What Is Spear Phishing?
By now, you must have heard about phishing.
This is an online scam where hackers send a malicious message to trick you into handing over valuable personal information … but have you heard about spear phishing?
In a nutshell, spear phishing is a hyper-targeted form of phishing where specific people receive manipulative messages. The cybercriminals aim to get a hold of private data or trick recipients into doing something, like transferring money. Usually, the intended targets of spear phishing are executives whose info is worth a lot of money.
Spear phishing example
To get a clearer understanding of what spear phishing is, let’s take a look at a couple of examples.
A type of spear phishing targets company employees by impersonating Chief Executive Officers (CEOs). These fraudulent messages, typically in the form of emails, instruct the staff of Human Resources (HR) or Finance departments to reveal sensitive company information or transfer money.
The cybercriminals pretend to be the CEO because of the authority they hold. (No one usually questions their decisions, right?) They trick people by using the CEO’s name together with a slightly altered email address. They also try to fool targeted employees by setting a reply-to address that differs from the sender’s address.
AI spear phishing
AI, or artificial intelligence, can be helpful in a lot of ways, but it can also be trained to carry out evil deeds. In the case of AI spear phishing, hackers use AI to crawl the internet for useful information about someone they want to impersonate. This could be a senior member of a company or an online influencer.
The AI then studies this person’s social media pages, professional and social messages, etc. to mimic their language, communication style and tone of voice.
With AI-powered spear phishing, cybercriminals can then instruct a computer to craft and send emails to targets at speeds human attackers cannot.
How to identify spear phishing
So, what does a spear phishing attack look like? Is there a way to determine if you’re being baited for a spear phishing attack?
The most common way these “phishers” contact a potential victim is by using email. Now, let’s try to differentiate a legitimate message from a spear phishing email.
What is a spear phishing email?
What does a spear phishing email look like? The scary thing is that these hackers can imitate the communication style of whoever they are impersonating. But don’t worry too much. There are still ways to tell a spear phishing email from a legitimate one:
- The name of the sender is incorrect. Check the name of the sender very carefully because hackers may have made a simple spelling mistake.
- The sender’s email address is slightly different. The hackers may swap one character for another or use something very similar to the actual email address. For example, using the digit 1 in place of the letter l.
- They ask for very sensitive information. The email may be asking for company details such as financial records or corporate credit card numbers.
- The email contains suspicious attachments. These can be fake invoices or misleading bank statements.
- Your email provider flashes a warning on the email itself. Certain email providers like Gmail usually notify you when an attachment may be harmful or the message is suspicious. Always err on the side of caution as it may be a spear phishing attempt.
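The three header-level tells above (a familiar display name on the wrong address, a look-alike domain with 1 swapped for l, and a reply-to that does not match the sender) can be checked automatically. The following is an added example, not code from the article or from Clario; the sender list, trusted domain and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people who are commonly impersonated (e.g. the CEO);
# a real deployment would load this from the company directory.
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Look-alike characters often used in altered addresses: the digit 1 for the letter l,
# the digit 0 for the letter o.
HOMOGLYPHS = {"1": "l", "0": "o"}


def normalize(text: str) -> str:
    """Fold look-alike characters so 'examp1e.com' compares equal to 'example.com'."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def check_headers(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no tell was found."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # Tell 1: the display name belongs to a known person, but the address is not theirs.
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' used with unexpected address {from_addr}")

    # Tell 2: the domain only matches a trusted domain after folding look-alike characters.
    if from_domain not in TRUSTED_DOMAINS and normalize(from_domain) in TRUSTED_DOMAINS:
        findings.append(f"look-alike domain {from_domain}")

    # Tell 3: replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS_EMAIL = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo.urgent@mail-example.net\n"
    "To: finance@example.com\nSubject: Urgent wire transfer\n\n"
    "Please process the attached invoice today.\n"
)
LEGITIMATE_EMAIL = "From: Jane Doe <jane.doe@example.com>\nTo: finance@example.com\n\nHello.\n"
```

Running `check_headers(SUSPICIOUS_EMAIL)` reports all three tells, while the legitimate message produces none; in practice such checks complement, rather than replace, the warnings your email provider shows.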
Phishing versus spear phishing
Though they both use the same methods to attack victims, phishing and spear phishing are still different. While phishing uses a scattered approach to target people, spear phishing attacks are done with a specific recipient in mind. Because of this, it usually takes longer for hackers to execute spear phishing attacks as they need to research their potential victims.
Spear phishing and whaling
If there is spear phishing, did you know there is another term related to it called whaling? We kid you not! And as the imagery suggests, whaling is a type of spear phishing that targets highly valuable individuals and organisations. “Whales” are usually high-ranking victims within a well-known, lucrative company.
When such a person falls victim to a whaling attack, the information the criminals obtain is worth far more than a random target’s details.
To help you properly differentiate phishing vs. spear phishing vs. whaling attacks, here’s an example. In a phishing attack, a hacker may send a message asking for a bank transfer to anyone whose email they found while scanning internet forums or social media. In a spear phishing attack, they will craft a more professional message, asking for a bank transfer from employees of a certain company. In a whaling attack, they may target the company’s CEO or directors. Basically, the higher you go up the professional ladder, the bigger the bounty.
How spear phishing works
So, how does spear phishing work? Maybe if we know how hackers execute their plans, we’ll be more prepared to prevent spear phishing or whaling attacks from being successful.
- Gathering email addresses. Phishers will first try to collect the email addresses they want to use for phishing, either from publicly available information online or through other techniques, such as accessing private databases.
- Detecting antivirus software. Hackers will try to figure out the antivirus used by the company targeted. When they finally know what it is, they will then find a way to send phishing emails capable of evading this software.
- Exit information filtering. When the phishing victim replies to the criminal’s message, the company’s security infrastructure may still prevent the message from being sent. The cybercriminals will try to find a way to receive it anyway, using encryption software or specialised tunnel-like pathways for messages to go through.
- Social engineering. The hackers will try to study the people they want to impersonate by researching their online writing styles and profiles.
- Receiving the phished data. Once the phishing message has been sent, the criminals will then “harvest” the data. Sometimes, they can even install malicious software onto the victim’s device to facilitate further spying to inform future attacks.
Spear phishing prevention
By now, you may feel lucky that you’re not a high-ranking official of a reputable company. There’s no way you’d be attacked (lucky you didn’t get that big promotion, huh?). So why does spear phishing awareness still matter? It’s very simple. Phishers are becoming increasingly sophisticated in their techniques, meaning no one is safe.
You may not be considered as a highly valuable target now but you may be in the future! Or you may be connected to a “whale” which also makes you vulnerable. Now, how do we prevent phishing attacks?
Tips to avoid a spear phishing attack
Here are some pointers on preventing spear phishing attacks:
- Don’t post your official email address on public websites. Better yet, don’t overshare your personal details on social media.
- Carefully look at any emails you receive before responding.
- Trust your instinct if it tells you something is wrong. If you need to contact the person who sent you the email, reach out to them using other means like calling or texting.
- Heed the advice of your email provider, especially if it’s telling you an attachment is suspicious. Do not click on such links or open the attached files.
- Attend cybersecurity training or workshops hosted by your company. If you don’t have these yet, go ahead and suggest it to your HR team!
- As a company, have a protocol if there is a data breach or if employees are victimized by phishing scams. You must map out different scenarios and crisis intervention strategies.
- Upgrade your cybersecurity software. In companies, the most important thing is having a robust, easy-to-understand cybersecurity system. Oftentimes, employees tend not to bother with antivirus or other IT stuff because it’s too technical. So make sure your company’s cybersecurity app is jargon-free so anyone can understand it — from your rank and file employees to the CEOs! And isn’t it a good thing Clario is exactly this type of IT security software?