Spear Phishing Definition, Examples and Prevention
By now, most people are aware of at least some form of a phishing scam, but the basic premise of phishing continues to morph and grow into a wide variety of scams. The type of scam used often depends on the type of information being sought. Phishing scams used to obtain personal information from individuals are often vastly different from the types of phishing scams aimed at businesses and corporations. In addition, while many phishing scams are clumsily produced and full of typographical or grammatical errors that quickly give their fraudulence away, scams aimed at high-value targets can be significantly more realistic or believable. One of the most personal types of phishing is known as spear phishing.
What is Spear Phishing: What is the Difference Between Phishing and Spear Phishing?
As the name implies, spear phishing is a much more targeted type of phishing and generally has a specific aim or goal. In some cases, it might be to obtain the login credentials of a high-value target, while in other cases it may be to gain direct access to sensitive information.
Spear Phishing Examples: How Does Spear Phishing Work?
In most cases, phishers will browse the websites of large corporations to get the names of C-suite executives or high-level managers. Then they create email accounts using those names. All too often, when employees get an email that seems to be from their boss or a high-ranking executive, they don't bother to check the full return email address; they only see the name. In addition, many businesses and large corporations use the first initial, last name and corporate domain name as the email address, making it very easy to get an email to the right individual. Phishers may also call the company and ask for a certain executive, then use some type of ruse to get the full name of their assistant. With the assistant's name, they can generally send them a spear phishing email using just that first initial and last name.
Spear Phishing & Cybercrime
The type of information phishers are looking for may vary. In most cases, they are looking for login credentials, but different types of login credentials will also give them access to different types of information. Overall, they are looking for the login credentials of the most senior executives, but they can often work their way up to those by gaining the credentials of more junior employees. Many executive assistants are in possession of their boss's credentials as well, so the phisher may end up with the credentials of a high-ranking executive simply by going through a much more junior employee.
Login information is also not the only type of valuable information low-level employees may have access to. In some cases, phishers will simply craft a spear phishing email that is ostensibly from their boss, asking for the specific information directly. This might include client lists, guest invitation lists for high profile events or even medical records. In many cases, this information alone can be sold for a significant profit, without even needing to gain login credentials.
Targeted phishing is also an effective way of infecting networks with malware or even establishing a remote link to the system. By now, most people know not to download anything that is not from a trusted source, but they rarely think twice about downloading things that seem to come from a trusted source. For instance, a phisher may discover from either calling the business or simply looking at an employee's social media profile that they are currently on vacation. They can then send a spear phishing email to a colleague with a photo attachment that is labeled as being from their vacation. Not only does the spear phishing email appear to be from a trusted source but the very fact that it seems to be a vacation photo from someone currently on vacation only serves to decrease suspicion even further.
Another tactic phishers use is to hide a fake email address in a group email among a number of legitimate addresses. A large group email can also serve to lower any individual employee's suspicions. All a phisher needs is for one individual in the group email to click on an attachment or download a file. As soon as they click on the attachment, they may download malware such as ransomware or allow a hacker to establish a direct link with the network that bypasses the usual VPN and antivirus protocols set by the company. Once the hacker has a direct link with the system, they generally have free rein over it. According to a Trend Micro report, 91% of all cyber attacks begin with a spear phishing email, including some of the biggest cyber crimes of all time.
Spear Phishing Prevention: How To Prevent Spear Phishing Attacks?
One of the drawbacks of many modern email programs, such as Outlook, is that in an attempt to simplify and streamline the interface, they have actually created a huge vulnerability to this type of attack. Many modern programs will only show the name of the sender, not the entire email address. While this significantly cuts down on visual clutter, it also makes it easier to forget to check the full email address of a new message before responding. One way businesses can protect themselves is to ensure the sender's full email address is displayed, rather than just their name, and then train employees to check full email addresses before clicking any links or downloading any attachments.
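The checks this paragraph recommends, together with the display-name trick and the group-email trick described under "How Does Spear Phishing Work?" and "Spear Phishing & Cybercrime" above, can be turned into a simple inbound-mail screen: does a sender whose display name matches a known staff member actually write from the corporate domain, does Reply-To point somewhere else, and are outsiders hidden among the internal recipients? The following Python is an added example, not code from the original article or from iovation; the corporate domain, the staff directory, the header fields chosen and both sample messages are constructed for illustration.

```python
"""Flag display-name impersonation and hidden outsiders in inbound mail (added example)."""
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed values: the organisation's own domain and a small staff directory.
CORPORATE_DOMAIN = "example.com"
KNOWN_STAFF = {"Jane Doe": "jdoe@example.com", "Tom Smith": "tsmith@example.com"}


def normalize_name(name):
    """Reduce 'Doe, Jane', 'Jane DOE' or 'jane.doe' to one comparable key."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


STAFF_INDEX = {normalize_name(n): addr for n, addr in KNOWN_STAFF.items()}


def domain_of(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw_message):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)  # compat32 policy: headers are plain str
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    if not address:
        return ["From header missing or unparseable"]
    from_domain = domain_of(address)

    # 1. A known staff name on an address outside the corporate domain is the
    #    "account created in the executive's name" setup the article describes.
    if from_domain != CORPORATE_DOMAIN:
        findings.append(f"external sender: {address}")
        key = normalize_name(display_name)
        if key in STAFF_INDEX:
            findings.append(f"display name {display_name!r} impersonates {STAFF_INDEX[key]}")

    # 2. Replies quietly routed elsewhere: Reply-To on a different domain than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} differs from sender domain")

    # 3. A stranger hidden in a group mail: any To/Cc address off the corporate domain.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    outsiders = [a for _, a in recipients if a and domain_of(a) != CORPORATE_DOMAIN]
    if outsiders:
        findings.append("external recipients in group mail: " + ", ".join(outsiders))

    return findings


# Constructed sample: a webmail account created in an executive's name, with a
# second outside address tucked into the recipient list.
SPOOFED = """\
From: "Doe, Jane" <jane.doe.ceo@webmail.example>
Reply-To: jd-replies@othermail.example
To: tsmith@example.com, hr@example.com, a.pfisher@webmail.example
Subject: Quick favour

Tom, could you send over the client list before my flight? Thanks, Jane
"""

# Constructed sample: the same executive writing from her real corporate address.
LEGIT = """\
From: Jane Doe <jdoe@example.com>
To: tsmith@example.com
Subject: Board deck

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_message(raw) or ["nothing flagged"])
```

The name normalisation is deliberately loose (sorted alphabetic tokens) so that "Doe, Jane", "jane.doe" and "Jane DOE" all land on the same directory entry; a production gateway would pair this with domain reputation, but the three header checks alone already surface the mismatch that a name-only display hides from the reader.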
Because phishers can use targeted scams to gain access to a system in a way that bypasses security protocols, good security protocols are, unfortunately, not the best answer to preventing this type of attack, which is also what makes it so effective. Ultimately, education, training and awareness are the best (and possibly only) defense against this type of phishing scam.
iovation is a leading provider of fraud prevention software including advanced multifactor authentication solutions to fight e-commerce fraud, insurance fraud, online gambling fraud, ticketing fraud and many other types of fraud.