Phishing has become a greater hazard to individuals and businesses each year. According to a 2019 Verizon report, 90% of confirmed spear-phishing email attacks occurred in environments that used Secure Email Gateways (SEGs), so never take the danger for granted.
Most phishing messages are delivered by email and are not personalized or targeted to a specific individual or company. Be aware, though, that the purpose of a phisher’s first spear-phishing emails is often reconnaissance. The attacker wants to gain information about the target network, its systems, and target individuals. The type of reconnaissance varies, but it can include determining the mail system and its defenses. Often, surveillance is as simple as finding out whether, when, and how quickly the emails are opened. A diligent cyber-criminal who penetrates a target incrementally can use this simple information to run a more successful campaign.
What is traditional phishing vs. spear phishing?
Traditional phishing messages initially appear as simply “bulk mail” or spam. The content of the messages may vary widely depending on the attacker’s ultimate goal for each of their campaigns. Attackers conducting phishing may get users to click on a link to a website or perform a download. These activities could be the extent of the phish, serving simply as a jumping-off point to conduct other future cyber attacks. The end goal could be a few steps beyond and culminate with the theft of sensitive data or personal information. Armed with more and more information, the attacker could pivot and use the information they have gathered to spear-phish a more critical target within the organization.
Phishing and spear phishing attacks
Let’s back up a little bit and start with a little more background. Traditional or spam phishing is simply a broad net thrown by the attacker to catch any unsuspecting person. Most phishing attacks fall into this category. Spam is the electronic equivalent of the “junk mail” that arrives on your doormat or in your postbox, but it can be more than just annoying: it is dangerous when it is part of a phishing scam.
Typical impersonation lures in these early phishing and spear-phishing emails include internet service providers, banks and financial services, email and cloud productivity providers, streaming services, and industry associations: anything that gets engagement from the target.
Phishing spam messages are sent out in mass quantities by spammers and cybercriminals seeking to do one or more of the following:
- Make money from recipients who respond to the call to action.
- Obtain personal information, including passwords, a spouse’s name, credit card numbers, bank account information, etc.
- Spread malicious code onto recipients’ computers by having them click on a link.
Traditional phishing is one of the more popular means scammers use to get your information. Be aware, however, that some cyber-attacks are more targeted than others and prey on specific unsuspecting victims.
What are snowshoe attacks?
One type of spam attack that hides phishing is the snowshoe campaign. When snowshoeing, the attackers send messages over multiple domains and IP addresses. Each IP address, often a bot, sends a low volume of email, so reputation- or volume-based spam filtering technologies cannot recognize and block the malicious messages immediately. In a snowshoe attack, some messages will likely reach the target’s inbox before the filters learn to block them. A snowshoe campaign is sustained over time rather than being a hit-and-run campaign.
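As an added illustration of the detection problem just described (not code from the original article), the following Python sketch correlates constructed gateway records across sender IPs: each source stays below a per-IP reputation threshold, but grouping messages by subject template and landing domain surfaces the campaign. The record layout, thresholds, and all addresses and domains are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of simplified gateway records: (sender_ip, sender_domain, subject, landing_domain).
# Four lookalike senders each deliver one lure pointing at the same landing site, while a
# legitimate newsletter sends five messages from a single IP. All values are invented.
SAMPLE_LOG = [
    ("203.0.113.10", "invoice-alert.example", "Invoice #4821 overdue", "pay-portal.example"),
    ("203.0.113.44", "billing-notice.example", "Invoice #9930 overdue", "pay-portal.example"),
    ("198.51.100.7", "acct-services.example", "Invoice #1177 overdue", "pay-portal.example"),
    ("198.51.100.88", "finance-desk.example", "Invoice #5502 overdue", "pay-portal.example"),
    ("192.0.2.5", "news.example", "Weekly digest 12", "news.example"),
    ("192.0.2.5", "news.example", "Weekly digest 13", "news.example"),
    ("192.0.2.5", "news.example", "Weekly digest 14", "news.example"),
    ("192.0.2.5", "news.example", "Weekly digest 15", "news.example"),
    ("192.0.2.5", "news.example", "Weekly digest 16", "news.example"),
]

def normalise_subject(subject):
    """Collapse per-message variation (invoice numbers, dates) into a subject template."""
    return re.sub(r"\d+", "N", subject.lower()).strip()

def find_snowshoe_campaigns(records, min_sources=3, per_source_cap=2):
    """Group messages by (subject template, landing domain) and flag clusters spread thinly
    over many sender IPs. Each source stays at or below per_source_cap, so per-IP reputation
    never trips; only the cross-source correlation reveals the campaign."""
    clusters = defaultdict(lambda: {"ips": defaultdict(int), "domains": set()})
    for ip, sender_domain, subject, landing in records:
        key = (normalise_subject(subject), landing)
        clusters[key]["ips"][ip] += 1
        clusters[key]["domains"].add(sender_domain)
    flagged = []
    for (template, landing), data in clusters.items():
        per_ip = data["ips"]
        if len(per_ip) >= min_sources and max(per_ip.values()) <= per_source_cap:
            flagged.append({
                "subject_template": template,
                "landing_domain": landing,
                "source_ips": sorted(per_ip),
                "sender_domains": sorted(data["domains"]),
                "messages": sum(per_ip.values()),
            })
    return flagged

if __name__ == "__main__":
    for campaign in find_snowshoe_campaigns(SAMPLE_LOG):
        print(campaign)
```

The single-IP newsletter is never flagged because a reputation filter already sees its whole volume; the invoice lure is flagged only once the four one-message sources are viewed together.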
Regardless of whether the phishing campaign is untargeted and conducted en masse, or targeted as in spear phishing, the effect on the unsuspecting user can be equally devastating and upsetting.
What is a spear phishing attack?
So, now that we have a better foundation, let’s get back to the core subject of this article, “spear phishing,” and discuss how spear phishing attacks differ from standard phishing attacks.
While regular phishing attacks can come from any source, spear phishing can involve sending an email from a person or organization already known to, and often trusted by, the target. Sometimes reconnaissance arrives as a seemingly legitimate request for help or a sales request. Once the person responds, the phisher can study how the person writes and copy the person’s email signature. Attackers simply leverage a few essential principles to make a convincing spoofing attempt.
So, unlike mass phishing attacks that simply send random emails to a large group of people, spear-phishing attacks limit their focus to highly targeted groups or even individuals. These attacks are not random and involve meticulous planning by scammers, typically through social engineering techniques: identifying targets, sometimes researching them through social media, and preparing compelling messages that solicit action.
Most traditional phishing attacks cast a wide net; spear-phishing attempts are highly targeted, well-researched attacks generally focused on a specific business or group of people. Spear phishing also often attacks particular individuals and fraudulently seeks sensitive information such as financial details, personal information, trade secrets, or military secrets.
Spear phishing emails are often highly sophisticated and are designed to pass an email filter’s front-end tests by having rDNS, SPF and DKIM properly configured. These messages are also rarely sent from blocklisted IP addresses; they come from servers that pass DNSRBL checks. Sometimes these campaigns also use phone calls or text messages to reinforce the email component. Using more than one channel of communication makes them appear more credible.
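As an added example (not code from the article), the following Python check treats SPF and DKIM passes only as proof of which domain sent the mail and then decides trust from that domain: it checks From-domain alignment and flags near-miss lookalikes of a trusted partner domain even when authentication passes. The Authentication-Results format used here, the trusted list, and the message itself are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass for a domain the attacker controls, while the
# From address imitates a real partner. The trusted list and all names are invented.
TRUSTED_DOMAINS = {"acmecorp.example"}
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme-corp.example; dkim=pass header.d=acme-corp.example
From: "Jane Doe (CFO)" <jane.doe@acme-corp.example>
Subject: Urgent wire transfer before 5pm

Please process the attached wire today."""

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_auth_results(header):
    """Pull (result, domain) for spf and dkim out of an Authentication-Results header."""
    out = {}
    for mech, attr in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        m = re.search(mech + r"=(\w+)\s+" + attr + r"=([\w.-]+)", header or "")
        if m:
            out[mech] = (m.group(1).lower(), m.group(2).lower())
    return out

def assess_sender(raw_message, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Treat SPF/DKIM passes as identity proof only; decide trust from the domain itself."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    passing = {d for r, d in auth.values() if r == "pass"}
    # Aligned: the authenticated domain is the From domain or one of its parents.
    aligned = any(from_domain == d or from_domain.endswith("." + d) for d in passing)
    if from_domain in trusted:
        verdict = "trusted-aligned" if aligned else "spoofed-trusted-domain"
    else:
        bare = re.sub(r"[-\d]", "", from_domain)  # hyphens/digits are cheap lookalike tricks
        near = [t for t in trusted if edit_distance(bare, t) <= max_distance]
        unknown = "authenticated-unknown" if aligned else "unauthenticated-unknown"
        verdict = "lookalike-of:" + near[0] if near else unknown
    return {"from_domain": from_domain, "aligned": aligned, "verdict": verdict}
```

A "lookalike-of" verdict on a fully authenticated message is exactly the case the paragraph describes: the sender infrastructure is clean, so the decision has to rest on who the domain claims to be.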
The phish, impersonating a person or organization the user knows, then asks the user to provide account information, make a payment, or take some other action. The problem is that this approach is effective, as you rarely suspect a trusted contact or a company you have worked with before of being an attacker in disguise. For this reason, these types of cyberattacks are often successful.
When this happens to a business, often involving high-level executive and CEO accounts, the phish is referred to as Business Email Compromise. Once attackers have gained access to employee accounts and completed a data breach, they can do all sorts of damage, such as asking other employees for account information or for a payment.
Cyber criminals therefore like to target critical individuals in finance and accounting departments via business email compromise (BEC) scams and CEO email fraud. Their end goal is to trick victims into initiating money transfers into unauthorized accounts by impersonating financial officers and CEOs, or to carry out data breaches.
Impersonation or Pretexting Phish
An impersonation phish is also known as a “pretexting phish,” because there is a pretext, or reason, for a communication from an authority figure or someone the employee or customer readily trusts. An example of a pretext phishing attempt is one that uses an email address familiar to the victim, such as the CEO (CEO Fraud), the Human Resources Manager, or the IT support department. The phishing email urgently asks the victim to act: transfer funds, update employee details, or install a new app on their computer. This type of phishing attack is often aimed at users of a specific system, asking them to update their software.
In pretexting, attackers typically compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear-phishing email attack. When the attacker conducts an attack like this, typically, they will lurk and monitor the executive’s email activity for a period to learn about processes and procedures within the company. Once enough information has been gathered, the actual attacker will create a fake email that looks like it has come from the compromised executive’s account being sent to a regular recipient. The email appears essential and urgent and requests the recipient to wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
According to the Anti-Phishing Working Group’s Phishing Activity Trends Report for Q2 2020, “The average wire transfer loss from Business Email Compromise (BEC) attacks is increasing: The average wire transfer attempt in the second quarter of 2020 was $80,183.”
What is a whaling phishing attack?
As mentioned, spear phishing is a highly targeted, well-researched attack generally focused on a group of individuals. When a phisher goes after a big one, it’s called “whaling.”
Whaling is a bit different in that its specific target is a business executive, public persona, or another lucrative target. Whaling is a phishing attack where the victim is considered high-value, so the stolen information will be even more valuable and contain far more sensitive data than what a regular employee could offer. For example, in whaling, the cybercriminal understands that the account credentials of a CEO will open doors to more types of information than those of an entry-level employee.
In the end, whaling requires additional research because the attacker needs to know who the intended victim communicates with and the type of discussions they have. The types of information they might be seeking include customer or business issues, legal subpoenas, or even a problem in the executive suite. Typically, whaling attacks are well researched, with attackers starting with social engineering to gather information about the victim and the company before crafting the phishing messages used throughout the attack. Whaling attacks are also rarely one-off; they are consistent, sustained campaigns against high-value targets.
How do we prevent phishing?
Since phishing is alive and no one solution catches everything, what should we do?
- The first step is straightforward and involves simply making sure your email filtering is diverse and robust. If you use one type of filtering, the bad actors learn to thread that needle. Having many needles for them to thread makes it far more challenging to get through. Take a look at my earlier article titled “The more filters, the better!” and determine what steps you are taking already and what steps you are missing. Also, don’t believe that one email security source is a silver bullet. Even Office 365 is vulnerable, mainly because executives within companies that use the platform are regularly targeted. So remember: one vendor might not identify a specific threat while another will.
- Separately, remember that a critical component of robust cybersecurity is the human element: the ability of your users to consistently detect and avoid phishing and spear-phishing attempts that land in the inbox. Ultimately, the organizations that fight phishing successfully do it by training their employees, as part of security awareness training, to fully understand the different types of phishing emails and to recognize the warning signs, so they can be on the lookout for each scenario.
Given their highly personalized nature, spear-phishing attacks are far more difficult to prevent than common traditional phishing scams. No fixed script can be followed to avoid spear phishing, but ensuring diversity in your filtering layers and following best-practice awareness training always helps. Remember, phishing isn’t going anywhere soon: as long as people send email and use social networks for communication, spear phishing will be a weapon of choice for cybercrime.
The critical thing to remember about phishing, particularly spear phishing, is that the email is the social engineering aspect of the attack. The phisher chose a specific target and wants that target to take action; the target was not chosen at random. The action the attacker wants taken rests on one of two premises: it is expected as part of the target’s job function, or the target is motivated to act by the urgency of the message’s context.
For spear phishing to work, the message needs to be crafted to imitate someone already known to the target personally or professionally. In addition, the message content must be timely, logical, and contextual.