Spear Phishing: Targeted Deception in the Digital Age
Phishing is a form of social engineering threat in which the phisher uses deception, coercion, and psychological manipulation to get users to do what the attacker wants. In general, this includes clicking on a link to a malicious site, installing malware on their computer, or sending money to an attacker.
Spear phishing is a very targeted form of phishing in which the attacker tailors the pretext used in the attack to an individual or small group. This targeted approach increases the attack’s probability of success and is commonly used in attacks against a particular organization.
This article explores the spear phishing threat, including common techniques, mitigation best practices, and the threat that spear phishing poses to various organizations and individuals.
What is Spear Phishing?
Spear phishing attacks are targeted social engineering attacks. Instead of using a pretext that could apply to a range of people – and is more identifiable as a phishing attempt – spear phishing uses a pretext personalized to an individual.
For example, consider the case where an attacker wants to gain access to an organization’s financial information. An attacker might research the company and identify an individual within the company’s financial department that handles invoices from suppliers. The attacker could then craft a spear phishing email claiming to be an invoice from a vendor that actually includes an attachment that is infected with malware.
Spear Phishing vs Phishing
Spear phishing is a form of phishing attack. The primary difference between them is the level of personalization applied to the pretext used in the attack.
Most general phishing attacks use a pretext that could apply to a wide range of potential victims. For example, they may claim that an issue exists with a user’s account at a major bank or a service provider such as Netflix or Amazon. These types of phishing messages can be spammed to many targets. They often have a low probability of success, but the scale of the attack means that the attacker will have some level of success.
A spear phishing attack, on the other hand, is only intended for a small group of potential targets and is personalized to them. This type of attack requires more research and is focused on quality over quantity. Since the pretext is more believable, these attacks have a higher rate of success, which compensates for the greater difficulty of performing them and the smaller population of potential targets.
Anatomy of a Spear Phishing Attack
Spear phishing campaigns are commonly multi-stage operations. The three main steps are reconnaissance, preparation, and exploitation. Let’s dive into these steps and break down each of them.
Reconnaissance
Every spear phishing attack begins with reconnaissance and information gathering. The attacker needs to identify personal details that can be used to make their attacks more plausible and convincing to the target.
Phishers can use various sources of information to personalize their attacks. For example, social media and corporate websites are common targets and are often rich sources of information about a person’s role in a company, potential projects, or their personal life. Cybercriminals will mine these and similar public resources for information to use in their attack.
Preparation
Once an attacker has collected enough personal details, they craft their spear phishing email or other message. These are designed to induce the recipient to perform some action and often attempt to create a sense of urgency in the target by claiming that something has gone wrong or needs to be done immediately.
The method that an attacker uses to do this might depend on the goal of the attack. For example, if an attacker is trying to install malware on a target’s computer, they may send an email with an infected attachment. In this case, the pretext could be that the document is an unpaid invoice, CV for an aspiring employee, or other file that the recipient is likely to open.
On the other hand, if the attacker wants to steal login credentials, the attacker may pretend that something is wrong with one of the employee’s online accounts. These emails could pretend to come from a Software as a Service (SaaS) provider, website, or the company IT team. The goal in this case would be for the user to click a link and enter their credentials into the attacker’s site.
Exploitation
Once the attacker has crafted their phishing email, it’s time to execute the attack. Typically, this is as simple as sending the email and waiting for the user to log into the malicious page or for the malware to call back.
However, with a spear phishing attack, the attacker may perform a multi-stage attack. For example, the first email may be designed to build rapport and establish the pretext, followed by a second email containing the malicious content.
Examples of Spear Phishing Attacks
Phishing is involved in 91% of cyberattacks, and 32% of data breaches begin with a successful phishing campaign. Many of these successes are spear phishing attacks, which are more effective because they use a pretext that is tailored to the intended target.
One expensive example of a spear phishing attack is a multi-year campaign led by Evaldas Rimasauskas of Lithuania. The attackers set up a fake company and targeted Google and Facebook with fake invoice scams masquerading as one of the companies’ real vendors. Between 2013 and 2015, the attackers tricked the companies into paying $100 million into attacker-controlled accounts for services that the real vendor had actually provided.
Why Targeted Attacks Like Spear Phishing Are Effective
Spear phishing differs from general phishing attacks because it is more targeted. The attacker uses various personal details to make the pretext more believable for the target.
Spear phishing attacks are highly effective because they seem plausible to the target. General mass-mail phishing attacks can be obvious because their pretexts are so broad that they could apply to anyone.
Spear phishing attacks, on the other hand, are so targeted that they might only apply to a single individual. This plays into the common belief that “no one would target me for a cyberattack because I have nothing worth stealing.”
Spear phishing attacks also use psychological manipulation to make their attacks more convincing and increase their rate of success. With an understanding of human behavior, an attacker can craft a pretext that makes the user want to click a link or perform some other action.
For example, consider the following spear-phishing email.
Like many spear phishing attacks, this email is highly targeted to a particular person, including details that make it look very realistic. It mentions the name of an employee who is attending a conference and probably announced that fact on social media. It also references a particular vendor that the company uses.
The email also uses a sense of urgency to get the user to act before they have the chance to really think about the request and whether it seems legitimate. In this case, an alleged issue with the company’s payments to the vendor is intended to get the recipient to send money to a new account controlled by the attacker.
Spear Phishing Prevention and Mitigation
The threat of spear phishing attacks can be mitigated in various ways. Some best practices for managing the spear phishing threat include:
- Employee Education: Spear phishing attacks are designed to trick the recipient into doing what the attacker wants. Training employees to recognize and report these attacks can reduce an organization’s risk and enable it to more effectively identify and respond to attack campaigns.
- Separation of Duties: The principle of separation of duties states that critical or high-risk processes — such as paying vendors — should require action or approval by multiple employees. This makes spear phishing attacks harder to pull off by requiring the attacker to trick multiple people.
- Strong Authentication: Spear phishing attacks are commonly designed to steal credentials that grant access to corporate systems. Implementing multi-factor authentication (MFA) — ideally with phishing-resistant factors — makes it more difficult for an attacker to use these stolen credentials.
- Security Solutions: Cybersecurity solutions can identify and block phishing threats at various stages in their lifecycles. For example, email scanners can identify and block phishing emails, while endpoint security solutions can detect and eradicate malware infections.
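As an added illustration of the email-scanning control above (this is example code written for this article, not the article’s own material or any vendor’s product), the script below scores a constructed sample message modelled on the vendor-invoice pretext described earlier: a lookalike sender domain, a mismatched Reply-To, urgency language and a request to change payment details. The vendor domain list, the phrase lists and the two-indicator threshold are assumptions a real deployment would tune.

```python
import email
from email import policy
from difflib import SequenceMatcher

# Constructed list of the vendors this organisation actually pays (assumption, not real domains).
KNOWN_VENDOR_DOMAINS = ("acme-supplies.com", "northwind-logistics.com")
# Phrases signalling the two levers the pretext relies on: urgency and a change of payment details.
URGENCY_PHRASES = ("immediately", "urgent", "today", "before end of day", "asap")
PAYMENT_CHANGE_PHRASES = ("new account", "updated bank details", "new banking", "remit")

# Constructed sample message modelled on the vendor-invoice pretext described in the article.
SAMPLE_EMAIL = """\
From: Accounts Payable <billing@acme-supp1ies.com>
Reply-To: ap-team@mail-acme-invoices.net
Subject: URGENT: updated bank details for invoice #4471

While Mark is away at the conference this week, our finance team moved to a
new account. Please remit payment to the new banking details attached today.
"""

def lookalike_vendor(domain, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return the known vendor domain that `domain` closely resembles without matching exactly, else None."""
    for vendor in known:
        if domain != vendor and SequenceMatcher(None, domain, vendor).ratio() >= threshold:
            return vendor
    return None

def analyse(raw):
    """Parse a raw RFC 5322 message and return the list of spear-phishing indicators it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    from_domain = msg["from"].addresses[0].domain.lower()
    vendor = lookalike_vendor(from_domain)
    if vendor:
        indicators.append(f"sender domain {from_domain} resembles known vendor {vendor}")
    if msg["reply-to"] and msg["reply-to"].addresses[0].domain.lower() != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    text_part = msg.get_body(preferencelist=("plain",))
    text = ((msg["subject"] or "") + "\n" + (text_part.get_content() if text_part else "")).lower()
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgency language")
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        indicators.append("request to change payment details")
    return indicators

def is_suspicious(raw, min_indicators=2):
    """Flag a message when two or more independent indicators coincide (threshold is an assumption)."""
    return len(analyse(raw)) >= min_indicators
```

Run against the sample, `analyse` reports all four indicators, while a plain invoice from the genuine vendor domain with no urgency or banking-change language reports none.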
Spear Phishing’s Evolving Landscape
Spear phishing attacks are designed to use deception, coercion, and psychological manipulation to get the target to do the attacker’s bidding. The rise of generative AI and deepfake technology has a significant impact on the potential effectiveness of phishing attacks.
Often, phishing emails are detected by the target because they “sound wrong”. Errors in grammar and tone make a fake email stand out. With tools such as ChatGPT, spear phishers can develop much more polished emails that eliminate these errors. Additionally, generative AI can be used to refine the pretexts used in the email, enhancing grammar and wording to maximize the probability of success.
Another area where AI is helpful to phishers is deepfake technology. With deepfakes, attackers can generate convincing phone calls or videos that can be used to make spear phishing attacks seem more legitimate. For example, a spear phishing email may be followed up by a phone call by the attacker impersonating the CEO or another trusted party.
Conclusion
Spear phishing attacks can be highly effective and sophisticated cyber threats. These attacks are targeted at specific organizations or individuals, making their pretexts far more believable than general phishing attacks. The rise of generative AI and deepfakes has made these attacks more believable and effective.
Protecting against the spear phishing attack requires continuous vigilance and employee education to help overcome the deceptive tactics used by attackers. Organizations should also use email scanning solutions to block these attacks and mitigate their impacts.
One of these potential impacts is compromised user credentials, which is why passwordless solutions are becoming so important for organisations to adopt.
At Kelvin Zero, we are building trust solutions like Multi-Pass to help critical organisations do just that. Book a demo today to learn how Multi-Pass can help your organisation replace passwords with enterprise-grade, phishing-resistant passwordless authentication.