What is spear phishing?
Phishing is a standard cyber security attack that most of us are familiar with, but did you know the threat comes in different forms? This article looks at spear phishing attempts, email security and how you can be ready for them.
Spear phishing is a specific type of cyber attack in which cybercriminals seek to obtain sensitive information, such as financial data or account credentials, from a targeted victim, usually with malicious intent.
It is a targeted attack: the spear phisher first learns personal information about the target individual, such as their friends, employers, or things they have recently bought online, and then pretends to be one of those trusted entities to acquire sensitive information via email. It is notorious as the most successful method of identity theft, stealing sensitive information online.
It may sound like something you would see through, but spear phishing emails, and certain elements of a phishing campaign, have become very sophisticated recently. Many people put personal information on the internet via social media profiles, enabling cybercriminals to learn a person's email address, close friends, location and information about new purchases. The information gathered this way is enough for an attacker to pose as a familiar entity and send a convincing email to their target.
These messages often include a sense of urgency as to why sensitive information is required. They may direct the victim to click on a link or open a malicious attachment, either of which could expose them to the risk of divulging sensitive data or inviting malware onto their system. Whatever purpose the disguised attacker claims to need the sensitive information for, the reality is that they will use it to learn things like bank account numbers, or anything else that brings a monetary gain at the expense of the victim.
What is an example of spear phishing?
Let's look at a couple of examples of different types of spear phishing attack that bypass a user's defences:
1. The phishing attacker poses as the target's employer to encourage the victim to sign the 'updated employee handbook' via a malicious link. In the message, there are phrases like "we must all check and sign an acknowledgement of the updated handbook as soon as we see this email", and there is a link that takes the target to an online Word document.
The target of the phishing attempt is prompted to click another malicious link within this document, taking them to a fake login page. The scammer's goal is to trick the target into typing in their login credentials so that the attacker can bypass security and access their real account.
This example uses social engineering to motivate the recipient to act without thinking about it.
2. The attacker's spoofed emails claim to verify some flagged account activity on a popular web hosting platform that the recipient uses. The web hosting company's name appears in the display name and is written several times in the message; even the logo is there. The target is directed to click on a link to verify the account activity and enter their login details on a scam page.
This spear phishing attack is a hazardous online security threat because if the attacker gains access to the victim's web hosting account, they could control the victim's entire website. The message is well disguised, with no spelling or grammatical mistakes in the content.
In both examples above, the attacker has learned information about the victim in order to target them with a specific attempt to gain their login credentials. The phishing email content is customised to be as convincing as possible to the recipient and uses social engineering to motivate them to act on the scam. The only thing that gives them away is the sender's email address, but there is no guarantee the victim will check this.
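The giveaway in both examples is the sender address, not the display name. The following added example (not code from the original article) shows how a mail filter can check that automatically: it flags a message when a trusted brand appears in the display name but the From address belongs to another domain, and when the Reply-To domain differs from the From domain. The brand-to-domain table and the two sample messages are constructed for illustration.

```python
# Added example: detect display-name impersonation in email headers.
# Standard library only; the trusted-sender table and samples are constructed.
from email import message_from_string
from email.utils import parseaddr

# Brands the recipient trusts, mapped to the domains they genuinely send from.
# Constructed values; in practice, populate this from your own mail flow.
TRUSTED_SENDERS = {
    "examplehost": {"examplehost.com", "mail.examplehost.com"},
}

def sender_domain(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return a list of findings describing header mismatches (empty if none)."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    findings = []
    # A brand name in the display name must be backed by one of its real domains.
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in display.lower() and from_dom not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is '{from_dom}'")
    # Replies silently routed to a different domain are another common tell.
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    return findings

# Constructed sample messages, not real mail.
SUSPICIOUS = """From: ExampleHost Security <alerts@examplehost-verify.example>
Reply-To: support@mailbox-collector.example
Subject: Flagged account activity

Please verify your account.
"""
LEGITIMATE = """From: ExampleHost Security <alerts@examplehost.com>
Subject: Your monthly statement

No action required.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or ["no findings"])
```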
What is the difference between phishing and spear phishing?
Spear phishing attacks and phishing attacks are easily confused because they use similar techniques to acquire confidential information or deliver malware. However, phishing is a broader term for any attempt to attack recipients in this way, while spear phishing uses personalised attacks to target specific victims.
Phishing attacks typically rely on a numbers game: send a generic email to as many recipients as possible, and some of them will fall for it. Spear phishing goes to far greater lengths to target specific individuals and so achieves a higher success rate. Spear phishing emails, therefore, tend to look a lot more convincing.
What are spear phishing attacks?
Spear phishing attacks are, therefore, attempts to trick the recipient into divulging sensitive information or downloading malware by posing as a trusted friend or entity. They exploit the fact that people give away a lot of information about themselves online through social media profiles. Attackers learn as much as they can from an individual's social media to appear legitimate when executing the attack.
People can protect themselves against spear phishing attackers in several ways, and general security awareness training is vital in today's workplace. First, don't reveal too much personal information about yourself on social media. Second, if you receive a suspicious email asking you to divulge sensitive information, verify its legitimacy first: check the sender's email address, or contact the person who supposedly sent the email directly.
Email protection software can also help, by diverting scam emails away from your inbox or by scanning links and attachments for signs of malicious content. It's essential to be aware of the threat of spear phishing and to protect yourself against a phishing attempt however you can.