Spear phishing: definition and 6 prevention tips

by Andreea Popa | July 29, 2021 | How to

Spear phishing is a targeted attempt to steal sensitive information from a specific victim, such as account credentials or financial information, for malicious reasons.

This is accomplished by obtaining personal information about the victim, such as their connections, birthplace, employer, frequented areas, and recent internet purchases.

Attackers then use email or other forms of online chat to impersonate a trustworthy friend or entity to obtain critical information. This is the most effective method of obtaining sensitive information on the internet, accounting for 91% of all attacks.

How does spear phishing work?

  • Although spear phishing may appear to be a simple act, spear-phishing emails have become far more sophisticated in recent years and are now very difficult to detect without prior awareness of spear-phishing tactics. Attackers who use this technique, known as spear phishers, target people who post personal information on the internet. While scanning a social networking site, they may study individual profiles.
  • From a profile they can find a person’s email address, friends list, geographic location, and any recent posts about new devices. With all of this information, the attacker can pose as a friend or a familiar entity and send the target a convincing but false message.
  • The email appears to come from a reliable source, but it directs the unsuspecting recipient to a fraudulent website containing malware. These emails frequently employ deceptive strategies to capture the recipient’s attention. The FBI, for example, has warned against spear-phishing schemes posing as emails from the National Center for Missing and Exploited Children.
  • To boost success rates, these messages frequently include urgent explanations of why the sensitive information is required. Victims are instructed to open a malicious attachment or click on a link to a faked website, where they are prompted to submit passwords, account numbers, PINs, and access codes.
  • An attacker posing as a friend might ask for usernames and passwords for various websites, such as Facebook, supposedly to gain access to shared photos. In reality, the attackers will use that password, or variations of it, to gain access to other websites holding sensitive data such as credit card numbers and Social Security numbers.
  • If criminals obtain enough sensitive information, they can access bank accounts or even create a new identity using the victim’s details. Spear phishing can also trick users into downloading malware or destructive code when they click on links or open attachments offered in the messages.

Difference between phishing and spear phishing

Regular phishing campaigns go after many, generally low-yield targets, whereas spear phishing goes after specific targets with uniquely crafted emails.

Aaron Higbee, co-founder and CTO of the anti-phishing company Cofense (previously known as PhishMe), says:

“Phishing is just generic, low-tech, not targeted attacks. They don’t particularly care about who their target is. They’re just casting a wide net trying to snare as many people and as many companies as possible.”

Higbee also added: “Spear phishing is a campaign that a threat actor purposefully built to penetrate one organization, and where they will really research names and roles within a company.”

Spear Phishing

Spear-phishing attacks are more sophisticated than mass phishing operations, which typically use automated off-the-shelf kits to harvest credentials en masse through fake log-in pages for common banking or email services, or to spread ransomware or crypto-mining malware.

Some targeted campaigns use documents carrying malware, or links to credential-stealing sites, to steal sensitive information or valuable intellectual property, or to compromise payment systems. Others skip malicious payloads altogether and rely instead on social engineering to manipulate business processes, yielding a small number of large payoffs through a single bank transfer or a series of them.

The “from” field of an email is frequently faked to make it appear as if the message came from a known entity, or from a domain that looks similar to yours or to that of one of your trusted partners. For example, the letter “o” may be replaced with the digit “0,” or the letter “w” with the Cyrillic letter “ш.”
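A defender-side check for the sender tricks just described, added here as an example and not part of the original article: it folds confusable characters (digits and Cyrillic letters) in the From: domain, decodes punycode so an internationalised look-alike is compared in its displayed form, and flags a display name that shows a trusted address in front of an unrelated mailbox. The confusable table, the trusted-domain list and the addresses are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Confusable map for domain comparison, constructed for this example: a few
# digit and Cyrillic look-alikes, not a full Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0448": "w",                                                # Cyrillic ш
}

# Domains the organisation really exchanges mail with (constructed list).
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


def sender_domain(addr):
    """Domain part of an address, with punycode (xn--) labels decoded to
    Unicode so that a Cyrillic look-alike is compared as what it displays."""
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().lower()
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already non-ASCII: compare it as it is


def skeleton(domain):
    """Comparison key: NFKC-normalise, lower-case, and fold each confusable
    character to the ASCII letter it imitates."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """'trusted' for an exact trusted domain, 'lookalike' when it matches a
    trusted domain only after confusable folding, 'display-name spoof' when
    the display name shows a trusted address in front of an unrelated
    mailbox, otherwise 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if domain in trusted:
        return "trusted"
    key = skeleton(domain)
    if domain and any(key == skeleton(t) for t in trusted):
        return "lookalike"
    if "@" in name and name.rsplit("@", 1)[1].strip().lower() in trusted:
        return "display-name spoof"
    return "unknown"
```

The digit folds ("1" to "l", "0" to "o") will also match legitimate domains that contain digits, so treat a "lookalike" verdict as a reason to inspect, not an automatic block.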

Criminals have evolved their approach since the days when spear-phishing campaigns attached harmful documents to emails as-is or in a zip file. Instead, many harmful documents are now hosted on reputable services like Box, Dropbox, OneDrive, or Google Drive, according to Higbee, because threat actors know these are unlikely to be blocked by IT:

“We’re also starting to see phishing attacks that are trying to compromise API tokens or session tokens to get access to an email box or to get access to a OneDrive or SharePoint site.”

Tips to avoid a spear-phishing attack

1. Keep an eye on the personal information you share on the internet:

  • Take a look at your social media profiles. What kind of personal information is accessible to potential attackers? If you don’t want a potential scammer to see something, don’t share it – or, at the absolute least, make sure your privacy settings are set to limit what others may view.

2. Use smart passwords:

  • Do not use the same password or a combination of passwords for all of your accounts. If you reuse passwords or password variations, an attacker can access all of your accounts if they know one of your passwords.
  • Every password you have should be unique; the most secure passwords contain random phrases, numbers, and letters.

3. Update your software on a regular basis:

  • If your software supplier informs you that a new update is available, install it right away. Most software updates include security fixes that protect you against common threats. Enable automatic software updates wherever possible.

4. Do not click links in emails:

  • If an organization, such as your bank, sends you a link, open your browser and go directly to the bank’s website instead of clicking on it.
  • Hovering your cursor over a link will also reveal its destination. There’s a good possibility the URL is malicious if it doesn’t match the link’s anchor text or the email’s specified destination.
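The hover check from tip 4, automated over an HTML email body as an added example (not from the original article): every link whose visible text names a host is compared with the host its href really points to, and a mismatch is reported. The sample email body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML phishing body: the first link's visible text
# names the bank's site while its href points somewhere else entirely.
SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="http://example-bank.com.verify-login.example/reset">www.example-bank.com/reset</a>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
<a href="https://example-bank.com/contact">Contact us</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start of a link: remember its target, reset its text
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # text between <a> and </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare 'www.host/path' text is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """(visible text, real host) for links whose text names a different site."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        looks_like_url = " " not in text and "." in text.rstrip("./")
        shown = host_of(text) if looks_like_url else ""
        actual = host_of(href)
        # Equal hosts, or one a subdomain of the other, count as the same site.
        same = shown == actual or shown.endswith("." + actual) or actual.endswith("." + shown)
        if shown and actual and not same:
            flagged.append((text, actual))
    return flagged
```

Links whose text is ordinary words ("Contact us") cannot be checked this way; for those, the advice in the tip still applies: type the organization's address into the browser yourself.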

5. Use logic when opening emails:

  • If you receive an email from a “friend” asking for personal information, such as your password, double-check whether the sender’s email address is one you have seen before. A legitimate company will not email you asking for your account details or password. Your best bet is to contact that “friend” or company by phone, or to check the company’s official website, to confirm whether they really contacted you.

6. Implement a data security program at your company:

  • Data loss due to spear-phishing attacks can be prevented with a data protection program that combines user education on data security best practices with the adoption of a data protection solution. Medium to large businesses should use data loss protection software to secure sensitive data, so that it stays protected even if a user falls for a phishing scam.

Final thoughts

Of course, in the end, the best method for preventing these cyberattacks is training yourself and your employees on what to do when faced with them. That way, you add a new layer of security for your company, avoiding major attacks and data breaches!

Attribution:

Feature Image: Photo by Cast & Spear on Unsplash

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! I love to write passionately about any subject, and my main inspiration is people's stories. You can also find me on social media, for some more friendly things!
