You’ve probably heard the term phishing thrown around during your annual security awareness training. As its homophone implies, phishing works much like the relaxing pastime of actual fishing: a hook is dressed up with a tempting morsel in the hope that an unsuspecting fish will happen along and bite. For businesses, though, it is a growing and persistent problem.
ProofPoint’s “State of the Phish 2022” report found that “According to respondents the 2021 threat landscape was more active than 2020. Reports of phishing attacks were up across the board. Indiscriminate ‘bulk’ phishing attacks rose 12% year over year.”
Just as traditional fishing has many techniques and modalities, such as net fishing, fly fishing and so on, criminal phishing comes in many variations.
Spear phishing is one such technique that, like its physical namesake, is more selective and targeted than throwing out bait and waiting for any random fish to come along.
Spear phishing selects its target purposefully, whether that is an individual or a chosen group of individuals, such as a company manager or executive, or the junior hires in the finance department. The aim of such a targeted attack is to craft customized messaging that ‘personalizes’ the ruse and strengthens the target’s trust in the communication. The end game is getting the individual or group to take a specific action that leads to a breach of sensitive information, unauthorized access to one or more devices, or an unwitting financial payout to the criminal organization.
Specific to spear phishing, ProofPoint further found that “...increases in targeted attacks were even higher: reports of spear phishing/whaling and business email compromise - which includes payroll redirect and supplier invoicing fraud - were up 20% and 18%, respectively.”
Microsoft reports that “Spear phishing techniques are used in 91% of attacks”. This type of attack works, and it is a threat every business needs to keep in mind when educating itself and its employees.
As indicated previously, the top-level difference between spear phishing and a regular ‘run of the mill’ phishing campaign maps onto different fishing tactics. Fishing with a cast net goes for volume and simply catches whoever happens to be swimming by. There is no specific target in mind, as long as the (criminal) fisherman catches something in the net.
Spear phishing, by contrast, is like a fisherman who identifies one specific target to the exclusion of all other fish, then waits, watches and tracks the prey until the moment to act (release the spear). Much preparation precedes the actual spear phishing attempt.
The cyber criminal learns about the victim(s) and researches important details through open-source intelligence, such as social media, then uses them to craft a convincing attack that manipulates (social engineers) the victims into disclosing confidential information, changing important details such as payment instructions, downloading malware or unwittingly approving payments to the criminal organization.
A few differences between regular phishing and spear phishing tactics:

| Regular Phishing Tactics | Spear Phishing Tactics |
| --- | --- |
| No specific target; focuses on casting a wide net, the more volume the better. | Personalized attack that targets a specific individual or group of individuals. |
| Little, if any, research is done to learn about the victims; it is more of a “spray and pray” approach. | Detailed research is done beforehand to understand the target and build an effective attack. |
| Generic, random messaging is used, such as “Blow out sale!” or “Account closure!” | Messaging impersonates a trusted contact, using facts learned in the research stage. |
| Attacks typically look like spam/bulk mail, and many of them get filtered by email providers. | Sophisticated attacks, planned out and designed to evade technical detection. |
| Usually only one channel of communication is used (email only or phone only). | Several channels of communication are used (for example email plus a phone call) to lend legitimacy. |
Because a spear phishing message is so personalized, it is much harder to defend against with technology alone than the mass campaigns that make up general phishing.
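Harder does not mean impossible: even a carefully personalized message still has to arrive with sender headers, and a few mechanical checks on those headers catch the most common ways an attacker impersonates a trusted contact (the “Messaging impersonates a trusted contact” row above, and the lookalike partner website used in the Katzenberg exercise later on this page). The script below is an added example, not part of the original article or of any vendor product. The company name, executive list, domains and the four sample messages are constructed for illustration; the checks themselves (display-name impersonation from an external domain, lookalike sender domains, and a Reply-To that points somewhere other than the From domain) are standard gateway heuristics.

```python
"""Header checks for spear-phishing indicators (added example, not from the article).

Flags three signals that a mail gateway or mailbox rule can still test even when
the body of the message is perfectly tailored to the victim:
  1. display-name impersonation: a known internal name used by an external sender
  2. lookalike sender domain: close edit distance to our own or a partner's domain
     after folding common character swaps (0/o, 1/l, rn/m, vv/w, accents)
  3. Reply-To pointing at a different domain than From
All organisation data and sample messages below are hypothetical.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed organisation data (constructed for the example).
OUR_DOMAIN = "examplecorp.com"
TRUSTED_DOMAINS = {OUR_DOMAIN, "partner-agency.com"}
EXECUTIVES = {"jane doe", "rick chen"}  # display names attackers like to borrow


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold the lookalike substitutions attackers rely on so they compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for bad, good in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        folded = folded.replace(bad, good)
    return folded


def is_lookalike(domain: str) -> bool:
    """True if an untrusted domain sits within two edits of a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalize_domain(domain)
    # Both sides are normalized so the rn->m fold does not penalise real domains.
    return any(edit_distance(norm, normalize_domain(t)) <= 2 for t in TRUSTED_DOMAINS)


def analyze(raw_message: str) -> list:
    """Return the list of indicator names triggered by one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    if from_name.strip().lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        flags.append("display-name-impersonation")
    if is_lookalike(from_domain):
        flags.append("lookalike-domain")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages: one legitimate, three impersonation attempts.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@examplecorp.com>\nTo: donna@examplecorp.com\n"
             "Subject: Q3 deck\n\nDonna, can you send me the latest deck?\n",
    "ceo_freemail": "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
                    "Reply-To: Jane Doe <jdoe.urgent@outlook.com>\nTo: donna@examplecorp.com\n"
                    "Subject: Urgent - need this today\n\nI'm in a meeting, buy the gift cards.\n",
    "digit_lookalike": "From: Accounts Payable <ap@examp1ecorp.com>\nTo: donna@examplecorp.com\n"
                       "Subject: Updated banking details\n\nPlease update our remittance account.\n",
    "partner_tld": "From: Sam Vendor <sam@partner-agency.co>\nTo: donna@examplecorp.com\n"
                   "Subject: Invoice 4471\n\nLogin to our portal to approve the attached invoice.\n",
}


def scan_samples() -> dict:
    """Run every constructed sample through analyze() and collect the flags."""
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(f"{name:16s} {flags or 'clean'}")
```

These checks are deliberately cheap so they can run on every inbound message; a real deployment would also add the company's actual vendors to the trusted set and route hits to a quarantine or a banner rather than blocking outright, since an executive really can write from a personal address.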
Check out the brief walkthrough below of how Donna’s work account (she works in marketing) was compromised by someone posing as an executive at her company. The attacker chose a name she would recognize but did not report to directly. This example matters because it isn’t always the ‘obvious’ departments that get targeted: anyone can be used as a means to an end in the attacker’s larger plan, so every team member needs training to recognize unusual communication and to know which protocols to follow.
If spear phishing is a targeted attack, whaling is much the same except that the target is a very high-profile executive (e.g. a CEO), a high-net-worth individual or a celebrity. The bigger the fish, the more elaborate and sophisticated the attack; it requires even more research and planning to execute a successful phish.
While the tactics may be more involved, the end goal is the same: cyber criminals trying to elicit private information or data, get a payout, or install malware for further attacks. To put into perspective how lucrative whaling is, PurpleSec’s 2021 Cyber Security Trends report called CEO fraud a “$12 billion dollar scam.”
A live hack of billionaire Jeffrey Katzenberg, co-founder and former CEO of Dreamworks, was performed recently (with permission!) to illustrate the step-by-step process and show how anyone, even someone with a seemingly small digital footprint, can be a target.
Now that we have a better idea of what spear phishing is, let’s break down how it works so that you can better identify attempts against your business.
Essentially, the process is:
1 - Identify the target
2 - Gather information on the target (Find the data)
3 - Create a credible campaign (Use the data)
Firstly, attackers need to identify the specific target for a spear phishing attack. For a given company, they may map out who the key authority figures or managers are and then work outward to find the broader network of people the target interacts with, perhaps in the same department and/or through personal connections. Alternatively, attackers may research who the service providers are for a company or department and build their impersonated identity around one of them.
Part of the research includes data that’s publicly available (aka OSINT - Open Source Intelligence) such as press releases, company social channels, and news articles to identify key stakeholders.
From there, they dig into these identities, using information from data breaches and data brokerage sites to obtain contact details for the attack. They also scour the social media accounts of these connections for any further insight that helps them build a persona convincing enough to impersonate one of them.
Along with personnel data, attackers look at the devices the targets use and determine what existing vulnerabilities might be exploited. In Jeffrey Katzenberg’s case, they discovered his laptop had not been updated with the most recent security patch, so his computer was still exposed to a particular known vulnerability.
All that was left was to set up a lookalike website for a company Jeffrey’s organization worked with, together with the impersonated colleague who would point him to it. This fake site was used to get Jeffrey to click a link that would open his computer up to having sensitive data stolen from any site he was logged into. Yikes!
Now all that is left is to go live with the phish and get a bite. Armed with details familiar to the target, such as names, email addresses and even knowledge of previous engagements (all obtained in the research phase), the criminals engage the target through various forms of communication.
Returning to the Katzenberg example, the ethical hacker both made a phone call and sent an email posing as a trusted colleague of Katzenberg’s. The call and the email presented an urgent situation requiring Jeffrey’s immediate action, and because the communication appeared to come from a trusted individual, he took the requested action (clicking the link he was sent), which, without his knowledge, exposed much of his personal information.
Thankfully, in Jeffrey Katzenberg’s case this was done for educational purposes by ethical professionals, but it is a great case study for understanding how even someone careful to keep a low digital profile can be socially engineered through a well-targeted spear phishing attack.
So how can we make stronger habits to keep our distracted brains in check to prevent falling for a spear phishing attack?
All the basic red flags for a regular phishing attack still apply:
Spear phishing is such a personalized type of attack that standard technology protections do not easily defend against it. One of the best methods of defense against these targeted attacks within your company is to ensure your company employees are educated and engaged in regular security awareness training. Building a company that cultivates a positive culture of security greatly reduces a business’s risk when everyone commits to implementing good online hygiene practices on a regular basis.
If you’re not sure how to start, Wizer’s short and to the point security awareness videos help train your team for free while making the information relevant and easy-to-understand.
Additional resources to help prevent Spear Phishing and other Online Attacks:
Fundamentals of Security Awareness Training Webinar
Guides to Implementing a Security Awareness Training Program
How Government is Supporting Secure Teleworking (Work from Home)