Spear phishing is a type of phishing attack that targets a specific organization or individual. It typically relies on email spoofing and aims either to infect the victim with malware or to trick them into revealing sensitive information.
Spear phishers look for targets who could yield financial gain, trade secrets for corporate espionage, personally identifiable information (PII) for identity theft or protected health information (PHI) for insurance fraud.
Like regular phishing emails, spear phishing campaigns masquerade as a trusted source. Unlike generic phishing emails, spear phishing is a targeted attack and is less likely to impersonate a well-known company or popular website like Microsoft, Google or LinkedIn.
Spear phishing attempts masquerade as colleagues or an executive at your organization. Without proper education, spear phishing campaigns can be damaging, which is why it is important to educate employees to double-check suspicious emails that request confidential information.
How Does Spear Phishing Work?
Spear phishing is a relatively unsophisticated cyber attack when compared to a more technology-powered attack like the WannaCry ransomware cryptoworm.
However, the volume and quality of phishing emails have increased dramatically over the last decade, and it is becoming increasingly difficult to detect spear phishing emails without prior knowledge of the campaign.
This is because cybercriminals target individuals who expose personal information on the Internet or have high-profile jobs.
By exploiting poor OPSEC practices, they gather information from social media, news and data breaches to understand the target's personal and professional relationships and personal details.
After the reconnaissance process, spear phishers craft personalized messages that look and feel authentic, delivered from what looks like a trusted individual.
The hope is that the high level of personalization increases the success of the spear phishing email.
The goal of a spear phishing email could be a direct reply, engaging with a malicious link, downloading an attachment that exploits a vulnerability (sometimes a zero-day) and installs malware, or exposing passwords, social security numbers or credit card numbers.
Why is Spear Phishing Effective?
The effectiveness of spear phishing comes down to psychology and technology.
Humans have an innate desire to trust friends and colleagues which helps with social cohesion. Spear phishers use social engineering to exploit our desire to help those we know and trust.
Pair this with the fact that spear phishing emails are becoming increasingly hard to detect because they often look like normal business emails, e.g. a link to collaborate on a Google Drive file. Additionally, phishing protection software can miss these attacks because it is tuned to avoid blocking genuine emails and frustrating users.
When the impersonated sender is a colleague or executive and the goal is a fraudulent payment or data transfer, this is known as business email compromise (BEC).
Some spear phishers pose as legitimate businesses to gather information on specific individuals and ramp the scam up slowly, sending benign mail first so that the sending IP address and domain build a good reputation before the malicious email arrives and slips past email security software.
In short, the success of a spear phishing campaign relies on:
- The apparent sender being a known and trusted individual
- The information in the phishing email appearing valid
- The request being made appearing logical
If an attack meets these three criteria, the success rate can be high. That said, with training even the most sophisticated attacks can be recognized.
What are the Characteristics of Spear Phishing Attacks?
The common characteristics of spear phishing emails are not unlike traditional phishing scams:
- The email uses email spoofing to masquerade as a trusted person or domain. On closer inspection, it may be revealed that there is a typographical error or one character has been replaced with another it closely resembles (e.g. capital i "I" vs lowercase L "l").
- Social engineering is employed to create a sense of urgency to exploit the victim's desire to be helpful to a friend or colleague. It may also be used to explain why the request wasn't made through a normal channel.
- Poor grammar, typographical errors or a style that differs from the faked sender's usual writing, e.g. the tone is too informal, too formal or uses incorrect jargon.
- The message fails SPF, DKIM or DMARC checks for the domain it claims to come from, or the visible From domain is not aligned with the envelope sender (Return-Path) or the DKIM signing domain.
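The last characteristic can be checked mechanically from the headers a receiving mail server adds. The following is an added example, not code from the original article: it parses the Authentication-Results and Return-Path headers, reads the SPF, DKIM and DMARC verdicts, and checks whether the authenticated domains are aligned with the visible From domain. Both messages are constructed for the example, the "organizational domain" logic is a deliberate simplification of what DMARC's relaxed alignment actually does (it uses the public suffix list), and the regular expression assumes the common `method=result key=value` layout of Authentication-Results.

```python
"""Check an inbound message's sender authentication and DMARC-style alignment.

Added example, not from the original article. All sample mail is constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From: claims example.com, but the envelope
# sender and DKIM signature belong to a different domain and DMARC failed.
SAMPLE_SPOOF = b"""Return-Path: <bounce@mail-example-com.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-example-com.net;
 dkim=pass header.d=mail-example-com.net;
 dmarc=fail header.from=example.com
From: "Joe Smith" <joe.smith@example.com>
To: you@example.com
Subject: Urgent: AWS invoice

Please pay this today.
"""

# Constructed sample: everything authenticates and aligns with example.com.
SAMPLE_LEGIT = b"""Return-Path: <joe.smith@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Joe Smith" <joe.smith@example.com>
To: you@example.com
Subject: Lunch?

Free at noon?
"""


def _domain(addr):
    """Lowercase domain part of an email address ('' if there is none)."""
    _, _, dom = addr.rpartition("@")
    return dom.strip(" <>").lower()


def _organizational(domain):
    """Approximate 'organizational domain' as the last two labels.
    Real DMARC relaxed alignment uses the public suffix list (assumption)."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(value):
    """Map spf/dkim/dmarc -> (result, authenticated domain) from the header."""
    results = {}
    pattern = r"(spf|dkim|dmarc)=(\w+)(?:\s+([\w.]+)=([\w.\-]+))?"
    for m in re.finditer(pattern, " ".join(value.split()), re.I):
        method, result, _, prop = m.groups()
        results[method.lower()] = (result.lower(), (prop or "").lower())
    return results


def check_message(raw):
    """Return a list of findings; an empty list means the sender checks out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    envelope_dom = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf = auth.get("spf", ("none", ""))
    dkim = auth.get("dkim", ("none", ""))
    dmarc = auth.get("dmarc", ("none", ""))

    findings = []
    if spf[0] != "pass":
        findings.append(f"SPF {spf[0]} for envelope domain {envelope_dom or '?'}")
    if dkim[0] != "pass":
        findings.append(f"DKIM {dkim[0]}")
    if dmarc[0] != "pass":
        findings.append(f"DMARC {dmarc[0]} for From domain {from_dom}")
    # A passing SPF or DKIM only vouches for the visible sender when the
    # authenticated domain is aligned with the From: domain.
    if _organizational(envelope_dom) != _organizational(from_dom):
        findings.append(f"envelope sender {envelope_dom} not aligned with From {from_dom}")
    if dkim[0] == "pass" and _organizational(dkim[1]) != _organizational(from_dom):
        findings.append(f"DKIM signing domain {dkim[1]} not aligned with From {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(raw) or "OK")
```

Note that the spoofed message passes SPF and DKIM: the attacker controls mail-example-com.net and authenticates it correctly. Only the alignment check (and the DMARC verdict the receiver derived from it) reveals that neither result covers the example.com address the reader sees.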
What is the Difference Between Phishing and Spear Phishing?
Phishing and spear phishing scams have similar goals. The difference is that spear phishing is highly targeted while phishing relies on the law of large numbers, sending thousands of emails hoping a few will fall victim.
Spear phishers target individuals with emails intended solely for the victim or organization. By limiting their scope, it is easier for scammers to include personal information like first name and job title, increasing the chance the victim sees the email as legitimate.
Read our guide on phishing for more information.
What is the Difference Between Spear Phishing and Whaling?
Whaling is a form of spear phishing targeting high-profile individuals like public company executives, politicians or celebrities. These spear phishing messages target the individual and their role in the organization.
For example, whaling attacks often come in the form of a fake request from the CEO asking the HR department to change their existing payroll details to those set up by the phisher.
Board members are also targets for whaling because they have a great deal of authority but aren't full-time employees. They often use personal email addresses that may have poorer protection than corporate email accounts.
Read our guide on whaling attacks for more information.
What Tools Help With Spear Phishing?
Like phishing, spear phishing doesn't require any specific tooling and can even be done with a free email address. A free Gmail address that matches the CFO's name can be enough to convince accounts payable to pay an invoice.
More sophisticated attacks can employ typosquatting, domain hijacking, or DNS spoofing where DNSSEC is not deployed, to increase the success rate of their emails.
There are also phishing kits available on the dark web that make it easy to pose as legitimate websites that the victim may use on a daily basis, especially if their company relies on popular SaaS tools.
Some phishing kits even have automatic personalization and will scrape social media accounts for information on behalf of the phisher.
How to Prevent Spear Phishing
The bad news is that the more successful your organization becomes, the more likely you will be the target of sophisticated spear phishing campaigns.
Your organization's information security policy and information risk management program need to employ defense in depth, using both technical and human controls to mitigate the cybersecurity risk of spear phishing.
Along with standard security threat protection like CVE-compatible vulnerability scanning, antivirus software, antimalware software, spam filters and TLS certificates, organizations should use phishing simulation tests, security awareness training, and give staff a way to report suspicious email to the IT security team.
A good process-based control to reduce the risk of unauthorized wire transfers is to make it impossible to pay an invoice without multiple people signing off on the payment. This greatly reduces the risk a vendor or colleague can be impersonated successfully.
Your employees can avoid falling victim to spear phishing attacks by:
- Limiting the amount of personal information they share on social media and other public websites.
- Avoiding clicking links in emails and, if necessary, checking that the link's actual destination (shown on hover or in the status bar) matches the text displayed and the domain they expect.
- Contacting the sender by phone or in person to confirm the request, using contact details they already have rather than any given in the email.
- Using two-factor or biometric authentication alongside strong passwords.
- Using logic when interacting with suspicious emails, e.g. an email from a colleague asking for payment of an overdue invoice when they've never asked you before is probably not legitimate.
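The link check in the list above is the one employees most often skip, because a mail client shows only the anchor text. The following is an added example, not code from the original article, of doing that check over an HTML body: it collects every anchor, and flags those whose visible text names a different host than the href, those that point at a bare IP address, and those whose destination is outside a list of trusted domains. The HTML body and the trusted-domain list are constructed for the example.

```python
"""Flag links in an HTML email whose visible text disagrees with their target.

Added example, not from the original article. The body and the trusted-domain
list are constructed for the illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one lookalike link, one genuine link, one raw IP.
SAMPLE_HTML = """
<p>Hi, please review the invoice at
<a href="https://awsamazon.com/login">https://aws.amazon.com/console</a>
and the shared doc <a href="https://docs.google.com/document/d/1">here</a>.
Also see <a href="http://198.51.100.7/pay">the payment portal</a>.</p>
"""

TRUSTED_DOMAINS = ("aws.amazon.com", "docs.google.com")  # assumption


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL-like string, or '' if the string isn't one."""
    s = s.strip()
    if "://" not in s:
        if " " in s or "." not in s:
            return ""
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reason)] for every suspicious anchor, in order."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        shown = _host(text)
        if shown and shown != real:
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append((href, text, f"link points at a bare IP address {real}"))
        elif real and not _trusted(real, trusted):
            findings.append((href, text, f"destination {real} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_HTML):
        print(f"{reason}: [{text}] -> {href}")
```

The first rule is the one a user can apply by hand (hover and compare); the other two need the trusted list, which in practice comes from the organization's own SaaS inventory rather than a hard-coded tuple.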
Vendor risk management is an often overlooked part of preventing spear phishing attacks. It doesn't matter how good your internal information security and data security is, if a third-party vendor falls for a spear phishing campaign, they could expose sensitive data.
Ask your vendors for their SOC 2 report, develop a third-party risk management framework and automate vendor risk management.
Cybercriminals understand that vendors are a possible attack vector, and you should too.
Third-party and fourth-party risk must be mitigated; organizations that fail to do so are exposed to real cyber threats.
What are Examples of Spear Phishing?
The following example illustrates a spear phishing attack's progression:
- The spear phisher gathers information about you from your social media accounts to better understand who your colleagues could be
- The attacker identifies that your boss could be Joe
- You receive a spoofed email that appears to come from Joe's address, email@example.com
- The email claims that Joe needs an AWS invoice paid quickly and has a link to what appears to be https://aws.amazon.com
- After clicking the link, you are directed to a login page on https://awsamazon.com, a fake website that is identical to the https://aws.amazon.com login page.
- You log in and expose your corporate AWS credentials to the spear phisher.
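The awsamazon.com domain in this walkthrough, and the "I" versus "l" substitution described under the characteristics of spear phishing attacks above, are both instances of a lookalike domain. The following is an added example, not code from the original article, of a detector that covers the common tricks: confusable characters, dots added or removed, a protected name embedded inside another domain, non-ASCII or punycode labels, and plain typos within a small edit distance. The confusable map, the list of protected domains and the edit-distance threshold are assumptions chosen for the illustration; a production version would use the Unicode confusables table and the organization's own brand list.

```python
"""Decide whether a sender or link domain is imitating a domain you trust.

Added example, not from the original article. CONFUSABLES, PROTECTED and
the distance threshold are assumptions for the illustration.
"""
import unicodedata

# Character sequences routinely swapped for one another in lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "|": "l", "rn": "m", "vv": "w", "cl": "d"}

# Domains the organization actually uses (assumption for the example).
PROTECTED = ["aws.amazon.com", "amazon.com", "example.com", "paypal.com"]


def skeleton(domain):
    """Normalize a domain so visually similar spellings collide."""
    d = unicodedata.normalize("NFKC", domain).lower()
    # Fold accented letters to their base; drop anything with no ASCII form.
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Classic edit distance; fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, protected=PROTECTED):
    """Return (protected_domain, reason) if `domain` imitates one, else None.

    An exact match or a genuine subdomain of a protected domain is not a
    lookalike. Checks run in order of how reliable the signal is.
    """
    d = domain.lower().rstrip(".")
    if any(d == p or d.endswith("." + p) for p in protected):
        return None
    sk = skeleton(d)
    if any(ord(c) > 127 for c in d) or "xn--" in d:
        # Internationalized names can mimic ASCII brands; report the closest.
        closest = min(protected, key=lambda p: levenshtein(sk, skeleton(p)))
        return (closest, "non-ASCII or punycode characters")
    checks = [
        ("confusable characters", lambda s, p: s == p),
        ("dots added or removed", lambda s, p: s.replace(".", "") == p.replace(".", "")),
        ("protected name embedded in another domain", lambda s, p: p in s),
        ("typo within edit distance 2", lambda s, p: levenshtein(s, p) <= 2),
    ]
    for reason, match in checks:
        for p in protected:
            if match(sk, skeleton(p)):
                return (p, reason)
    return None


if __name__ == "__main__":
    for candidate in ["console.aws.amazon.com", "awsamazon.com", "exampIe.com",
                      "amazon.com-billing.net", "amazn.com", "\u0430mazon.com"]:
        print(candidate, "->", lookalike_of(candidate))
```

The edit-distance rule is the noisiest of the five: on short domains it will match unrelated names, so in practice it is worth applying only to the registrable part of the domain and treating its output as a prompt for human review rather than an automatic block.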