Contrary to popular belief, most cyberattacks don’t rely on some distant attacker “hacking their way into the mainframe” or whatever caricature Hollywood would have you believe. Most attacks are due to careless employees leaving the door wide open for attackers to waltz right in and take what they want.
Many of these attacks rely on “social engineering” to gain access to systems, data, and money. Social engineering is the use of deception to manipulate people into giving up valuable information or access.
Think of it as con artistry for hacking. One of the most popular forms of social engineering is phishing, and today we’re going to cover a specific type: spear phishing.
- Phishing is a social engineering cyberattack method that uses email or other online communication means ― most often email ― to fool victims into clicking on malicious links.
- Spear phishing is a focused attack on an individual target through a carefully designed stream of communications.
- Antiphishing software is meant to detect phishing attempts and actively prevent these processes from going through, but the most important thing you can do to avoid spear phishing breaches is to teach your staff how to spot and avoid phishing attempts.
What is Phishing?
Phishing is a social engineering cyberattack method that uses email or other online communication means ― most often email ― to fool victims into clicking on malicious links. This action results in giving up sensitive information, and/or providing gateways for attackers to plant malicious software.
To maximize the number of victims, attackers typically send out phishing communications to a large pool of targets. These attackers use all kinds of well-known brands and common time-sensitive issues to gain trust and urge actions meant to extract information from their intended targets.
For example, a popular phishing scheme uses the name of a reputable bank, such as Chase, Wells Fargo, or Bank of America, in the attack email and claims that an issue has come up with your account.
The email prompts you to click on a link to resolve the issue, which then prompts any number of results, such as:
- The link takes you to a fake landing page intended to mimic one from the brand in question that prompts you to enter sensitive login information or other identifying information
- The link will begin a file download of malware, ransomware, spyware, worms, or trojans
Figure: An example of a phishing email. Note the long ― and irrelevant ― sender address as well as the broken image and “Chase” spelled with a lowercase “c”.
These types of attacks appear not only in emails but also in social media messages, forum comments, and many other communication methods online.
What Is Spear Phishing?
So, what sets spear phishing apart? The major difference between the two is the target.
While phishing relies on sending out large quantities of communications to as many recipients as possible, spear phishing is a focused attack on an individual target through a carefully designed stream of communications.
How to Avoid Spear Phishing
Like most cyber security threats, the most important thing you can do to avoid spear phishing breaches is to teach your staff how to spot and avoid phishing attempts.
Approximately 98% of cyberattacks rely on social engineering with 43% of information technology (IT) professionals having been targeted by social engineering in the last year alone, according to Security Boulevard.
With so many attacks relying on manipulating personnel within your organization, it’s crucial that your staff is trained to spot phishing and spear-phishing attempts and knows what to do when receiving these messages. Here are the major pointers.
Confirm the Sender’s Email Address
This is one of the easiest ways to verify whether the message is from a legitimate source. Spear phishing attackers typically attempt to impersonate a trusted individual, such as a company CEO or manager, to extract information from a target.
If the email address or message seems questionable, verify whether this is the official address of that sender by checking it against company records or your own inbox.
Inspect the Message Content
Message content is another potential red flag when dealing with spear-phishing emails. These emails are sometimes poorly written, sprinkled with identifying information you can find online, and sometimes even have outdated company graphics that are meant to fool you into believing the email is legitimate.
These spear-phishing emails also make odd requests for information that has never been requested before, such as payment statuses or contact information.
Check the Subject Lines
Subject lines are a great place to look for warning signs of phishing attempts. Some attackers use words like “urgent” to inspire action, or include a “RE:” in the subject line to trick targets into thinking there’s an ongoing conversation between them and the sender.
Questionable Links and Attachments
Spear phishing attacks frequently rely on the delivery of malware via email. These emails include prompts to click on links, and once you do, you’ve potentially exposed yourself to malicious file downloads.
One way to safely verify a link is by right-clicking on it and using the browser’s “Inspect” tool to check where it actually goes (the link’s real address, not the text displayed for it). If you still aren’t sure, there are plenty of link inspection services, such as ScanURL.net and PhishTank, that’ll look for all kinds of suspicious materials.
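To make the sender, subject and link checks above concrete, here is an added Python example (not code from the original article) that applies them to a constructed sample message. The trusted domain example.com, the flag names and the sample headers are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "action required")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):  # hostname of a URL or bare host string, lower-cased ('' if none)
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def domain_of(header_value):  # domain of the address in a From/Reply-To header
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_flags(raw_message):
    """Return the red flags found in an RFC 822 message string (empty list = none)."""
    msg = message_from_string(raw_message)
    flags = []
    # Sender checks: is the address really ours, and do replies go somewhere else?
    from_domain = domain_of(msg.get("From"))
    if from_domain != TRUSTED_DOMAIN:
        flags.append("external-sender")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to-mismatch")
    # Subject checks: pressure words, or a "RE:" with no thread headers behind it.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        flags.append("urgent-subject")
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("fake-reply")
    # Link checks: visible text that looks like a URL while the href points elsewhere.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            flags.append("link-text-mismatch")
    return flags

# Constructed sample (not a real attack) that trips every check above.
SAMPLE = """From: "Jane Doe" <jane.doe@examp1e-corp.net>
Reply-To: payments@mail-relay.invalid
Subject: RE: urgent wire transfer before noon
Content-Type: text/html

<p>Please confirm the vendor payment status here:
<a href="http://examp1e-corp.net/login">https://portal.example.com/payments</a></p>
"""
```

Running `phishing_flags(SAMPLE)` reports all five flags; a message from a colleague at example.com with a genuine In-Reply-To header and honest link text reports none.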
Knowledge is power when preventing spear-phishing attacks. When your staff is your weakest link, it’s important to regularly train your personnel. Make sure you include this training when putting together your digital security plan.
There’s always the possibility that an attacker slips through the cracks and gets the best of someone within your organization. That’s why it’s important to invest in antiphishing software as a second line of defense against attackers taking advantage of your employees.
Antiphishing software is meant to detect phishing attempts and actively prevent these processes from going through. When selecting an antiphishing solution, there are several key features you must have:
- Spam filters: Email providers like Microsoft Outlook and Gmail have their own built-in spam filters, but even they can’t stop every clever attempt to land in an employee inbox. An additional spam filter provided by antiphishing software helps to catch those sneaky emails that fall through the cracks.
- File identification systems: Your antiphishing software must be able to scan emails for malicious files to prevent unintentional downloads.
- Link scanning: Malware and data extraction websites are typically embedded in links. Your antiphishing software must be able to scan and prevent users from clicking on dangerous links.
- Integrations: Any worthwhile antiphishing software must be able to integrate with some of the most popular office tools used to communicate information, such as Office 365, G-Suite, and Slack.
Whichever software vendor you go with, these features are the minimum table stakes for preventing spear phishing attacks. Anything less leaves you and your organization potentially exposed to clever online predators. The good news is that many antivirus software options include antiphishing features.
Who Are the Most Likely Targets of Spear Phishing
While it’s important that your entire organization is educated on the dangers of spear phishing and the methods to prevent such attacks, there are certain roles that are far more likely to be targeted, such as:
- Executive assistants: Assistants are a prime target of spear phishing attacks since they have enough going on in their day-to-day work to miss a carefully structured attack. They are high-value targets since they regularly have access to all kinds of information, including payment methods, executive travel plans, and employee data, and have their hands in many different departments of the organization. They are especially vulnerable when starting out, since they have so much access to information with very little understanding of how things work at that particular organization. Newly hired assistants must be brought up to speed on best practices for avoiding spear phishing attacks.
- Sales personnel: Working in sales is a fast-paced role with regular opportunities to speak with people outside of the business. Sales personnel are expected to act quickly and are given access to lots of intellectual property, making them fantastic targets for spear phishing attacks. Attackers look to exploit their willingness to speak with outside personnel to gain access to your organization and expand from there.
- Finance personnel: Those people in your organization with access to financial information are bound to become targets for spear-phishing attempts. The amount of personally identifiable information and sensitive company data they handle makes them valuable catches for any hacker lucky enough to catch one off-guard.
- Human resources: Just like finance, human resources (HR) is chock full of personally identifiable information, and since HR receives a steady influx of communications from all over the organization, clever hackers look to it as an entry point to more valuable company data.
- C-level executives: It’s harder to gain access to C-level executives because access to them is guarded by “gatekeepers,” such as executive assistants, and by an increased cybersecurity effort, but it’s possible. Hackers clever enough to gain entry through a CEO or chief financial officer (CFO) gain access to mountains of valuable information.
While it isn’t inconceivable that an attacker might target a chief technology officer (CTO), chief information security officer (CISO), or other IT personnel due to the access they have, these attacks aren’t as common due to their knowledge of attack vectors and strategies. From the perspective of an attacker, why sink effort into a tough target when an inexperienced assistant or salesperson provides a path of least resistance?
Education and Protection Are the Keys
The threats mounting out there may seem insurmountable, but rest assured that they’re all built on the same idea: hackers want the biggest payoff for the smallest amount of effort and exposure.
Stopping most attacks requires you to educate your workforce and to provide the right computer security software tools, enough to frustrate hackers into turning their attention elsewhere.