You work in your company’s finance department, making sure all the bills get paid on time.
You’re wrapping up your day and about to put your computer to sleep for the evening when a new email pops up. It’s from your boss, and it looks urgent. She’s asking for the necessary information to transfer some company funds for a last-minute project she’s working on.
A little voice in your head advises caution, but your boss is clear: this needs to be done now.
What do you do?
Though the email described in the situation above could be legitimate, you need to be sure it’s not a spear phishing scam, one of the most significant threats to cybersecurity today. What is spear phishing and how can it be avoided? Read on for our quick guide to avoiding the bait.
What is Spear Phishing?
Your run-of-the-mill phishing scam casts a wide net, sending millions of emails in hopes of netting a few hundred victims. This sort of scam operates on quantity above all else, the intention being to snag multiple users with easily produced and easily sent emails.
Spear phishing is the exact opposite. A spear phishing scammer will have very specific goals and very specific targets. These scammers will take the time and energy to research their victims, or colleagues of victims, to craft phishing emails that a have a better chance of being opened.
And their work often pays off: A 2016 survey revealed that 84% of respondents experienced spear phishing attacks that got through their security measures. Additional research suggests spear phishing emails can have success rates nine times higher than generic phishing emails. With the average cost of a spear phishing attack clocking in at $1.6 million, time spent by scammers research victims seems well worth it.
Anatomy of a Spear Phishing Attack
Let’s break down the components of a hypothetical spear phishing attack:
1. Target identification
First, the attacker picks out a target to impersonate (referred to as business email compromise, or BEC). These might include company executives or high-level managers with an elevated level of access. Anyone from whom a request for financial data or employee records would not seem out of place. This is also one of the reasons, by the way, company executives should not be overlooked when it comes to awareness training.
From here, the second target (the recipient of the spear phishing email) is selected. These employees would be those with access to sensitive (and valuable) company information, or employees with the authority to transfer funds. HR managers are often on this list, as they are responsible for the tax information of every employee at the company.
2. Intelligence gathering
In this phase, the attacker scours social media sites and company websites for enough information to build a believable spear phishing email. This information will not be limited to email addresses of executives or managers, which shouldn’t be posted on a company website, anyway. Details on professional affiliations, certifications, even posts about upcoming vacations are all fodder for industrious email scammers.
3. Crafting the message
Here is where the rubber meets the cyber-road. In this step, the attacker will use all the information collected in step two to craft an email the spear phishing victim will expect. This could mean a high-priority request for employee records from a “CEO” who’s working remotely. This could mean including an attached document that needs to be reviewed ASAP. The goal of a hyper-targeted spear phasing email is the same as any other phishing attempt: get the user to take an action that will benefit the scammer.
4. Making sure the email arrives
Many technical solutions exist to prevent phishing emails from hitting employee in the first place. But none is 100% effective. One common sign of a spear phishing email is a spoofed display name in the email’s “from” field, in which a trusted name is made to appear as the sender. A survey from cloud security company GreatHorn found that display name spoofs were involved in 91% of the 537,000 phishing emails researchers analyzed in 2016. Once the email gets through this hurdle, all the user has to do is click the link or open the attachment to give the attacker what he or she wants.
Tactics of a Spear Phisher
While the variety of individual spear phishing emails is limited only by the attacker’s imagination, many share three common strategies. In fact, all three of these tactics can often be seen in the same email. We’ve summarized them below with some tips on how to avoid them:
If an email appears to come from a co-worker or someone you trust but just feels a little off, you should follow your gut. For starters, hit the “reply” button on the email to see where any message you send would actually be going. A spoofer may have masked the “from” address but not the true “reply-to” address. Be careful, though, not to actually reply to the email.
Additionally, ask yourself: What information is the sender requesting? Does the sender usually ask for this sort of information via email? If the request itself seems odd, double check by starting a new email thread to the alleged sender confirming the request for information. Or, if you work in a small company like I do, pick up the phone or walk down the hall. A potential breach of personal employee information was thwarted by the HR director of a client of ours after she walked to the CEO’s office in person to verify his request. Turns out he hadn’t actually asked for employee W-2 information.
Though “to whom it may concern” can be a telltale sign of phishing email, a personalized greeting does not always guarantee a legitimate message. A spear phisher will have done research on a target and will at the very least know his or her first name. Emails like this may come in the form of unsolicited requests to confirm account information, or unexpected password reset requests, all with your first name at the top of the message. Security experts suspect a fake Gmail account reset request allowed hackers into the Democratic National Committee email system.
No information should be entered from any screen linked from a suspicious account or password reset email. Gmail and other large organizations who handle hundreds of millions of email accounts have set procedures for password resets. Take the time to learn them so you’ll know what a legitimate request should look like. If an email request like this seems off, delete it and visit the site holding your account information (ex. Gmail.com) to change your password.
A phishing target is more likely to take a quick, risky action if they think they’re in some sort of trouble. It’s a tendency buried deep in the human brain, and scammers of all sorts are willing to take advantage of it. In the context of spear phishing, playing on a target’s emotions can be even more effective when combined with a spoofed display name, for example. Imagine your adrenaline surging as you read an angry email appearing to be from your boss, urging you to open an attached report. Falling for this one doesn’t seem so unlikely, does it?
While real bosses sometimes do send angry emails, an unexpected inflammatory message, especially if it’s asking you to take quick action, should be looked at with skepticism. Try to think about the context of the email and if strong words or emotion-laden pleas are truly warranted.
Solving the Root Problem
Phishing works because humans keep falling for it. No measure, technical or not, is going to stop every spear phishing email 100% of the time.
As doom-and-gloom as that sounds, we try to see the positive in it. The root cause here is simple: employees taking unnecessarily risky actions when it comes to email. The solution? Equip your employees with the tools they need to make smarter decisions.
This comes from security awareness training initiatives that achieve real behavior change. Such programs include employee assessments, such as simulated phishing tests designed to glean who among your employee population is most susceptible to phishing.
But simulated phishing campaigns should not stand alone. Employees that take the bait will need follow-up training content, ideally served in a variety of forms, to drive home the importance of keeping safe from phishing and how to do so. A multi-pronged approach to anti-phishing education will give your employees the best chance of avoiding the bait.
To see MediaPro’s own Phishing Simulator in action, with newly added spear phishing capabilities, click here to schedule a demo and to learn how our Simulator can be integrated into a comprehensive security awareness program.
This post is based on our on-demand webinar: Keeping Users of the Spear Phishing Hook. Check out the webinar for free!