to employees whose personal details, including medical information, had been stolen. This led to a class-action lawsuit being filed by employees. Since servers were unrecoverable, forensic analysis of the attack wasn’t completely possible either, which means that the actual extent of damage is still unknown.

Spear Phishing Process: How It Works

To prevent spear phishing attacks, it is important to know how they actually work. Let’s understand the steps involved in a spear phishing attack.

1. Find the target’s email address

Since spear phishing attacks operate through email, the email addresses of potential targets are crucial. Hackers comb through publicly available information about potential targets to obtain them.

Because corporate email accounts are protected by content filtering software, personal email addresses are also sought after. If a phishing email reaches a personal account that is used from within the company’s network, the hackers have succeeded in carrying out the attack. In many cases, email addresses are obtained from an older data breach.

2. Set up shop with legitimate IP addresses for email domains

The easiest red flags to spot a phishing email are in the sender’s email address itself. Invalid-sounding email addresses will be filtered by the organization’s email filtering systems. To avoid this, phishers usually use legitimate-looking domain addresses. 

For example, if the attackers are trying to mimic PayPal, they might use an email address that looks like [email protected] (with a capital I in place of the lowercase l). Some hackers also swap letters in the domain for similar-looking characters from another alphabet, which produce a different Unicode sequence. For example, the Latin letter T can be replaced by the Greek capital letter Tau, and the domain the attackers register is the Unicode (internationalized) version of this look-alike name.

Some hackers take the time to build the reputation of an IP address, and subsequently, the email domain, with genuine traffic and valid emails. This buys them time and reliability to avoid deny lists. 

Another mode of operation for hackers is to block connections from IP ranges that belong to big tech firms, security companies such as Symantec, and even those used by popular universities, so that their phishing infrastructure is not examined by those organizations. In most cases, hackers register and groom multiple domains so that when one is flagged, another one is ready to take over.
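The look-alike tricks described above (a capital I for a lowercase l, a Greek Tau for a Latin T, a Unicode domain registered in Punycode form) can be checked for mechanically on the receiving side. The Python below is an added example, not code from the original article: it decodes Punycode labels, folds a small constructed table of confusable characters into an ASCII skeleton, and flags sender domains whose skeleton collides with a protected domain. The protected-domain list and the confusables table are constructed for illustration.

```python
import unicodedata

# Constructed list of domains the organisation wants to protect from
# impersonation (PayPal is the brand named above; the second entry is made up).
PROTECTED_DOMAINS = {"paypal.com", "trusted-vendor.example"}

# Visually confusable characters folded to a canonical ASCII form. Covers the two
# tricks described above (capital I for lowercase l, Greek Tau for T) plus a few
# common Cyrillic look-alikes; constructed and deliberately not exhaustive.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u03a4": "T", "\u03c4": "t",                 # Greek capital / small Tau
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic er, es, ha
}


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so the domain is analysed as the reader sees it."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already non-ASCII (or malformed): analyse as-is


def skeleton(domain: str) -> str:
    """Fold confusables, normalise and lowercase so look-alike names collapse together."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    return unicodedata.normalize("NFKC", folded).lower()


def foreign_scripts(domain: str) -> set:
    """Scripts other than Latin that contribute letters to the domain."""
    found = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()}
    return found - {"LATIN"}


def analyse_sender_domain(sender_domain: str) -> dict:
    """Report whether a sender domain visually impersonates a protected domain."""
    shown = to_unicode(sender_domain)
    sk = skeleton(shown)
    lookalike_of = next(
        (b for b in sorted(PROTECTED_DOMAINS) if shown.lower() != b and sk == skeleton(b)),
        None,
    )
    scripts = foreign_scripts(shown)
    return {
        "displayed_as": shown,
        "punycode": shown != sender_domain,
        "foreign_scripts": sorted(scripts),
        "lookalike_of": lookalike_of,
        "suspicious": lookalike_of is not None or bool(scripts),
    }


if __name__ == "__main__":
    for d in ("paypal.com", "paypaI.com", "p\u0430ypal.com", "\u03a4rusted-vendor.example"):
        print(d, "->", analyse_sender_domain(d))
```

A mail gateway rule would quarantine or tag any message whose From domain comes back `suspicious`, while the genuine `paypal.com` (in any letter case) passes.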

3. Scour the internet for personalization

As discussed, spear phishing differs from regular phishing by the amount of personalization put into the email content. This means using the right context, for instance, using the correct vendor’s or service’s name or details of an upcoming travel plan. This is done by harvesting individual information from social media, company information such as processes and suppliers from its website, and other information from press releases. 

The Dark Web is teeming with personal data, and some services gather data about targets at scale for spear phishing attackers to use. The more contextual an email is, the higher the chances of the attack succeeding. This is what makes spear phishing more dangerous than generic phishing.

4. Create a sense of urgency in the communication

Spear phishing works well because it exploits both tech controls and human psychology. The main goal of a spear phishing attack is to make the victim act on something. This is best achieved by creating a sense of urgency that forces the victim to click a link or download a file. 

Urgency is most often heightened by appealing to:

a) Fear: Most phishing emails are designed to instill fear regarding the consequences of inaction. For example, hackers may pose as a supplier and say that you will not be receiving your next shipment unless you update specific details. These emails threaten the loss of critical data, suspension of crucial services, or a dire personal consequence.

b) Sympathy: Some spear phishing attackers count on the human emotion of sympathy to create an action. For example, in 2013, the FBI warned people of a spear phishing scam in which the National Center for Missing and Exploited Children appeared to be sending emails with the subject line “Search for missing children”. These emails contained three malicious attachments.

Once the basic emotion has been established, these emails urge the victim to break company policy and do something out of the ordinary. One example is resetting credentials through a standalone link instead of through the actual portal. Others break business protocol, for example, an email from a top executive asking for a vendor’s payment to be fast-tracked. Words such as ‘immediately’ and ‘ASAP’ are commonly used in such cases to highlight the urgency of the matter.

Common types of spear phishing emails mimic those sent by: 

a) Government: These can be emails about insurance or healthcare or from any federal government department.

b) Suppliers and vendors: Emails from organizations that the target does daily business with. For example, ‘your payment has failed, and we’re withholding our services’, or ‘you may lose critical data if action is not taken’.

c) Friends and colleagues: These include emails purportedly sent by colleagues who are traveling for work, claiming that their passport and money have been stolen.

d) Banks: The most common phishing emails appear to come from banks and other financial service providers.

e) Tax department: Since all enterprise employees pay taxes, this is an easy ruse. Emails typically announce eligibility for a tax refund or something similar.

f) Security administrators: These emails are along the lines of ‘we are doing a security audit and would like to verify your account’.

5. Execute the actual attack

The actual attack might be inserting malware or collecting sensitive information. The sophistication of the technology used by spear phishers can vary based on the motive for the attack. This could mean anything from an attachment to a spoofed website.

Most of the setup is done with the help of phishing kits. These phishing kits are the web or backend components required to complete the scam. A basic service offered by phishing kits is mirroring legitimate websites using basic scripting languages.

Phishing kits live on compromised web servers or temporary servers set up just for these attacks. They take care of setting up the email domains and the final landing page, if necessary. The dark web offers various phishing kits, with the most advanced ones having automated email personalization features.

As you can see, spear phishing essentially works by identifying the targets, hooking the targets by playing on their emotions, urging them to take a particular action, and then executing the intended attack.

Top 8 Spear Phishing Prevention Best Practices for 2021

Phishing campaigns are best combated with a combination of human and tech controls. Here are eight best practices to prevent spear phishing attacks in 2021.

1. Train your employees

A spear phishing attack’s success mostly depends on how the target employee reacts. This means that employees need to be trained to spot deliberately doctored emails. One way of training employees is to call for manual intervention, especially when it comes to critical operations. 

A manual intervention uses a second mode of communication to confirm the contents of the email. For example, if a high-ranking executive asks for payroll information, call that person to confirm the same. If a supplier emails about an issue, call to confirm the steps required for resolution.  

Employees must also be taught to look for subtle differences in emails, such as the email address itself and language issues. For instance, the signature of the sender may be different from what the real user usually sends. Unusual attachments are a big no.

Other safe habits include logging into the portal directly to look for warnings instead of clicking a password reset link in the email, typing the website address manually, and so on. Employees must also be warned about the type of content they post online, indicating what sort of information can be used against them.

2. Follow good password hygiene

All account passwords, starting from email to service-specific accounts, must be strong (a combination of letters, symbols, and numbers) and changed at regular intervals. Passwords must never be stored in a publicly accessible, non-encrypted environment. They must not be shared with other employees in the same role, even if it eases the workflow. 

This is where identity and access management (IAM) solutions come in. A privileged access management (PAM) system strengthens the organization against any premeditated phishing attack.

3. Run phishing simulation tests

Phishing simulation tests are actual phishing campaigns carried out internally by the organization to gauge security and employee response. It is a sort of training to increase user awareness by sending actual, deceptive emails. 

Simulated phishing tests reduce the organization’s susceptibility to social engineering attacks. Phishing simulation tests help identify any holes in business policies, escalations, and communication plans, as well as potentially vulnerable assets.

4. Use multi-factor authentication (MFA)

Multi-factor authentication uses more than just the traditional username-password authentication process to allow access to a specific asset, operation, or service. One widely used example of MFA is time-based one-time passwords (OTPs) to validate bank transactions. If critical functions have MFA in place, a phished password alone will not expose important data. 

The attacker will need access to the user’s phone too. MFA doesn’t necessarily have to use phone-based second-level authentication. Other levels of authentication can include biometrics such as fingerprint scanning or facial recognition, physical key tokens, and software-generated tokens.

5. Set up multiple levels of security controls

An organization’s security controls should not let duplicitous emails in through the spam filters in the first place. This means having a good content filtering system that filters all traffic coming in and going out of the company’s network. Individual devices must also be equipped with anti-phishing and anti-virus software. Malware detection and removal programs are important too. 

If hackers succeed in bypassing these measures, the acquired information must not allow for easy data theft. This is where the IAM and PAM controls mentioned earlier come in. Data loss prevention software must be installed to prevent unauthorized access to critical data.

6. Establish secure business protocols

Security personnel need to be involved while creating business policies in the first place. They can help spot potential vulnerabilities in critical operations. Documented steps must be available for employees if an unexpected payment is to be made to a supplier. This process must include confirmation with the supplier or higher executive. Payment processes must involve multiple people with various steps of authorization. When an appropriate number of people are involved, phishing attacks tend to be less successful. 

7. Use email signature certificates

Email signature certificates allow users to digitally sign their emails using a certificate issued by a third-party certificate authority. This allows for foolproof verification of the sender. It also allows all email content to be encrypted, so that an intercepted message cannot be read. Without access to the certificate, hackers may not be able to mimic high-level employees.

8. Outline a communication plan

Every employee in the organization, including the CEO, must be aware of the escalation plan if they come across suspicious-looking emails. This would help thwart an organized attack in which multiple employees have received individual spear phishing emails. 

Most spear phishing attacks triumph simply because, out of ten targeted individuals, just one person falls prey to the attack. Security teams also need a communication plan for swiftly circulating the details of phishing emails across the organization.

Takeaway

Symantec’s 2018 Internet Security Threat Report (ISTR) stated that spear phishing is the preferred vector of attack. It was employed by 71% of organized criminal hacking groups in 2017. The amount of personal data available on the internet is increasing by the day, giving spear phishers the ammunition to craft increasingly subtle attacks. 

Organizations need to arm themselves and their employees with regular training and tested security solutions. If there is one thing that the Sony Pictures attack taught the world, it is that spear phishing emails have the potential to bring an entire organization to a grinding halt.  

Did this article help you understand spear phishing and how you can best prevent it? Tell us on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Ramya Mohanakrishnan
Ramya is an IT specialist who has worked in the startup industry for more than a decade. She has coded, architected, and is now writing about technology that shapes the world. She is an Information Systems graduate from BITS Pilani, one of India’s top universities for science and technological research. Her expertise in the industry has been fueled by stints in large corporations such as Goldman Sachs. She currently develops technology content for startups and tech communities. Her niches include cloud, security, data, and business continuity.