The threat landscape continues to expand with an expediential rise in pandemic-related phishing campaigns targeting companies, governments, and individuals. The Federal Bureau of Investigation (FBI) recently issued a notification warning of an ongoing phishing campaign attempting to steal corporate accounts and credentials for network access and privilege escalation from U.S. and international-based employees. With the remote workspace as the new norm, there has been an increased use of corporate VPNs and elimination of in-person verification – allowing cybercriminals to gain access to employee tools at multiple companies with indiscriminate targeting.
While there are many different forms of phishing attacks, spear phishing is the most tried and true phishing method. In this piece, we’ll dive into what spear phishing is and how security teams can effectively tackle this very targeted method of digital attack, especially now that hackers are picking up their pace.
Spear Phishing vs. Phishing
Spear phishing is a method of attack that involves targeting specific users with tailored phishing content under the guise of a known contact. What makes spear-phishing different from traditional phishing attacks is the targeting. Phishing campaigns tend to be broad in scale, with multiple targets offering more opportunities for security teams to identify the attack.
While the goal of a spear-phishing attack is similar to any phishing attack - to gain access to internal networks, steal credentials or information, and/or infect devices with malware - what makes it so effective is the reliance on human error, psychology and specificity. Attackers conduct in-depth research into targets to choose the perfect sender to spoof, message to send and associated call to action. Relying on a combination of platforms from email, social media, domains and more, spear-phishing attacks are complex and effective, making them difficult to identify and thwart. The attacker’s goal is to create a believable depiction of the organization or its top leaders to fool its customers and even its employees into believing they are engaging with the legitimate sender.
While spear phishing can occur through email, social media or other means, one common example that has risen dramatically in recent years is business email compromise (BEC) attacks. Business email compromise involves the impersonation of a high-profile figure, such as an executive at the company. Attackers will leverage a CEO’s name to create a look-alike email address and send employees spear-phishing emails with requests for wire transfer, sensitive data, or click on a link. At the individual scale, IT teams are much more reliant on the user to recognize the attack. The increased sophistication of these attacks, through methods such as business email compromise, make spear phishing even harder to detect with traditional tools.
Financial Costs of Spear Phishing
Most scammers’ ultimate goal is to siphon revenue from the targeted organization through gift card scams or direct bank transfers. Organizations whose employees frequently deal with transferring funds, such as financial services, should be especially careful of spear-phishing attacks as they are prime targets. While most gift card-related attacks reported by the APWG Phishing Activity Trends Report were in the $1,000 range, wire transfer requests remain much higher, with an average request of $48,000 in Q3 2020. For small to midsize companies, a single email-based attack could have lasting financial costs on the organization.
How to Defend Against Spear Phishing Attacks
All security teams should be concerned with spear-phishing due to its effectiveness in reaching critical targets within the organization. With thousands of emails and social media messages sent each day, it can be difficult to identify spear-phishing attacks at scale, but a single attack can have lasting damage on an organization if sensitive information or significant funds are stolen.
Because attackers rely on a combination of platforms for reconnaissance, attack planning and execution, it’s critical for security teams to have visibility across external platforms. Understanding your organization and its high-profile employees’ social media presence is critical since attackers often leverage public information on social media to build convincing profiles to conduct attacks. Multi-channel spear phishing can also include creating impersonating accounts on social media as another means of reaching target audiences. Quickly identifying and removing any sensitive information that is shared publicly on social media or elsewhere on the web, including personal information, travel plans, credentials and more, is critical to stop the spread of a spear-phishing campaign.
As spear-phishing campaigns become more sophisticated, traditional email security methods such as blocking and deleting phishing emails will be insufficient and more sophisticated anti-phishing software will be necessary. Rather than addressing phishing attacks at the individual email level, working with domain registrars and hosts to dismantle the infrastructure behind those email addresses not only stops the specific attack but prevents future attacks from leveraging that same domain.