Spear phishing is the act of sending messages to particular, well-researched targets while pretending to be a trusted sender. The aim is either to infect devices with malware or to persuade victims to hand over data or money.
In 2019, 65 percent of US companies were victims of active phishing attacks, according to a recent survey. What is more, Verizon’s 2020 Data Breach Investigations Report found that 22 percent of data breaches involve phishing, more than any other type of threat action.
A 2017 study found that spear phishing is highly targeted, with 77 percent of emails aimed at ten or fewer mailboxes. What is more, the study found that one-third of the attacks targeted only a single mailbox.
While standard phishing campaigns go after large numbers of relatively low-yield targets, spear phishing uses emails customized for the intended victim to hit specific targets. Ordinary phishing consists of generic, low-tech, untargeted attacks of any kind. The attackers do not care who their target is; they simply cast a wide net to snare as many individuals and businesses as they can.
Spear phishing is a campaign that a threat actor has deliberately created with the intention of breaching one entity, where names and positions within a corporation are actually researched.
Spear phishing attacks are more complicated. By contrast, mass phishing mainly involves using automated off-the-shelf kits to capture credentials en masse through fake log-in pages for popular banking or email services, or to spread ransomware or crypto-mining malware.
Some targeted campaigns include documents containing malware designed to steal confidential information or valuable intellectual property, or simply to compromise payment processes, or they include links to credential theft sites. Others avoid malicious payloads altogether and use social engineering to hijack payment processes with a single bank transfer, or a sequence of them, for a small number of large payouts.
The “from” section of an email is frequently spoofed to make it appear to come from a recognized individual, or from a domain that looks like yours or your trusted partners’. For example, it is possible to substitute the letter ‘o’ with the number ‘0’, or to change the letter ‘w’ to ‘ш’ from the Russian alphabet.
While older spear phishing operations simply attached the malicious documents directly or inside a zip file in the email, criminals have adapted their techniques. Many malicious documents are now hosted on legitimate websites such as Box, Dropbox, OneDrive, or Google Drive, because blocking these legitimate services outright is impractical for most organizations.
We are also beginning to see phishing attacks that attempt to compromise API tokens or session tokens in order to gain access to a mailbox or to files hosted on OneDrive or SharePoint.
Spear phishing attempts have been used to swindle millions of dollars out of people and businesses. They may also cause harm in other ways, such as stealing confidential information from corporations or causing people emotional stress.
Some try to get you to click on a link that leads to a malware-downloading website (for example, ransomware), a fake website that asks for your password, or a website loaded with advertisements or trackers. Other phishing attempts might ask you to enter your social security number, hand over credit card or banking information, or simply send some money.
To build their phishing emails, scammers also take advantage of the current environment and recent events. The coronavirus pandemic, for instance, triggered several campaigns centering on government benefits and employment prospects.
On a personal level, scammers may pose as a business you trust, for example a bank or a store you have shopped at. They may offer great deals, tell you that you owe them money, or warn that an account of yours is about to be frozen. They may also, directly or indirectly, claim to be a person you know. For example, posing as someone who went to your old school or as a member of your religious group could get you to open up.
Spear phishing is also a very popular method of attack on companies. Because it is so targeted, spear phishing is arguably the most dangerous form of phishing attack. A scammer posing as a company executive and demanding that an unsuspecting employee wire money to an account belonging to the fraudster is a common spear phishing scam in businesses.
This is sometimes referred to as “whaling” and is a form of CEO fraud. Although scammers target companies of all sizes, attacks against small companies are becoming increasingly common.
Scammers are targeting businesses all the time, but here are a few examples of some high-profile attacks.
Ubiquiti Networks Inc
In 2015, this firm handed over more than $40 million in a spear phishing attack involving CEO fraud. Emails apparently sent from senior managers instructed workers to transfer funds from a Hong Kong subsidiary to third-party accounts. The emails in fact came from the fraudsters, who owned the third-party accounts.
The city of Franklin, Massachusetts fell victim to a phishing attack in a recent scam and lost over $500,000 to scammers. The fraudsters convinced a city employee to provide secure login information, which the criminals were then able to use to steal the funds.
This online marketing firm was attacked in 2011 as part of a scheme to steal consumer credentials, likely for use in further spear phishing attempts. The spear phishing emails were reported to contain a link to a website that downloaded malware, which in turn disabled antivirus software, gave remote access to the device, and could be used to steal passwords.
Other common spear phishing scam examples
In addition to those particular examples, here are some more common scenarios that you might encounter. All of these use data that can be gleaned from social media posts, particularly if you tend to reveal where you shop, eat, bank, and so on.
- An email from an online store about a recent purchase. It may include a link to a login page where your credentials are simply harvested by the scammer.
- An automated phone call or text message from your bank indicating that your account may have been compromised. To confirm that you are the real account holder, it tells you to call a number or follow a link and provide information.
- An email indicating that your account has been deactivated or is about to expire and that you need to click a link and provide credentials. Recent sophisticated examples of this form of fraud include cases involving Apple and Netflix.
- An email asking for donations to a religious organization or charity that you are personally affiliated with.
How To Avoid Spear Phishing Scams
We will provide tips to help both individuals and organizations defend themselves against these scams.
Here’s how to prevent spear phishing attacks:
- Increase awareness
- Use tools for defense
- Look out for fake emails
- Avoid clicking links and attachments
- Look out for phishing sites
- Avoid sending personal information
- Verify suspicious requests
- Use strong passwords and a password manager
To stop spear phishing attacks, security teams must first train users to identify, avoid and report suspicious emails. It is crucial for every employee to recognize that their role gives them access to a great deal of information, the currency of the information economy.
Based on our strong understanding of the business context and mailing ecosystem, we at ProgIST have developed a unique cloud platform, “ProPhish”. We offer the ProPhish-based Employee Awareness Programme (P.E.A.P), which addresses the key gaps mentioned in this article. Some of the key features included in the programme are:
ProPHISH comprises numerous activities to train your organization’s most important first line of defense: the employees. Get started with top-class cybersecurity solutions for your business at Progist.