What is Spear Phishing?
Spear phishing is a personalized phishing attack that targets a specific organization or individual. These attacks are carefully designed to elicit a specific response from a specific target. Attackers invest time in researching their targets and their organizations to craft a personalized message, often impersonating a trusted entity. All this makes the message look trustworthy to the recipient.
To increase success rates, these attacks often convey a sense of urgency to get their victims to react. They may be asked to wire money right away, to open malicious attachments, or to click on a link that takes them to a phishing site that requires them to provide login credentials or other sensitive data.
The data gathered can be used to access existing business or personal accounts with fraudulent intent.
Types of Spear Phishing Attacks
- Business Email Compromise (BEC): This is also known as CEO fraud, whaling, and wire transfer fraud. In a BEC attack, criminals impersonate an employee, usually an executive or manager, within the organization. Using convincing details and giving plausible reasons, they instruct their targets — who are often employees with access to company finances or personal information — to wire money or to send sensitive data such as financial information about customers, employees, or partners. These attacks utilize social engineering and compromised accounts, and they typically include no malicious attachments or links.
- Impersonation: This includes a large number of spear-phishing attacks that impersonate a trusted entity such as a well-known company or a commonly used business app such as Office 365, Gmail, or DocuSign. They may also impersonate a trusted colleague or business partner. These attacks typically try to get recipients to give up account credentials or click on malicious links. For example, you might receive an email claiming your account has been frozen and giving you a link to reset your password. If you click, you’ll go to a fake portal and enter your credentials — and now the crooks have unfettered access to your account. They can use that access to steal confidential data, conduct financial fraud using your account, or launch a more targeted attack within your organization.
What Are The Goals of Spear Phishing Attacks?
The most common goals of spear-phishing attacks include:
- Requesting a wire transfer
- Requesting sensitive or proprietary information
- Spreading malware or ransomware
- Stealing account login credentials
- Taking over corporate accounts
Why Are Spear Phishing Attacks Difficult to Detect?
How to Prevent Spear Phishing
Effective protection against spear-phishing attacks requires new approaches. You need to deploy new technology purpose-built to protect against spear phishing, along with advanced user-training programs to continuously improve security awareness across your organization.
- Technology: Anti-phishing solutions use alternative methods to spot and block spear-phishing attempts. One approach shown to be effective uses machine learning to analyze normal communication patterns within your organization. This allows the solution to spot anomalies that may indicate an attack. You should choose a solution that, at a minimum, includes:
  - Anti-spoofing functionality to help detect impersonation attempts
  - Account-takeover protection to block attacks from compromised accounts
  - Social-engineering attack prevention to detect anomalies in email headers, senders, or body that indicate malicious intent
- Security Awareness: Many organizations employ homegrown or low-tech security awareness training to make staff better able to spot and report phishy emails. However, today’s advanced computer-based training programs are dramatically more effective. The best, most effective programs include:
  - Phishing simulation to evaluate and identify users who are more vulnerable to socially engineered attacks
  - Security training to proactively detect and report phishing attacks, lowering the risk of future attacks
  - Multi-vector simulation training that includes email, SMS, voicemail, and portable media
  - Reporting and insight to detect trends and patterns and assess the effectiveness of security awareness training
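As an added illustration of the header, sender and body anomaly checks described under Technology above (this is example code written for this page, not any vendor's product), the following Python checks one message against a constructed baseline: the organization's domain, the executives a BEC lure would impersonate, and the peer domains the mailbox normally talks to are all assumed values. A real solution learns that baseline from traffic rather than hard-coding it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed (assumed) environment: org domain, impersonable executives, usual peer domains.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
KNOWN_DOMAINS = {"example.com", "partner.example.org"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
REQUEST = re.compile(r"\b(wire|transfer|payment|password|credentials|login)\b", re.I)

# Constructed sample lure: executive's display name on a lookalike domain,
# replies redirected elsewhere, urgent request for a wire transfer.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.test
To: accounts@example.com
Subject: Urgent wire

Please process this wire transfer immediately, I am in a meeting.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spear_phish_indicators(raw: str) -> list[str]:
    """Return the names of the impersonation/anomaly indicators found in one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        hits.append("display-name-impersonation")  # known name, wrong address
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        hits.append("lookalike-domain")  # e.g. examp1e.com vs example.com
    if reply_domain and reply_domain != from_domain:
        hits.append("reply-to-mismatch")  # replies silently go to another domain
    if from_domain not in KNOWN_DOMAINS:
        hits.append("unknown-sender-domain")  # outside the learned baseline
    if URGENCY.search(body) and REQUEST.search(body):
        hits.append("urgent-request")  # urgency combined with a money/credential ask
    return hits
```

Each indicator on its own is weak (a new partner is also an unknown domain), which is why such systems score the combination against the learned baseline rather than blocking on any single match.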