How would you react if you received an email message asking you to read a specific article, link included? If it looked like advertising, you would probably ignore and delete the message, right? But what if it came from your boss? Then you would probably reply, even if it was just to say you need a few days to get to it. What if it came from your boss’ boss? What if she called you by your work nickname, mentioned a critical project you’re working on and said this article hinted that the customer wasn’t happy with your team and might be considering a change? What if she said she wanted a proposal to address the issues in 48 hours or she would tank your annual review? She even included a link to the article, from an industry journal that would require you to log in. That might give you pause. It is your boss’ boss after all.
Email security is one of the most challenging issues for any business today. Risks and scams come from all directions, and are increasing at lightning speed. Latest statistics show:
- 94% of organizations experienced a phishing attack in the previous 12 months.
- 68% of organizations saw the volume of impersonation/BEC attacks increase.
- 73% of these victims experienced a loss resulting directly from the spear phishing attack.(1)
But even with this growing risk, “only 5% of security pros realize that phishing is the start of 90% of successful breaches.”(2) Seventy-one percent of groups launching targeted attacks use spear-phishing as the primary vector for penetrating an organization’s network. These hostile attacks are usually perpetrated by organized crime gangs or nation-states looking for intelligence or financial rewards.(3)
What is Spear Phishing?
Spear phishing, or targeted phishing, is the fastest growing threat to individuals and organizations today. The general rule for spear phishing is that the scammer has researched and gained information specific to the victim(s), generally from public sources such as social media, newspapers and corporate websites, or even records leaked from previous data breaches. Unlike a general phishing scam, spear phishing attacks are designed to gain something specific that is of value to the attacker, like money, access to information, or data. Spear phishing can take many forms – by email, SMS text message (SMiShing) and sometimes voice (vishing). Some examples include:
- Mass email to a retailer’s customer list that was posted on the dark web (the scammer knows everyone on the list has shopped with this retailer)
- Small group email to employees of a particular company, with a document attachment like an updated Employee Handbook or a request to update forms for direct deposit, taxes or other HR issues that require sensitive personal information (scammer knows everyone works for the same company and probably knows the names, job titles and contact information for the person sending the request)
- Small group email targeting a closed Facebook group of parents with children at a particular school (scammer knows everyone is a parent with a child at the school and may know where they all live or the children’s names or ages)
- Individual text message targeting someone who overshares on social media (scammer may know where the victim lives, employer, job title, names of colleagues or family members, religious/political affiliation, hobbies and interests, etc.)
- Individual email targeting a specific HR manager or payroll specialist who works at an infiltrated company (scammer may be setting up a BEC and spear phishing to gather additional information)
Group Spear Phishing
When targeting a group, spear phishing emails and messages are usually geared toward credential theft. Since most people reuse their passwords across multiple accounts (4), scammers often try to harvest credentials in larger quantities via group phishing. Once they have a reasonably long list of current usernames and passwords, they then test the username/password combinations with other websites and services (called credential stuffing) because the odds are so high that they are likely to gain access to additional accounts. Over 60% of hacking incidents make use of stolen credentials, so clearly it’s working.(5)
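The credential-stuffing pattern described above has a recognizable shape in authentication logs: one source tries many different usernames, each only once or twice, with mostly failures, which is the opposite of a brute force that hammers a single account. The following detector, written for this article as an added example (it is not GLS code and not tied to any product), runs that heuristic over a constructed sample log. The log format, the field names and the thresholds (five distinct users inside a five-minute window, at most two tries per user) are assumptions to tune for a real environment.

```python
"""Spot credential-stuffing activity in authentication logs.

Credential stuffing replays username/password pairs harvested elsewhere,
so its shape differs from a classic brute force: one source tries MANY
distinct usernames, each only once or twice, with a high failure rate.
This detector flags sources matching that shape. Log format, field names
and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One line per attempt:
#   <ISO-8601 UTC timestamp> ip=<source> user=<name> result=<OK|FAIL>
SAMPLE_LOG = """\
2019-08-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-08-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-08-01T10:00:02Z ip=203.0.113.5 user=carol result=OK
2019-08-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-08-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-08-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-08-01T10:00:05Z ip=203.0.113.5 user=grace result=FAIL
2019-08-01T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2019-08-01T10:00:11Z ip=198.51.100.7 user=alice result=FAIL
2019-08-01T10:00:12Z ip=198.51.100.7 user=alice result=OK
2019-08-01T10:05:00Z ip=192.0.2.9 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not crash the detector
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2.0):
    """Return {ip: summary} for sources whose activity looks like stuffing.

    A source is flagged when, inside some sliding window of length `window`,
    it tried at least `min_distinct_users` different usernames with on
    average no more than `max_attempts_per_user` tries per username.
    (Brute force against a single account fails the second test.)
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if (len(users) >= min_distinct_users
                    and len(chunk) / len(users) <= max_attempts_per_user):
                # Keep the widest matching window seen for this source.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        # Accounts the stuffer actually got into: reset these first.
                        "compromised": sorted(e[2] for e in chunk if e[3]),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible credential stuffing from {ip}: {info}")
```

On the sample log, 203.0.113.5 is flagged (seven usernames in five seconds, one success against carol, who should be forced to reset), while 198.51.100.7 is not: three tries against one account is a brute-force or a forgetful user, and belongs to a different rule. The "compromised" list is the actionable output, since the real damage from stuffing is the accounts that accepted a reused password.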
Individual Spear Phishing
Individual spear-phishing messages are often even more dangerous. They are carefully crafted and sent from newly created addresses at popular consumer email domains such as Gmail or AOL.(6) These messages can arrive through the victim’s work or personal email accounts. They are most likely to target employees in finance, HR, or the C-suite, looking for usernames/passwords to corporate networks, sensitive employee information or direct financial gain.
Since these messages are sent to only one person, often without links or attachments, and from new addresses at common domains, email scanning software is unlikely to identify the risk. Because of the time and patience scammers take to gather details and mimic legitimate communication, these messages are often almost undetectable.
Lateral Spear Phishing
A newly identified type of spear phishing, lateral spear phishing makes use of compromised credentials. Using stolen credentials to access a victim’s valid email account, hackers launch phishing attacks against the victim’s contacts. Messages are sent to internal colleagues and to business and personal contacts, to collect information and make fraudulent requests. One in seven organizations has experienced a lateral phishing attack since the beginning of 2019, and 60% of victim organizations have multiple compromised accounts.(7) Since the messages originate from a valid email account at a legitimate organization, they are particularly difficult to identify, raising the risk of irreparable damage to the victimized company. It is the email equivalent of the “the call is coming from inside the house” trope in horror movies.
To learn more about emerging phishing threats, read GLS’ article Phishing Is Evolving: What You Need to Know Today.
CEO Fraud, or Business Email Compromise (BEC), is another thriving type of individual spear phishing. It accounts for the highest victim losses of all 30+ cybercrime categories tracked by the FBI, with 2018 losses totaling a hefty $1.3 billion.(8) This scam occurs when a con artist impersonates someone with authority and uses social engineering to convince a subordinate to transfer money or share private information. The authority figure might be someone in an organization’s C-suite, but it could be a mid-level manager as well. The scam may be only one message asking for one document or one change of account number. Or it could be a series of emails used to gather information from multiple people before requesting a large financial transaction that seems completely legitimate and is so well planned that it is unlikely to draw scrutiny.
To learn more about best practices for identifying and thwarting BEC attacks, read GLS’ article Fighting Back Against BEC.
Identify Spear Phishing Messages
The wide range of possibilities and the surreptitious nature of spear phishing make these messages particularly difficult to spot, which is one reason it is so successful and has become so common. The latest tactics that are wreaking havoc for businesses include:
- Expertly crafted, targeted email messages that follow business protocol, use insider terminology and sometimes even come from compromised but real email accounts
- Confident scammers who act very much like honest employees, encouraging their victims to be careful and ask questions, and who have answers for everything
- Spoofed email addresses, phone numbers and websites that are practically indistinguishable from the real ones
- Scammer-planned distractions or support tools, ready to redirect your attention or flood your inbox to cover their tracks
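A spoofed sender address is indistinguishable to the eye, but not to the mail headers. The script below is an added example written for this article, not GLS code and not part of any product: it inspects a raw message for a From domain that is a near-miss of the organization’s own domain (digit-for-letter swaps, “rn” for “m”, one or two edited characters), a Return-Path or Reply-To domain that does not line up with the From domain, and SPF/DKIM/DMARC failures recorded by the receiving server in the Authentication-Results header. The organization domain, the two messages, the homoglyph table and the edit-distance threshold are constructed assumptions.

```python
"""Flag spoofed or look-alike sender addresses in a raw email message.

Added example: checks header fields a defender can inspect without trusting
the display name. Domains, messages and thresholds are constructed.
"""
import email
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

# Characters routinely swapped for visually similar ones in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Collapse common look-alike substitutions so 'examp1e' == 'example'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance; a small value against an org domain means a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lowercase domain of the address in a header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Extract {'spf': 'pass', 'dkim': 'none', ...} from Authentication-Results."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)}


def analyse(raw_message, org_domains=ORG_DOMAINS, max_distance=2):
    """Return a list of finding codes; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []

    if from_dom and from_dom not in org_domains:
        for org in org_domains:
            if normalize(from_dom) == normalize(org) or levenshtein(from_dom, org) <= max_distance:
                findings.append("lookalike-domain")
                break

    auth = parse_auth_results(msg["Authentication-Results"])
    if auth.get("dmarc") == "fail" or auth.get("spf") == "fail":
        findings.append("auth-fail")

    return_path_dom = domain_of(msg["Return-Path"])
    if return_path_dom and return_path_dom != from_dom:
        findings.append("return-path-mismatch")  # envelope sender not aligned with From

    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")  # replies silently go elsewhere

    return findings


# Constructed messages (not real mail). The first imitates an internal executive.
SUSPECT = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examp1e.com
From: "Jane Doe (CFO)" <jane.doe@examp1e.com>
Reply-To: <jane.doe.cfo@webmail.example.org>
To: accounts@example.com
Subject: Quick question before 5pm

Do you have a minute today?
"""

LEGITIMATE = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoice question

Can you call me when you have a minute?
"""

if __name__ == "__main__":
    print("suspect:", analyse(SUSPECT))
    print("legitimate:", analyse(LEGITIMATE))
```

The first message trips all four checks; the second, from the real domain with aligned envelope and passing DMARC, trips none. Note that the check only trusts an Authentication-Results header written by your own receiving server (the “mx.example.com” authserv-id here); a header of that name arriving from outside should be stripped at the border, otherwise it can be forged like any other.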
Protect Against Spear Phishing
Although spear phishing is difficult to catch, it’s not impossible. Stacking prevention measures so they work together is the best way to avoid a single point of failure. Changing policies, purchasing technological solutions and training users all work together to reduce the likelihood of becoming a victim. Some phishing prevention best practices to keep your organization safe include:
- Implementing a robust security awareness training program that includes details about recognizing and reporting spear phishing emails.
  - Since phishing is ultimately about social engineering, your staff are your biggest risk point. Training them to recognize and resist spear phishing is one of the best ways to protect an organization.
  - Use a phishing test program with a spear phishing option so employees get practice in recognizing risky messages.
- Creating and enforcing policies that require multiple approvals or verbal confirmation of requests.
  - If regular protocol includes specific points at which requests are inspected for legitimacy, there is a higher chance a fraudulent request will be caught by an organization’s standard procedures.
  - Another safeguard is a specific protocol for urgent matters, so that urgency alone cannot be used to bypass the normal checks.
- Using technology to your advantage.
  - Implement a multi-factor authentication requirement. A second factor improves the chances of stopping hackers who try to access a system with stolen credentials.
  - Invest in an artificial intelligence (AI) detection system. A quality AI detection system can learn an organization’s unique patterns, allowing it to identify and quarantine messages that don’t match. It is a promising way to try to get a step ahead of these cybercriminals.
- Encouraging human interaction. Relying too heavily on technology for communication leaves us at the mercy of imposters who have manipulated the system to turn our tools of convenience against us.
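Two points above, lateral spear phishing and a detection system that “learns an organization’s unique patterns”, come together in one concrete control: a per-sender behavioral baseline. Mail from a compromised internal mailbox passes sender reputation and SPF/DKIM/DMARC, so what gives it away is that the account suddenly behaves differently, typically by writing to far more recipients than it ever has. The following script is an added example written for this article (not GLS code, and a deliberately simple statistical model rather than any vendor’s AI): it learns each sender’s normal daily recipient count from a constructed mail log and flags a day that breaks that baseline, reporting whether the burst also reached external domains or carried links. The log, the organization domain and the thresholds (mean plus three standard deviations, or twice the historical maximum, whichever is larger) are assumptions.

```python
"""Per-sender fan-out baseline for spotting lateral phishing from a
compromised internal account.

Added example. Lateral phishing arrives from a genuine internal mailbox, so
reputation and authentication checks pass; what changes is the account's
behaviour. This learns each sender's normal daily recipient count from a
mail log and flags a day that breaks that baseline. The log records,
organisation domain and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

ORG_DOMAIN = "example.com"  # assumption: the organisation's own domain


def build_records():
    """Constructed mail log: one dict per (sender, recipient) delivery."""
    records = []
    for day in range(1, 15):
        d = f"2019-07-{day:02d}"
        # alice: a typical user, 2-3 internal recipients a day, no links.
        for r in ("bob", "carol", "dave")[: 2 + day % 2]:
            records.append({"day": d, "from": "alice@example.com",
                            "to": f"{r}@example.com", "has_link": False})
        # hr: a bulk mailbox; 10 recipients a day with links is normal for it.
        for i in range(10):
            records.append({"day": d, "from": "hr@example.com",
                            "to": f"user{i}@example.com", "has_link": True})
    d = "2019-07-15"  # the day under evaluation
    for i in range(8):  # alice's account suddenly writes to many colleagues...
        records.append({"day": d, "from": "alice@example.com",
                        "to": f"user{i}@example.com", "has_link": True})
    for i in range(4):  # ...and to external business contacts, with a link.
        records.append({"day": d, "from": "alice@example.com",
                        "to": f"partner{i}@supplier.example.net", "has_link": True})
    for i in range(11):  # hr sends one more than usual: within its own normal.
        records.append({"day": d, "from": "hr@example.com",
                        "to": f"user{i}@example.com", "has_link": True})
    return records


def daily_recipients(records):
    """Group deliveries as {sender: {day: set(recipients)}}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        out[r["from"]][r["day"]].add(r["to"])
    return out


def build_baseline(records, baseline_days):
    """Per-sender statistics of distinct recipients per day over the baseline period."""
    fan = daily_recipients(r for r in records if r["day"] in baseline_days)
    baseline = {}
    for sender, days in fan.items():
        counts = [len(rcpts) for rcpts in days.values()]
        baseline[sender] = {"mean": mean(counts), "sd": pstdev(counts), "max": max(counts)}
    return baseline


def detect_fanout(records, baseline, day, sigma=3.0, max_ratio=2.0):
    """Flag senders whose recipient count on `day` exceeds their own baseline.

    The threshold is the larger of mean + sigma*sd and max_ratio*max, so a
    steady bulk sender (sd = 0) is not flagged for one extra recipient.
    """
    findings = {}
    fan = daily_recipients(r for r in records if r["day"] == day)
    for sender, days in fan.items():
        stats = baseline.get(sender)
        if stats is None:
            continue  # no history yet; new senders need a separate rule
        rcpts = days[day]
        threshold = max(stats["mean"] + sigma * stats["sd"], max_ratio * stats["max"])
        if len(rcpts) > threshold:
            external = sorted(r for r in rcpts if not r.endswith("@" + ORG_DOMAIN))
            has_link = any(r["has_link"] for r in records
                           if r["from"] == sender and r["day"] == day)
            findings[sender] = {"recipients": len(rcpts), "threshold": threshold,
                                "external": external, "has_link": has_link}
    return findings


if __name__ == "__main__":
    recs = build_records()
    history = {f"2019-07-{d:02d}" for d in range(1, 15)}
    for sender, info in detect_fanout(recs, build_baseline(recs, history), "2019-07-15").items():
        print(f"ALERT unusual fan-out from {sender}: {info}")
```

The point of the per-sender baseline is that alice (12 recipients against a normal 2 to 3, four of them at a supplier, all with a link) is flagged while the HR mailbox sending to 11 instead of 10 is not; a single global threshold would either miss alice or page on HR every day. An alert like this is a trigger to confirm with the account owner out of band and to check for recent credential misuse, not proof on its own.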
What Can You Do?
Learn more about organizational security and how GLS’s Anti-Phishing Simulation Tool can help.
Employee awareness is critical to stop spear phishing. As part of our Human Firewall 2.0 security awareness program, Global Learning Systems offers a wide array of courses that help employees recognize spear phishing tactics:
- Avoiding Spear Phishing Threats – Module
- Social Engineering in Social Networks – Video
- Advanced Phishing/Ransomware Block
- Phishing Is Evolving. What You Need to Know Today
- Fighting Back Against CEO Fraud
- Apple Support Scam Exemplifies Modern Social Engineering
- I Received A Bitcoin Ransom Email (and I Am Glad I Did)
- Cyber Related Fraud – SEC Cracks Down on Internal Controls That Don’t Address Phishing
- I Will Never Be the Victim of a Phishing Scam. Or So I Thought
1 Mimecast. (2019, May). The State of Email Security 2019. Retrieved from https://www.mimecast.com/the-state-of-email-security-2019/?utm_source=blog&utm_medium=website&utm_campaign=7011N000001V1mKQAS
2 SlashNext. (2018, September). Phishing in the Dark Survey Report. Retrieved from https://www.slashnext.com/slashnext-2018-phishing-survey/
3 Symantec Corporation. (2018). Internet Security Threat Report, Vol. 23. Retrieved from https://www.symantec.com/security-center/threat-report
4 Ponemon Institute. (2019, January). The 2019 State of Password and Authentication Security Behaviors Report. Retrieved from https://www.yubico.com/authentication-report/
5 Verizon Communications. (2019). 2019 Data Breach Investigations Report. Retrieved from https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
6 Barracuda Networks. (2019, March). Spear Phishing: Top Threats and Trends. Retrieved from https://www.barracuda.com/spear-phishing-report
7 Cidon, Asaf. (2019, July 18). Threat Spotlight: Lateral Phishing. Barracuda Networks Blog. Retrieved from https://blog.barracuda.com/2019/07/18/threat-spotlight-lateral-phishing/
8 FBI Internet Crime Complaint Center. (2018). 2018 Internet Crime Report. Retrieved from https://pdf.ic3.gov/2018_IC3Report.pdf