Phishing Deep Dive: Spear Phishing

Spear phishing and classic phishing are not one and the same. Discover how spear phishing emails differ from their classic counterparts and how to protect your company from spear phishing scams.

Spear phishing and classic phishing email attacks are not one and the same. From a bird’s eye view, they look remarkably similar. That’s because in both types of scams, cybercriminals masquerade as a reputable person or a legitimate organization in order to dupe the email recipients into providing sensitive information (e.g., account numbers, login credentials) that will ultimately be used to steal money or data.

However, a closer look reveals some important differences. For starters, hackers send significantly fewer emails in a spear phishing scam because the emails are customized. Instead of sending a generic email to the masses, the cybercriminals target specific individuals and personalize the emails sent to them. The emails typically include the target’s name and present the call for action (i.e., the action they want the person to take) in a context that makes sense to the recipient. Because these scams take more time and effort to carry out, companies are typically targeted, as they often have deeper pockets than individuals.

Table 1 highlights how spear phishing emails differ from classic phishing emails.

Table 1. Comparison of Classic Phishing and Spear Phishing Emails

| Characteristic | Classic Phishing Emails | Spear Phishing Emails |
|---|---|---|
| Target | Individuals and businesses | Businesses |
| Distribution size | An extremely large number of people | A small number of people |
| Personalization | None | Moderately personalized |
| Greeting | No greeting, a generic greeting, or the recipient’s email address | The email recipient’s name |
| Tone of message | Urgent tone | Softer, more professional tone |
| Desired action | Click a link or open an email attachment | Click a link or open an email attachment |
| Context in which the call for action is presented | One-size-fits-all context that might not make sense to some recipients | Context is personalized and makes sense to each recipient |
| Has a deceptive sender email address | Sometimes | Often |
| Includes misleading links | Often | Often |
| Has a weaponized email attachment | Sometimes | Sometimes |


How Hackers Personalize Their Emails

Hackers use a variety of techniques to get the information they need to personalize the spear phishing email. After they select a company to attack, they might do some or all of the following:

  • Visit the company’s website to learn about the company’s operations and to obtain employees’ names, titles, and email addresses.
  • Visit social media sites like LinkedIn and Facebook to obtain information about the company and its employees.
  • Perform Internet searches to learn the industry lingo and become familiar with common processes used in the industry. Cybercriminals also might perform searches to learn more about the employees who will be receiving their spear phishing emails.
  • Send out classic phishing emails to all employees at the company. The emails might request details about the business or a certain employee. Or the emails might install malware designed to obtain some data needed to carry out the spear phishing attack.
  • Call the company to get specific information (e.g., a job title or email address) the hackers haven’t been able to attain elsewhere.

After the hackers have the information they need, they create the spear phishing email. They try to get it to look like a legitimate email from the person or organization they are masquerading as. That way, the email’s legitimacy is less likely to be questioned.


How to Protect Your Business from Spear Phishing Attacks

To protect your business from spear phishing attacks, you can use a two-pronged strategy. First, you should try to prevent spear phishing emails from reaching your employees by keeping your company’s email filtering and security software up-to-date. You might even want to consider getting an email security solution designed to catch spear phishing and other types of malicious emails. In addition, you should make sure that potentially sensitive information (e.g., employee email addresses) is not publicly available.

Second, you need to educate employees about spear phishing emails. Because spear phishing emails are personalized, they are more difficult — but not impossible — to spot. Show employees how to check for deceptive sender email addresses and misleading links, as they are often found in spear phishing emails. And be sure to warn employees about the risks associated with opening email attachments, as they might be weaponized.

If you would like more recommendations on how to protect your business from spear phishing and other email-based attacks, contact us.


Phishing flickr photo by EpicTop10.com shared under a Creative Commons (BY) license