Table of Contents:
Social Engineering in the 21st Century
Famous Examples of Spear Phishing
Three Tips to Defend Against Spear Phishing
What is Spear Phishing?
Spear phishing is a specific type of social engineering attack in which the attacker sends a fraudulent message to deceive a specific victim into performing a certain action.
The malicious message is built around this social engineering tactic: it contains information of interest to the target and, typically, an attachment.
Social Engineering in the 21st Century
Social engineering is the psychological manipulation of users into performing actions or giving up information that can be used to compromise a system, account or business. Social engineering has become one of the most reliable strategies for cybercriminals. In the 21st century, we have some of the most well-designed security solutions. Next-generation firewalls, IDS/IPS and other technical controls make it very difficult for hackers to bypass them if they are properly configured. Rather than trying to outsmart the technology, many hackers simply switch to targeting the human end users of a business. End users, by comparison, are much easier to trick and manipulate than technology-based solutions. This has led to the current state of affairs, where it's estimated that social engineering is responsible for as much as 90% of all data breaches.
Dangers of Spear Phishing
Because of its method and communication style, spear phishing usually leads the victim to carry out the steps the attacker needs, such as opening the attachment. After that, the attackers perform actions that cause data or financial loss. Spear phishing uses several different tactics to achieve these goals:
1) Creating a sense of urgency: Many phishing emails will allude to a deadline or time limit within which the recipient needs to perform a certain action, or else they will incur a penalty. For example, you may get an email saying that you won a random drawing worth $10,000, and you have three days to reply to that email with your bank account information and social security number to claim that prize. By adding this time pressure, the attackers hope to make people emotional and rush them into acting without thinking.
2) Imitating authority: Another tactic cybercriminals use is imitating authority. They may email an employee while pretending to be their boss or a higher-up within the company. This makes the recipient less likely to refuse because they think the request is coming from someone with authority within the company, and they are afraid of the potential consequences of refusing the request.
3) Mimicking appearances: Many phishing emails will be designed to look like a legitimate business to increase the chances of the recipient believing that the email is real. This is extremely effective because most people receive so many emails a day that they only glance at the email before deciding whether it is suspicious.
All of the above elements make phishing emails more believable to the average employee, but not all phishing emails are equal in their deceptiveness. Spear phishing is a specific type of phishing email where the attacker researches the target individual and crafts a specific type of message that will convince that individual. For example, let's say an employee has a social media account that shows that they are a fan of American football. A hacker might use that information to craft a special phishing email claiming they won tickets to their favourite team's next game. Since this information is personalized to the person, there is a much higher chance that the person will fall for that trick, which makes spear phishing so effective.
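The three cues above (urgency, imitated authority, and mimicked appearance) are exactly what a defender can look for in an inbound message. The following is an added example written for this page, not code from the original article or from Sealit: a small heuristic scorer that checks a message for urgency language, for a display name that matches a known executive but comes from the wrong address, for a sender domain that merely resembles the organisation's own, and for a Reply-To that redirects answers elsewhere. The internal domain `example.com`, the executive directory, the keyword list and the two sample messages are all constructed assumptions.

```python
"""Heuristic scorer for the spear-phishing cues discussed above.

Added example, not the page's own code. Assumptions (constructed):
- the organisation's mail domain is example.com;
- EXECUTIVES is a tiny directory of people attackers might impersonate;
- a message is a dict with 'from', optional 'reply_to', 'subject' and 'body'.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed directory (lower-case names)

# Phrases that create time pressure (cue 1). Deliberately short; tune for your mail flow.
URGENCY_PATTERNS = [
    r"\bwithin (?:24|48) hours\b",
    r"\bimmediately\b",
    r"\burgent\b",
    r"\bdeadline\b",
    r"\bbefore (?:the )?end of (?:the )?day\b",
    r"\byour account will be (?:closed|suspended)\b",
    r"\bact now\b",
]


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_domain(domain, reference=OUR_DOMAIN):
    """True when `domain` is not `reference` but is visually close to it.

    Catches typo-squats such as examp1e.com and prefix tricks such as
    example.com.mail-relay.net (cue 3: mimicking appearance).
    """
    if domain == reference:
        return False
    if reference in domain:
        return True
    return SequenceMatcher(None, domain, reference).ratio() >= 0.8


def score_message(msg):
    """Return (score, reasons): one point per cue that fires."""
    reasons = []
    name, addr = parseaddr(msg.get("from", ""))
    name, addr = name.lower(), addr.lower()
    sender_domain = domain_of(addr)
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()

    # Cue 1: urgency language in subject or body.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append(f"urgency language ({len(hits)} cue(s))")

    # Cue 2: imitating authority, i.e. an executive's display name on a foreign address.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' does not match the directory address")

    # Cue 3: mimicking appearance via a lookalike domain or a diverted Reply-To.
    if sender_domain and lookalike_domain(sender_domain):
        reasons.append(f"sender domain '{sender_domain}' resembles {OUR_DOMAIN}")
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append("Reply-To domain differs from From domain")

    return len(reasons), reasons


# Constructed sample messages for demonstration.
SAMPLES = {
    "spear": {
        "from": 'Jane Doe <jane.doe@examp1e.com>',
        "reply_to": "ceo-office@mail-relay.net",
        "subject": "Urgent wire transfer",
        "body": "Please process the attached invoice immediately; the vendor deadline is within 24 hours.",
    },
    "benign": {
        "from": "Jane Doe <jane.doe@example.com>",
        "subject": "Team lunch",
        "body": "Lunch is at noon on Friday, see the attached menu.",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        score, reasons = score_message(sample)
        print(f"{label}: score={score}", *reasons, sep="\n  ")
```

Each reason is reported separately so that an analyst sees which cue fired; a score of two or more from independent cues is usually worth a second look, while a single urgency hit on its own produces too many false positives to act on. Checks like these belong alongside, not instead of, sender authentication on the mail gateway.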
How does Spear Phishing Work?
The hacker's research into their specific target makes spear phishing different from regular phishing attacks. In a normal phishing attack, the hacker will create a generalized message and send it out to a large group of people hoping to trick as many people as possible. In a spear phishing attack, hackers will use open-source intelligence sources like social media, LinkedIn, company directories, job postings and other sources of information to gather as much information as possible about the target. Then they will create a personalized message that will be sent to one person or, at most, a few people within the organization. While the scale of targets is much smaller for a spear phishing campaign, the success rate will typically be much higher.
Famous Examples of Spear Phishing
Ubiquiti Networks: This company was hit with a spear phishing attack that cost them $46.7 million due to an "employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department." This resulted in the transfer of money to overseas accounts that the attackers held.
Crelan Bank: An attacker was able to spoof (copy) the email account of the company's CEO and emailed an employee asking them to transfer funds into an account controlled by the attacker. This incident resulted in damages of over €75.6 million.
Charles Harvey Eccleston: He was a former employee of the Energy Department of the US government, and he was accused of sending spear-phishing emails to his former colleagues to embed spyware and malware on government computers. According to John Carlin, the Assistant Attorney General for National Security, "Eccleston sought to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent to allow foreign nations to gain access to that material."
Three Tips to Defend Against Spear Phishing
Security Awareness Training: Since humans are the target of these attacks, you must invest in educating your employees to lower the risk of them falling for these scams. Security awareness training should be performed annually for all employees, and more frequently for upper management and executives.
Email Security: Modern security solutions can scan and filter out emails that carry malicious attachments or URLs, or that match the pattern of known malicious emails. This is an important way to reduce the number of phishing emails your employees are hit with.
File Scanning and Monitoring: You need to invest in file scanning and monitoring so that if malware is deposited on your computer systems from a phishing email, it can be detected and removed before it can damage the company.
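To make the "Email Security" and "File Scanning" tips concrete, here is an added example (not code from the original article or from Sealit) that parses a raw inbound message with Python's standard `email` library and screens it the way a gateway filter would: it flags attachments with executable or macro-enabled extensions and double extensions such as `invoice.pdf.exe`, and flags links whose visible text shows one host while the `href` points at another or at a bare IP address. The extension lists, the sample message and its addresses are constructed assumptions; the attachment payload is a harmless placeholder string.

```python
"""Attachment and link screening for an inbound email.

Added example, not the page's own code. The extension policy, the sample
message and its addresses are constructed assumptions.
"""
import re
from email import policy
from email.parser import BytesParser

# Assumed policy lists. Executable types are blocked outright; macro-enabled
# Office types are flagged; a benign-looking inner extension before a final
# extension (invoice.pdf.exe) is the classic double-extension trick.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".iso", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xlsx", ".jpg", ".png", ".txt"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def attachment_findings(filename):
    """Return a list of human-readable findings for one attachment name."""
    name = (filename or "").lower()
    parts = name.split(".")
    findings = []
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{filename}: executable type {ext}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"{filename}: macro-enabled document")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        findings.append(f"{filename}: double extension")
    return findings


def host_of(url):
    """Host part of an absolute URL, lower-cased; '' if the text is not a URL."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def url_findings(html):
    """Flag anchors whose visible text names a different host than the href, and bare-IP links."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = host_of(href)
        text_host = host_of(text)        # non-empty only when the anchor text itself looks like a URL
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if IPV4_RE.fullmatch(href_host):
            findings.append(f"link to bare IP address {href_host}")
    return findings


def screen_message(raw_bytes):
    """Parse a raw RFC 5322 message and return all attachment and link findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part.get_filename()))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(url_findings(part.get_content()))
    return findings


# Constructed sample message: a lookalike billing sender, a link whose text
# shows the company portal but whose href is a bare IP, and a double-extension
# attachment whose body is just the base64 of the word "Hello".
SAMPLE_MESSAGE = b"""From: "Accounts Payable" <ap@vendor-billing.example.net>
To: finance@example.com
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>Please review <a href="http://203.0.113.5/pay">https://portal.example.com/pay</a> today.</body></html>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

In a real deployment the attachment branch is where a file scanner (hash lookup, sandbox detonation) plugs in, and the same checks can be re-run on files that have already landed on endpoints, which is what the monitoring tip is about. Extension checks are a floor, not a ceiling: archives and documents with embedded content need the scanner, not just the filename rule.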
Conclusion
Phishing is a social engineering attack that hopes to deceive the recipient into performing an action that will allow the attacker to compromise the business. Spear phishing is a type of phishing attack where the attacker does research and creates a specially tailored message targeting a specific employee within the company. Spear phishing attacks require much more preparation time but are far more effective than regular attacks. Sealit's secure spaces service is designed with file scanning and monitoring that can help defend against spear phishing attacks and other social engineering attacks that target businesses through email. For a free demo of our product, click the link here.