What Are Spear Phishing Attacks?
Spear phishing attacks are a customized version of phishing attacks, tailored to a specific individual.
Instead of the templated and high-volume approach used in phishing attacks, hackers launching spear phishing campaigns are more calculated when approaching their target. Attempts are hard to detect because of the level of personalization. In fact, spear phishing emails are used in 91% of successful data breaches, according to a 2021 report.
The key to spear phishing attacks is research, which helps scammers reproduce the familiar tone and confidential information in this targeted attack. Spear phishers do their research and find out as much as they can about the target’s personal information. They do this by analyzing the target’s social media and other online sources to find relevant information used to phish targets. These incredibly personalized messages can catch even experienced users off guard.
Hackers launching spear phishing attacks rarely use malware. Instead, they opt for malware-free approaches and slowly lower your guard through social engineering techniques. The goal of a spear phishing attack might be to steal sensitive data, account credentials, credit card information, or money.
3 Common Spear Phishing Techniques and Examples
Spear phishing attempts can be tricky to detect, especially if you haven’t experienced one firsthand. But by understanding the common techniques we describe below, you will be more alert to future attempts. Here are some techniques and examples used by cybercriminals:
1. CEO fraud
CEO fraud, sometimes called Business Email Compromise (BEC), is a form of spear phishing where the attacker impersonates a senior executive to perform a personalized phishing attack. The target of these attacks might be a junior employee working for the company, fellow executives, or vendors.
Like other phishing attacks, CEO fraud uses social engineering techniques to gain victims’ sensitive information, account access, or money.
This method of attack is effective because it impersonates a person of power. Suppose an unsuspecting employee receives an email from their CEO asking them to urgently change a vendor’s payment details. The employee, wanting to please the CEO, may rush straight into the trap.
A recent example of BEC is the email scam the Government of Puerto Rico experienced in early 2020. The scammer tricked the government into changing the bank account for remittance payments, and they lost $2.6 million to the scam.
In a CEO fraud attack, the attackers’ objectives might be to infect a company’s network, get access to its internal systems, or mislead employees into wiring money to the wrong account, as in the Puerto Rico case.
2. Whaling
Whaling refers to spear-phishing attacks where attackers target senior executives or people in an influential position. This may include C-level senior executives, politicians, or celebrities.
The method isn’t much different from other spear phishing attacks. They depend on the fact that the CEO of a company is human and can still fall into social engineering traps, just like a regular employee would. Senior executives have better access to the company data than standard employees, which is why they should have preventive measures installed and be especially careful when looking through their inboxes. An example of whaling attacks would be when Mattel almost lost $3 million to a scammer. The scammer impersonated the CEO to ask the finance director to send a wire transfer to a Chinese bank account. At the time, the newly appointed CEO had been planning massive growth in China, which is why the request seemed natural.
3. Clone phishing
As the name suggests, hackers in clone phishing attacks copy legitimate messages to launch their attacks. Hackers imitate the messages they’ve seen from legitimate sources and impersonate a certain organization to trick victims. (This is why it is of utmost importance to protect your organization’s domain with DMARC services.)
Messages duplicated in clone phishing attacks are usually regular messages sent by the organizations they’re impersonating, such as a sales promotion, a notification, or an email asking to update your account information. Often, this message will include a malicious link leading to a cloned webpage, usually a login page, that the attacker has created. Cloned websites usually have an address that’s nearly identical to the legitimate address. What sets it apart is a typo, swapping letters, adding a dash, or other minor differences. The fake website’s design and logo, text and emails, and user experience will also be identical to the legitimate website. Hackers go to such lengths to fool unsuspecting victims into entering their login credentials, social security numbers, or other sensitive data into the malicious website so they can capture it.
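The lookalike addresses described above (a typo, swapped letters, an added dash, a digit standing in for a letter, or the brand name buried in a subdomain) can be flagged mechanically before a message reaches an inbox. The script below is an added example, not code from the original post or from Valimail: it normalizes the sender domain from a `From:` header and compares it against a constructed list of protected domains. `PROTECTED_DOMAINS`, the confusable map, the 0.85 similarity threshold, and the two-label `registrable()` helper (which ignores public-suffix cases such as `co.uk`) are all assumptions for the demo.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed: the domains you own and want to protect (assumption for this demo).
PROTECTED_DOMAINS = ["example.com", "example-bank.com"]

# Single-character confusables commonly swapped into lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Fold a domain into a canonical ASCII form so visually similar names compare equal."""
    d = domain.lower().strip().rstrip(".")
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()  # e.g. 'é' -> 'e'
    d = d.translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")  # multi-letter confusables
    return d.replace("-", "")                     # dashes added or removed


def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.example.com -> example.com.
    Assumption: no public-suffix list, so suffixes like co.uk are not handled."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender(header_from: str, protected=PROTECTED_DOMAINS, threshold: float = 0.85):
    """Classify a From: header value.

    Returns (verdict, matched_protected_domain, similarity) where verdict is one of
    'legitimate', 'lookalike', 'unrelated' or 'invalid'.
    """
    m = re.search(r"@([^>\s]+)", header_from)
    if not m:
        return ("invalid", None, 0.0)
    domain = m.group(1).lower().rstrip(".")
    reg = registrable(domain)
    if reg in protected:
        return ("legitimate", reg, 1.0)          # our own domain or one of its subdomains

    labels = domain.split(".")
    best = ("unrelated", None, 0.0)
    for p in protected:
        # Brand name used as a subdomain label, e.g. example.com.secure-login.net
        if p.split(".")[0] in labels:
            return ("lookalike", p, 1.0)
        score = SequenceMatcher(None, normalize(reg), normalize(p)).ratio()
        if score > best[2]:
            best = ("lookalike" if score >= threshold else "unrelated", p, score)
    return best


if __name__ == "__main__":
    # Constructed sample From: headers, not captured mail.
    samples = [
        "CEO <ceo@example.com>",
        "ceo@examp1e.com",
        "billing@exarnple.com",
        "ceo@exmaple.com",
        "ceo@example.com.secure-login.net",
        "it@unrelated.org",
    ]
    for s in samples:
        verdict, matched, score = classify_sender(s)
        print(f"{s:40} -> {verdict:10} {matched or '-':18} {score:.2f}")
```

In a mail gateway this check would run on the RFC 5322 `From:` display address, which is the one the recipient actually sees; pair it with the DMARC checks discussed later on this page, because a lookalike domain the attacker registered will pass SPF and DKIM for that domain and only a name-similarity check will catch it.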
Spear Phishing Prevention: Best Practices
Although spear phishing is much harder to detect than mass phishing attacks, there are still ways to protect yourself against spear phishing. Here are some tips to help you protect your inbox:
1. Don’t open suspicious emails, links, or attachments
This might seem like a no-brainer, but when you’re scrolling your inbox, it’s easy to forget that you need to be careful. If you discover a suspicious email, don’t interact with any links or attachments within that email. Also be sure to refer to your company’s cybersecurity policy to determine what steps you should take next. If you don’t have one, you can always move the email to spam or simply delete the message.
2. Use two-factor authentication
Adding two-factor authentication adds another layer of security to your accounts. Even if an attacker managed to slip past your strong password, they wouldn’t have access to your account unless they prove they’re an authorized user.
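To make the "another layer" concrete, here is an added example (not code from the original post) of the most common second factor, a time-based one-time password as specified in RFC 6238: the server and the user's authenticator app share a secret, and each 30-second step yields a six-digit code derived from it. `DEMO_SECRET` is a constructed seed, and the one-step `window` for clock skew is an assumption of this demo.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the base32 value an authenticator app would enrol); not a real credential.
DEMO_SECRET = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # base32 needs 8-char groups
    key = base64.b32decode(padded)
    counter = int(at_time // step)                                 # which 30-second step we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                     # low nibble picks the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or +/-window steps to tolerate clock skew.

    Every candidate is compared with hmac.compare_digest and no early return is taken,
    so timing does not reveal which step (if any) matched.
    """
    now = time.time() if at_time is None else at_time
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, now + delta * step, step, digits)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("verifies now:", verify_totp(DEMO_SECRET, code, now))
    print("verifies two minutes later:", verify_totp(DEMO_SECRET, code, now + 120))
```

A stolen password alone fails the second check, which is the point of the section above. The caveat a defender should know: a TOTP code typed into a cloned login page can be relayed by the attacker within its 30-second validity, so for high-value accounts the next step up is a phishing-resistant factor such as a FIDO2 security key that binds the login to the real site's origin.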
3. Train your employees
Spear phishing attacks often rely heavily on social engineering. Security awareness training is essential to ensure that you and your employees can recognize when something suspicious is going on, even when you’re hit with a hyper-personalized attack.
Educate your employees on spear phishing, how to detect an attempt, and what to do if they find a suspicious email in their inbox.
Besides interactive training, phishing simulations help your employees be more vigilant when checking their inbox.
4. Create strong passwords
Strong passwords are a must for anyone who uses online services. Unfortunately, weak passwords like “123456” or “password” are still surprisingly common. In fact, these two exact words rank number 1 and 5 respectively on Nordpass’s list of most common passwords, published in February 2020. To create a strong password, Harvard recommends that you mix uppercase and lowercase letters, add numbers and symbols, and make the password more than ten characters long. Better yet, make it a phrase or use a password generator so no one would be able to guess your password.
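The rules just quoted can be enforced in code. The following is an added example, not code from the original post: `check_password()` reports which of the rules above a candidate fails and rejects entries from a common-password list, and `generate_passphrase()` builds a random phrase with Python's `secrets` module. `COMMON_PASSWORDS` is a constructed five-entry stand-in for the Nordpass list the text cites, and `WORDS` is a constructed wordlist; a real deployment would load a full breached-password list and a large dictionary.

```python
import re
import secrets

# Constructed excerpt standing in for a common-password list (assumption for this demo).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111"}

# Constructed wordlist; a real generator would use a large dictionary such as a diceware list.
WORDS = ["copper", "violin", "meadow", "lantern", "orbit", "saddle", "pebble", "thunder"]

# Each rule: (label, predicate that must hold for the password to pass).
RULES = [
    ("common",    lambda pw: pw.lower() not in COMMON_PASSWORDS),
    ("length",    lambda pw: len(pw) > 10),
    ("lowercase", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("uppercase", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("digit",     lambda pw: re.search(r"\d", pw) is not None),
    ("symbol",    lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]


def check_password(pw: str) -> list:
    """Return the labels of the rules the password fails; an empty list means it passes."""
    return [label for label, ok in RULES if not ok(pw)]


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Random passphrase: n words from the list joined by '-', one capitalised, plus a digit.

    secrets.choice uses the OS CSPRNG, so the result is not predictable the way a
    user-invented phrase is. With a full wordlist, four words give well over 50 bits of entropy.
    """
    chosen = [secrets.choice(words) for _ in range(n_words)]
    chosen[secrets.randbelow(n_words)] = chosen[secrets.randbelow(n_words)].capitalize()
    return "-".join(chosen) + "-" + str(secrets.randbelow(10))


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", generate_passphrase()]:
        failures = check_password(candidate)
        print(f"{candidate:30} -> {'ok' if not failures else 'fails: ' + ', '.join(failures)}")
```

Note that the generated phrase always satisfies the rules because the dash supplies the symbol and the appended digit supplies the number, so the rule set and the generator agree with each other.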
5. Keep all software up to date
Software updates often include fixes for known vulnerabilities, which attackers can readily exploit. Unfortunately, updates take time and are often treated as something you can postpone, until eventually you forget about them altogether.
An example of a major attack that took advantage of a known security vulnerability is the WannaCry ransomware attack in 2017.
Interestingly, the vulnerability exploited in this incident was fixed in the Microsoft software update from earlier in 2017. However, affected organizations hadn’t updated their software yet, which is how the ransomware managed to slip through.
Why DMARC is the Best Spear Phishing Prevention Method
Spear phishing often uses spoofed sender addresses to make the message appear legitimate. Implementing a DMARC policy on your email domain will prevent cybercriminals from spoofing your domain name and involving you in spear-phishing scams.
A DMARC policy will tell receiving servers how to respond if an email seemingly sent from your domain fails the authentication process. It will also give you better visibility over who’s using your domain, improve your deliverability, and monitor wrongful uses of your domain name.
To work properly, DMARC policies require you to correctly configure SPF, DKIM, and DMARC records for your domain. Whether this is your first time or you want to make the whole process easier, consider going with a DMARC-as-a-service platform like Valimail to set up and enforce your DMARC policy.
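To show what "tell receiving servers how to respond" means in practice, here is an added example that is not part of the original post and not Valimail's code. It parses a DMARC TXT record, applies the DMARC alignment rule (the `From:` domain must match the domain that passed SPF or the `d=` domain of a passing DKIM signature, relaxed or strict per `aspf`/`adkim`), and returns the disposition a receiver would apply. It also includes a small audit of a domain's SPF and DMARC records. The DNS table, the `example.com` domain, and the two-label `org_domain()` helper (no public-suffix list) are constructed assumptions; the weak record uses `p=none` and the corrected one `p=reject`.

```python
# Constructed DNS TXT records for a placeholder domain (assumption, not a real deployment).
WEAK_DNS = {
    "example.com":        "v=spf1 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}
# Same domain after moving to an enforcing policy with strict alignment.
STRONG_DNS = {
    "example.com":        "v=spf1 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; default alignment modes are relaxed per RFC 7489."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(policy: dict, from_domain: str,
                      spf_pass: bool, spf_domain, dkim_pass: bool, dkim_domain) -> str:
    """What a receiver does with a message: 'pass', or the policy's none/quarantine/reject."""
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain policy 'sp' applies when the From: domain is not the organizational domain itself.
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        return policy["sp"]
    return policy["p"]


def audit_domain(domain: str, dns: dict) -> list:
    """List weaknesses in a domain's SPF and DMARC records (constructed DNS table, no live lookups)."""
    findings = []
    spf = dns.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf.split()[-1] not in ("-all", "~all"):
        findings.append("SPF does not end in -all or ~all")
    dmarc_txt = dns.get("_dmarc." + domain)
    if not dmarc_txt:
        findings.append("no DMARC record")
        return findings
    policy = parse_dmarc(dmarc_txt)
    if policy["p"] == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in policy:
        findings.append("no rua= address: no aggregate reports")
    return findings


if __name__ == "__main__":
    # Constructed scenario: an attacker's server sends From: ceo@example.com, so SPF fails and no DKIM exists.
    for label, dns in (("weak", WEAK_DNS), ("strong", STRONG_DNS)):
        policy = parse_dmarc(dns["_dmarc.example.com"])
        verdict = dmarc_disposition(policy, "example.com", False, "attacker.invalid", False, None)
        print(f"{label:6} policy -> spoofed CEO mail is: {verdict}; audit: {audit_domain('example.com', dns)}")
```

The comparison shows why `p=none` is only a monitoring step: a spoofed message from the CEO's address is still delivered, just reported, whereas `p=reject` tells the receiver to refuse it. Strict alignment (`adkim=s`, `aspf=s`) is optional hardening; turn it on only after the aggregate reports confirm that every legitimate sending service signs or sends with the exact `From:` domain, otherwise your own mail is what gets rejected.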
Mitigate Spear Phishing with Robust Email Security
Spear phishing campaigns are much harder to detect than your standard, templated phishing campaigns. However, there are precautions you can take to withstand these attempts, such as giving your employees security awareness training and upgrading your email security software.
At the same time, the attackers are also getting more and more sophisticated. You’ll need to stay on top of recent cybersecurity news to protect your company from scammers. Whether you’re a small business or working on a security team at a big corporation, you’ll need to look into options to upgrade your security as soon as possible.
Setting up your DMARC policy is one of the best ways to prevent your company from being used in spear phishing attacks. However, setting up a DMARC policy on your own and maintaining it can be overwhelming, especially if you have hundreds of other things you need to check. Get better visibility into your email deliverability and who’s using your channels without the hassle or expense of hiring a contractor to configure your DMARC. Protect your company from being involved in spear-phishing campaigns and get a demo with Valimail today.