Have you ever received an email that you recognized as a scam, but it contained a lot of real details about you, your company or the purported sender? If so, you may have been the target of a spear phishing attack.
A typical phishing email is designed to look like it was sent from a legitimate company and attempts to trick users into clicking a link or providing personal information: for example, a fake Amazon email that asks users to enter their Amazon password to verify a large purchase. These messages are not personalized and can be blasted to many potential victims at once in the hope that a few will take the bait.
A spear phishing attack is not mass emailed; it is targeted at a specific individual. Spear phishing emails contain personalized details to further the illusion that the message comes from a trusted source. For example, a spear phishing email may name-drop a high-level executive at the company to make the request seem more urgent: “John [CEO] needs this wire transfer to be sent before 2 PM today.” In some cases, the cybercriminals take it a step further and impersonate the executive directly.
To create a convincing spear phishing email, cybercriminals have to lay the groundwork ahead of time.
First, they identify a target based on what they are trying to achieve. For example, if they are after a big payout from a company, they may check the company’s About Us page to find out who does the Accounts Payable. If they want to access a network, they may check LinkedIn to target someone in the company’s IT department.
Once a target has been identified, they conduct further research to glean the details they need to make an email seem believable. They may get this information from the target’s social media profiles, the company’s website, or public records. These sources can reveal the target’s geographic location, contact info, friends, interests, recent purchases, and favorite hangouts. In some cases, the cybercriminal may already have access to the target’s mailbox from a previous breach. From there, they can lie low and snoop for months to collect information on whom the target communicates with and how.
When ready to strike, the cybercriminal will then use these tidbits of gathered information to craft an authentic looking email. If the target is not vigilant, they may be fooled by the familiar details and do whatever the cybercriminal asks them to, whether that is providing their sensitive information, opening an infected file, or sending funds to a fraudulent account.
Here is an example of an actual spear phishing email that one of our clients received. While the company and individuals’ names have been altered for privacy, the method of attack and the language of the emails is unchanged.
The cybercriminals clearly did their homework. They knew exactly whom to target. They knew the names of the decision makers to impersonate to try to spur the target into action. They obtained a domain name with two letters transposed, which at first glance could easily be missed by anyone who wasn’t paying attention. This could have been a very costly mistake for the company if “Victoria” had not been trained to look for red flags.
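The transposed-letter domain described above is mechanically detectable: every domain that is one adjacent-character swap away from a domain you trust can be enumerated up front and compared against the sender of each incoming message. The following is an added example, not code from the original article or from AllSafe IT; the trusted domains, executive names and the From: headers it scans are constructed for illustration, and it assumes simple two-label domains (name.tld) rather than multi-part suffixes such as .co.uk.

```python
"""Flag sender domains that are one adjacent-letter transposition away from a
trusted domain (the trick in the article: e.g. 'nortwhind' for 'northwind'),
plus the related trick of a trusted display name on an untrusted address.

Added example; the trusted domains, executive names and sample headers are
constructed for illustration and are not taken from the original page."""
from email.utils import parseaddr
from typing import List, Optional, Set, Tuple

# Constructed: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS: Set[str] = {"northwind-corp.com", "contoso-vendor.com"}
# Constructed: display names that attackers would want to impersonate.
KNOWN_EXECUTIVES: Set[str] = {"john smith", "victoria lee"}


def transpositions(label: str) -> Set[str]:
    """All strings obtained by swapping one pair of adjacent characters."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:  # swapping identical chars changes nothing
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def lookalikes(domain: str) -> Set[str]:
    """Transposition variants of the name part; the TLD is left unchanged.
    Assumes a two-label domain such as name.tld (stated assumption)."""
    name, _, tld = domain.rpartition(".")
    return {f"{variant}.{tld}" for variant in transpositions(name)}


def sender_parts(from_header: str) -> Tuple[str, str]:
    """Return (normalised display name, normalised domain) from a From: value."""
    display, addr = parseaddr(from_header)
    return display.strip().lower(), addr.rpartition("@")[2].strip().lower()


def classify(from_header: str,
             trusted: Set[str] = TRUSTED_DOMAINS,
             executives: Set[str] = KNOWN_EXECUTIVES) -> Tuple[str, Optional[str]]:
    """Classify a From: header.

    Returns one of:
      ('trusted', domain)            sender domain is on the trusted list
      ('lookalike', trusted_domain)  sender domain is a transposition of one
      ('display-name-spoof', name)   a known executive's name on another domain
      ('other', None)                nothing suspicious by these two checks
    """
    display, domain = sender_parts(from_header)
    if domain in trusted:
        return "trusted", domain
    for good in trusted:
        if domain in lookalikes(good):
            return "lookalike", good
    if display in executives:
        return "display-name-spoof", display
    return "other", None


# Constructed sample headers, including one transposed-domain lookalike
# ('nortwhind' for 'northwind') and one display-name impersonation.
SAMPLE_FROM_HEADERS: List[str] = [
    "Accounts Payable <ap@northwind-corp.com>",
    "John Smith <john.smith@nortwhind-corp.com>",
    "John Smith <ceo.urgent@free-mail.example>",
    "Newsletter <news@unrelated.example>",
]


def scan(headers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Run classify() over a batch of From: headers."""
    return [(h,) + classify(h) for h in headers]


if __name__ == "__main__":
    for header, verdict, detail in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:20} {detail or '':22} {header}")
```

This catches only the specific swap shown in the article (and the display-name trick from the preceding paragraphs); it does not cover homoglyphs, extra or dropped letters, or internationalised domain names, for which an edit-distance or confusables-based check would be layered on top. In practice the trusted list would also be checked against the Return-Path and the DKIM-signing domain, not just the From: header the user sees.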
The email security firm GreatHorn conducted a survey of 270 IT security professionals, and the results showed not only that spear phishing happens often, but that it is on the rise. 69% of those surveyed reported that spear phishing was a common occurrence in their organizations. This made spear phishing one of the most commonly seen types of business email compromise attack, second only to email or website spoofing.
A majority (65%) of those surveyed said that they had experienced a spear phishing attack in 2021 (the survey was conducted in May 2021). Over half (51%) said that they saw an increase in spear phishing over the last 12 months. 18% said that they received a spear phishing attack on a daily basis, while 39% said they happened weekly.
The survey also showed what types of information the cybercriminals like to use in a spear phishing attack. Most attacks name dropped a company or individual the target was familiar with; 53% used a boss or manager’s name. Cybercriminals also made reference to customer/client names (49%), departments (34%), vendors (32%), software (21%) and locations (21%). All of these details sprinkled throughout an email help create an illusion that a spear phishing message is legitimate.
Not surprisingly, the survey showed that the department most targeted by spear phishing is Finance (57%). This makes sense, as the goal of many attacks is to get the target to send a payment to a fraudulent payee. Spear phishers also like to aim directly for the head and target the CEO of a company (22%). Rounding out the top three is IT (20%), which cybercriminals favor when they are trying to infiltrate a network. Other departments such as HR and Sales also get attacked, but on a much smaller scale.
As you can see, cybercriminals go to great lengths to make their scams as believable as possible. However, there are ways to protect yourself.
AllSafe IT’s comprehensive cybersecurity services are designed to identify, assess, and manage cybersecurity risks. We have aligned with the National Institute of Standards and Technology (NIST) framework for the design of our cybersecurity solutions.