Spear Phishing: Risks, Impact, and Prevention with Passwordless Authentication

Introduction

Cyber attacks come in many forms. Their objectives are to breach existing systems to obtain sensitive information for malicious purposes. Spear phishing is a targeted form that involves more research in designing the target list and phishing message. As opposed to other forms of cyber attacks, spear phishing typically focuses on a small number of targets to evade automated filters. In addition, spear phishing is more sophisticated, with messages being more personal and the malicious call-to-action playing on emotions such as curiosity, fear, or rewards. The precision of these attacks is almost surgical, so addressing them is of the utmost importance.

The risk is high. Sensitive information, a business’s reputation, and financial losses are at stake. According to IBM, phishing ranks as the second most expensive cause of data breaches to companies, costing them an average of $4.65 million per breach. Passwordless authentication can prevent and avoid spear breaches. 

What is Spear Phishing

According to the US Director of National Intelligence, a “spear phishing attack is an attempt to acquire sensitive information or access a computer system by sending counterfeit messages that appear legitimate.”  Either a specific target will be the victim or a group, and often

will include information known to be of interest to the target, such as current events or financial documents. 

Spear phishing attacks come in different forms. However, the most common phishing attacks are fake websites, impersonation, malware, smishing, and vishing. 

Fake website

Cybercriminals will deceive a victim with a carefully crafted email leading them to a spoofed website and have them enter login credentials. 

Impersonation

An attacker will gain control of the profile or email account familiar to the victim, such as a colleague, supervisor, or c-suite executive. Once the attacker has control of this profile, they will ask the victim to urgently complete a task such as transferring funds, downloading an app, providing login credentials, or transmitting sensitive information. 

Malware

These attacks entail an attacker attempting to trick the victim into clicking on a malicious email attachment. Usually, this type of attack is carried out with a fake invoice or delivery notification.

Smishing

The victim is misled through an SMS or voice message that directs them to click on a link, update their account details, or change their password. The link will take them to a phishing website.

Vishing

involves the cybercriminal calling the victim and leaving a voicemail urging them to call and hand over personal information, usually by impersonating someone from a trusted company.

The dangers of spear phishing are far too many, as it relies on familiarity, pressure, and misleading tactics. It can start by targeting an individual, and once the cybercriminal has duped an individual victim, they can move on to a larger group or an entire business.

The Impact of Spear Phishing Attacks

The sophistication of spear phishing has successfully led to big world-renowned companies falling victim to it, costing millions of dollars while revealing sensitive information and dinging their reputations. 

One of the most well-known successful spear phishing attacks was in November 2014 against Sony Pictures Entertainment. North Korea reportedly backed the attack in retaliation for releasing The Interview, a comedy about two Americans who assassinated North Korean leader Kim Jong Un. The hack was allegedly carried out by a group called “Guardians of the Peace.”

The hackers used phishing emails to breach Sony’s network. According to an analysis, “many top Sony executives, including Sony Pictures CEO Michael Lynton, received fake Apple ID verification emails in mid-September that contained a link to ‘ioscareteam.net.’” 

Once the victims visited the spoofed domain, they were prompted to enter verification credentials such as passwords and usernames. That is all it took for the hackers to steal login credentials and access sensitive information. Once the hackers maliciously entered Sony’s system, they leaked private information and emails to journalists that were detrimental to Sony’s reputation. Some emails revealed “name-calling,” “lying,” and harsh words against production executives and celebrities. Sony’s network was down for days, and employees had to work on whiteboards to complete their jobs.

The attack cost Sony $35M in IT repairs. The consequences were not limited to financial losses. As a result of the spear phishing attack, Sony was caught in the middle of a political storm. Hackers threatened Sony with “physical acts of terrorism” if it did not cancel the release of The Interview. Initially, Sony conceded to the hacker’s demands but relented when President Obama criticized them for the dangerous path and precedent they were setting by giving in to cybercriminals. 

Ultimately, the film was released online and in select theaters, but the damage had been done. Nevertheless, there are essential steps and precautions businesses can take to avoid spear phishing attacks. 

Passwordless Technologies: The Antidote to Preventing Phishing Attacks

The Sony Entertainment spear phishing attack and many like it have a significant vulnerability and flaw: passwords. Passwordless authentication is a login method that relies on other factors besides passwords ranging from login keys to biometric data such as a fingerprint or a facial recognition system. 

Various authentication methods are in use instead of a password-only process, each of which has advantages. One of the most known and secure is biometric authentication, which includes but is not limited to fingerprints and facial recognition. Another is cryptographic authentication, relying on a smartphone or physical security key and a FIDO server as an intermediator between the authentication process. You can read more about passwordless authentication methods here. 

Passwordless authentication methods avoid the mishaps of password-based systems by removing the main flaw—passwords—from the equation and increasing security while being more convenient and easier to use. In addition, eliminating passwords among users can improve their experience and leave virtually no room for error, which can be costly for businesses. For example, passwordless authentication could have prevented the spear phishing attack since passwords and login credentials unlocked the Sony Entertainment attack. 

Multi-Pass is a passwordless authentication method that is secure, fast, and easy to use. Its unique digital wallet runs on a highly secure biometric card. It enables secure access and keeps cryptographic keys away from easily compromised devices. Companies can issue users unique authenticators for digital identification, authentication, and authorization. Multi-Pass can remotely identify and authenticate users with NFC passwordless login. In addition, it’s capable of global interaction with third-party organizations. You can learn more about Multi-Pass and how it can address the challenges and vulnerabilities associated with password-centered authentication.

A business can adopt a passwordless, biometric-based solution where employees tap a button, swipe a card, or look at a camera and are off to work, all while keeping bad actors at bay. Moving to a passwordless system is a decision any organization of any size can make today. Finally, those who have been innovating in the space for years are ready to have a conversation about what that looks like. 

Conclusion

Spear phishing is one of the most sophisticated and dangerous cyber attacks hackers use. They are convincing, personalized, and unsuspecting. In addition, spear phishing attacks are costly financially and can damage a company’s brand and reputation. 

By eliminating the use and reliance on passwords, businesses stand to remove the primary vulnerability in handling critical information and avoid the potential loss of revenue and damage to their reputation.

If you want to discuss further how Kelvin Zero can help protect your business and sensitive information from spear phishing attacks, contact us here.