September 9, 2021

What You Need to Know About Spear Phishing

Bones Ijeoma

CEO and co-founder

Spear phishing is a personalized and targeted form of phishing that can compromise your data and devices. Find out how to recognize and prevent it.

Have you ever received an email that you recognized as a scam, but it contained a lot of real details about you, your company or the purported sender? If so, you may have been the target of a spear phishing attack.

Spear Phishing vs Phishing

A typical phishing email is designed to look like it was sent from a legitimate company and attempts to trick users into clicking a link or providing personal information. For example, a fake Amazon email might ask users to enter their Amazon password to verify a large purchase. These messages are not personalized and can be blasted to many potential victims at once in the hope that a few will take the bait.

A spear phishing attack is not mass emailed, but is targeted at a specific individual. Spear phishing emails contain specific personalized details to further the illusion that the email is from a trusted source. For example, a spear phishing email may name-drop a high-level executive at the company to make the request seem more urgent -- “John [CEO] needs this wire transfer to be sent before 2 PM today.” In some cases, the cybercriminals may take it a step further and impersonate the executive outright.

How Does Spear Phishing Work?


To create a convincing spear phishing email, cybercriminals have to lay the groundwork ahead of time.

First, they identify a target based on what they are trying to achieve. For example, if they are after a big payout from a company, they may check the company’s About Us page to find out who does the Accounts Payable. If they want to access a network, they may check LinkedIn to target someone in the company’s IT department.

Once a target has been identified, they will conduct further research to glean the details they need to make an email seem believable. They may get this information from the target’s social media profiles, the company’s website, or public records. These sources can reveal the target’s geographic location, contact info, friends, interests, recent purchases, and favorite hangouts. In some cases, the cybercriminal may already have access to the target’s mailbox from a previous breach. From there, they can lie low and snoop for months to collect info on whom the target communicates with and how.

When ready to strike, the cybercriminal will use these tidbits of gathered information to craft an authentic-looking email. If the target is not vigilant, they may be fooled by the familiar details and do whatever the cybercriminal asks, whether that is providing sensitive information, opening an infected file, or sending funds to a fraudulent account.

What Does Spear Phishing Look Like?

Here is an example of an actual spear phishing email that one of our clients received. While the company and individuals’ names have been altered for privacy, the method of attack and the language of the emails are unchanged.

Example of an actual spear phishing email
  1. The target of the spear phishing attack was “Victoria,” who did Accounts Payable for the company.
  2. The cybercriminals used the email domain “arizanorivers.com,” which closely resembled the company’s actual domain of “arizonarivers.com.”
  3. The cybercriminals knew that “Jonathan” and “Mike” were the top executives at the company and used the fake domain name to create email addresses to impersonate them.
  4. The cybercriminals knew the name of a project to reference.
  5. The cybercriminals even re-created the company’s email signatures using their logo.

The cybercriminals clearly did their homework. They knew exactly whom to target. They knew the names of the decision makers to impersonate to try to spur the target into action. They obtained a domain name with two letters transposed, which at first glance could easily be missed by anyone who wasn’t paying attention. This could have been a very costly mistake for the company if “Victoria” had not been trained to look for red flags.

How Often Does Spear Phishing Happen?

The email security firm GreatHorn conducted a survey of 270 IT security professionals and the results showed not only that spear phishing happens often, but it’s on the rise. 69% of those surveyed reported that spear phishing was a common sighting in their organizations. This made spear phishing one of the most commonly seen types of business email compromise attack, second only to email or website spoofing.

A majority (65%) of those surveyed said that they had experienced a spear phishing attack in 2021 (the survey was conducted in May 2021). Over half (51%) said that they saw an increase in spear phishing over the last 12 months. 18% said that they received a spear phishing attack on a daily basis, while 39% said they happened weekly.

How often does spear phishing happen?

The survey also showed what types of information the cybercriminals like to use in a spear phishing attack. Most attacks name dropped a company or individual the target was familiar with; 53% used a boss or manager’s name. Cybercriminals also made reference to customer/client names (49%), departments (34%), vendors (32%), software (21%) and locations (21%). All of these details sprinkled throughout an email help create an illusion that a spear phishing message is legitimate.

Not surprisingly, the survey showed that the department most targeted by spear phishing is Finance (57%). This makes sense, as the goal of many attacks is to get the target to send a payment to a fraudulent payee. Spear phishers also like to aim directly for the head and target the CEO of a company (22%). Rounding out the top 3 is IT (20%), which cybercriminals favor when they are trying to infiltrate a network. Other departments like HR, Sales, etc. also get attacked, but on a much smaller scale.

Departments most targeted by spear phishing

How Can Spear Phishing Be Prevented?

As you can see, cybercriminals go to great lengths to make their scams as believable as possible. However, there are ways to protect yourself.

  1. Start with multi-layered security like AllSafe IT’s Safe Total. Make sure you have defensive measures in place at all levels including computers, servers (including cloud servers), mobile devices, wireless access points, and firewalls. You wouldn’t lock your door but leave all your windows open, and the same goes for your technology.
  2. Safeguard your details. The less cybercriminals can learn about the inner workings of your company, the less they can use against you. Use web forms on company websites instead of publishing email addresses. Advise your users not to overshare their personal details on social media.
  3. Scan for compromised credentials. Have your IT provider set up dark web scanning so you can quickly neutralize any compromised accounts and prevent them from becoming an entry point.
  4. Be suspicious of unusual or significant requests. Double-check domain names, hover over links before clicking, and look out for bad spelling and grammar. These are all signs that an email may not be legitimate.
  5. Pick up the phone. If in doubt, pick up the phone and call the alleged sender to verify if they actually sent the request. Just make sure to use a phone number you trust and not a number listed in the email.
  6. Train your users to recognize and avoid spear phishing attempts as well as other threats. A good security awareness training program will not only educate users, but also send simulated phishing attacks to test their knowledge.
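The domain check in step 4 and the lookalike domain from the example above (“arizanorivers.com” standing in for “arizonarivers.com”) can be automated on the receiving side. The script below is an added example written for this article, not code from AllSafe IT: it parses a From: header, measures how far the sender’s domain is from the company’s trusted domain using optimal-string-alignment edit distance (substitutions, insertions, deletions and adjacent swaps each cost one), and also flags a display name that matches a known executive but arrives from a domain the company does not own. The trusted domain and the executive names are taken from the article; the sample headers are constructed for the demonstration. Note that in the article’s lookalike the “o” and “a” are swapped around the “n”, which this metric scores as two substitutions, so the threshold is set to two edits.

```python
from email.utils import parseaddr

# Constructed reference data for the example: the company's real domain and the
# executives named in the article. A real deployment would load these from
# the mail gateway's configuration rather than hard-code them.
TRUSTED_DOMAINS = {"arizonarivers.com"}
KNOWN_EXECUTIVES = {"jonathan": "arizonarivers.com", "mike": "arizonarivers.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b (case-insensitive).

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'ab' vs 'ba' scores 1 while 'arizona' vs 'arizano' scores 2.
    """
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_parts(from_header: str):
    """Split a From: header into (display name, lowercase domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return a list of red-flag strings for a From: header; empty means nothing suspicious.

    Only an exact match against a trusted domain is accepted as internal mail;
    anything within max_distance edits of a trusted domain is reported as a lookalike.
    """
    name, domain = sender_parts(from_header)
    flags = []
    if not domain:
        flags.append("no parseable sender address")
        return flags
    if domain in trusted:
        return flags
    for good in sorted(trusted):
        dist = osa_distance(domain, good)
        if 0 < dist <= max_distance:
            flags.append(f"lookalike domain {domain!r} is {dist} edit(s) from trusted {good!r}")
    first_name = name.split()[0].lower() if name.strip() else ""
    if first_name in KNOWN_EXECUTIVES and domain != KNOWN_EXECUTIVES[first_name]:
        flags.append(f"display name {name!r} matches a known executive but domain is {domain!r}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one lookalike, one unrelated sender.
    for header in ("Jonathan <jonathan@arizonarivers.com>",
                   "Jonathan <jonathan@arizanorivers.com>",
                   "Newsletter <news@example.org>"):
        print(header, "->", check_sender(header) or "OK")
```

Running the script prints no flags for the genuine address, two flags for the lookalike (the edit-distance hit and the executive display name on a foreign domain), and nothing for the unrelated newsletter. The check is meant to feed a quarantine or banner rule at the gateway; it does not replace the phone call in step 5, because a sender who has taken over a genuine mailbox will pass every test here.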

AllSafe IT’s comprehensive cybersecurity services are designed to identify, assess, and manage cybersecurity risks. We have aligned with the National Institute of Standards and Technology (NIST) framework for the design of our cybersecurity solutions.